---
title: Sentry | Keycard
description: Access error tracking, events, and project data
---

[Sentry developer console](https://sentry.io/settings/account/api/applications/)[OAuth setup guide](https://docs.sentry.io/api/auth/#oauth)[API docs](https://docs.sentry.io/api/)

Adding Sentry provisions a resource (the upstream Sentry API at `https://sentry.io/api/0`, with default scopes pre-set) and a provider for Sentry’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Sentry resource.

Your application calls Keycard’s [token-exchange endpoint](/sdk/oauth/index.md) with the user’s identity, gets back a token scoped to this resource, and uses it to call Sentry directly. Identity, [policy](/admin/access-policies/index.md), and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.

## Scopes

SCOPES

OAuth permissions Keycard requests on install. Override or add scopes in Console.

- event:read

  default

- project:read

  default

- org:read

  default

- org:write

- org:admin

- project:write

- project:admin

- project:releases

- team:read

- team:write

- team:admin

- member:read

- member:write

- member:admin

- event:write

- event:admin

Show all 16 scopes  Show defaults only

## Use Sentry from your code

USE FROM CODE

Call Sentry from your application with a Keycard-issued token scoped to this resource.

After installing Sentry, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the `subject_token`.

- [Python](#tab-panel-124)
- [TypeScript](#tab-panel-125)

```
from keycardai.oauth import Client, BasicAuth, TokenType
import requests


# Exchange the user's Keycard token for a Sentry token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://sentry.io/api/0",
    )


# Call Sentry directly with the exchanged token.
r = requests.get(
    "https://sentry.io/api/0/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)
```

```
import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";


const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});


const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://sentry.io/api/0",
});


// Call Sentry directly with the exchanged token.
const res = await fetch("https://sentry.io/api/0/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});
```

See the [OAuth SDK → Token Exchange](/sdk/oauth/#token-exchange/index.md) reference for the full client API.

## Setup

SETUP

Register your OAuth credentials with Keycard so the resource can issue tokens.

### Create a Sentry application

1. Go to [Sentry Account Settings → API → Applications](https://sentry.io/settings/account/api/applications/)

2. Click **Create New Application**

3. In the dialog, select **Confidential** as the application type

4. Fill in:

   - **Name**: A descriptive name (e.g., “Keycard”)
   - **Redirect URL**: The redirect URI provided by Keycard

5. Click **Create Application**

### Get credentials

1. After creating the application, copy the **Client ID** and **Client Secret** from the application details page

### Register in Keycard

1. Open [Keycard Console](https://console.keycard.ai) → your zone → **Resources**

2. Click **Explore Resources**

3. Find and click **Sentry** in the catalog

4. In the configuration dialog:

   - Enter the **Client ID** and **Client Secret** from your Sentry application
   - Review the **User scopes** - the defaults (`event:read`, `project:read`, `org:read`) are pre-populated

5. Click **Add Sentry API**

Tip

The verification endpoint lists all organizations the authenticated user has access to. If the response is empty, the user may not belong to any Sentry organizations.

## Troubleshooting

TROUBLESHOOTING

Common errors when wiring Sentry into your zone.

Error 401: Invalid token

The access token is invalid or expired. Re-connect the provider. Sentry tokens expire relatively quickly - Keycard handles refresh if the provider issued a refresh token.

Error 403: Forbidden

The token scopes don’t match the endpoint requirements. Verify:

- The scopes in your Sentry application settings
- The scopes configured in your Keycard resource
- That `org:read` is included (required for the organizations endpoint)

## Related

RELATED

- [Catalog overview](/admin/catalog/index.md) - browse other API and MCP servers
- [Access policies](/admin/access-policies/index.md) - control who can use Sentry
- [Identity providers](/admin/identity-providers/index.md) - control who can sign in

[PreviousLinear](/admin/catalog/api-servers/linear/index.md)[NextSlack](/admin/catalog/api-servers/slack/index.md)