Sentry

Developer Tools

Access error tracking, events, and project data

Sentry developer console OAuth setup guide API docs

Adding Sentry provisions a resource (the upstream Sentry API at https://sentry.io/api/0, with default scopes pre-set) and a provider for Sentry’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Sentry resource.

Your application calls Keycard’s token-exchange endpoint with the user’s identity, gets back a token scoped to this resource, and uses it to call Sentry directly. Identity, policy, and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.

Scopes

SCOPES

OAuth permissions Keycard requests on install. Override or add scopes in Console.

event:read: default
project:read: default
org:read: default
org:write
org:admin
project:write
project:admin
project:releases
team:read
team:write
team:admin
member:read
member:write
member:admin
event:write
event:admin

Use Sentry from your code

USE FROM CODE

Call Sentry from your application with a Keycard-issued token scoped to this resource.

After installing Sentry, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

Python
TypeScript

from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Sentry token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://sentry.io/api/0",
    )

# Call Sentry directly with the exchanged token.
r = requests.get(
    "https://sentry.io/api/0/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)

import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://sentry.io/api/0",
});

// Call Sentry directly with the exchanged token.
const res = await fetch("https://sentry.io/api/0/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});

See the OAuth SDK → Token Exchange reference for the full client API.

Setup

SETUP

Create a Sentry application

Go to Sentry Account Settings → API → Applications
Click Create New Application
In the dialog, select Confidential as the application type
Fill in:
- Name: A descriptive name (e.g., “Keycard”)
- Redirect URL: The redirect URI provided by Keycard
Click Create Application

Get credentials

After creating the application, copy the Client ID and Client Secret from the application details page

Register in Keycard

Open Keycard Console → your zone → Resources
Click Explore Resources
Find and click Sentry in the catalog
In the configuration dialog:
- Enter the Client ID and Client Secret from your Sentry application
- Review the User scopes - the defaults (event:read, project:read, org:read) are pre-populated
Click Add Sentry API

Troubleshooting

TROUBLESHOOTING

Common errors when wiring Sentry into your zone.

Error 401: Invalid token

The access token is invalid or expired. Re-connect the provider. Sentry tokens expire relatively quickly - Keycard handles refresh if the provider issued a refresh token.

Error 403: Forbidden

The token scopes don’t match the endpoint requirements. Verify:

The scopes in your Sentry application settings
The scopes configured in your Keycard resource
That org:read is included (required for the organizations endpoint)

Catalog overview - browse other API and MCP servers
Access policies - control who can use Sentry
Identity providers - control who can sign in