TrackRoad Route Optimization Software

API Authentication (TrackServiceKey)

TrackRoad APIs use an API key called TrackServiceKey. For REST, send it as X-API-Key. For SOAP, send it in SessionIDHeader as SessionID.

TrackRoad API authentication flow: use TrackServiceKey as X-API-Key header for REST, and as SessionID in SessionIDHeader for SOAP requests.
Authentication overview: TrackServiceKey is your API key — send it as X-API-Key for REST and as SessionIDHeader/SessionID for SOAP.

Need endpoints and models?

Swagger provides the full request/response schemas for Dispatch, Routes, Route, Geocode, Credit, and Distance.

View Swagger UI API Reference Overview

Table of Contents

  1. How authentication works
  2. Generate your TrackServiceKey
  3. REST authentication (X-API-Key)
  4. SOAP authentication (SessionIDHeader)
  5. Login / Logout (legacy)
  6. Security best practices
  7. Common errors (401/403)
  8. Related endpoints

How authentication works#

  • TrackServiceKey is generated in your TrackRoad account.
  • REST: send it in X-API-Key for every request.
  • SOAP: send it in SessionIDHeader as SessionID for every call.

Recommended: use REST for new integrations. Use SOAP only for legacy systems.

Generate your TrackServiceKey#

  1. Sign in to your TrackRoad account.
  2. Open Manage Users (or API settings if available).
  3. Generate/copy your TrackServiceKey.
  4. Store it securely (server-side only).

If you cannot find TrackServiceKey, contact TrackRoad Support for API access.

REST authentication (X-API-Key)#

Send your TrackServiceKey in the X-API-Key header on every REST request. 

curl -X POST "https://trackservice.trackroad.com/rest/credit" \
  -H "X-API-Key: YOUR_TRACKSERVICEKEY"

Keep API keys server-side. Do not embed keys in browser or mobile client code.

SOAP authentication (SessionIDHeader)#

SOAP calls authenticate using SessionIDHeader. For TrackRoad SOAP services, send your TrackServiceKey as the SessionID value on every call.

Login/Logout methods can remain documented as legacy, but they are not required anymore. 

<soap:Header>
  <SessionIDHeader xmlns="http://TrackService.TrackRoad.com/">
    <SessionID>YOUR_TRACKSERVICEKEY</SessionID>
  </SessionIDHeader>
</soap:Header>

Login / Logout endpoints (legacy)#

Login/Logout are maintained for backward compatibility only. New integrations should authenticate using TrackServiceKey: REST via X-API-Key, SOAP via SessionIDHeader.

Security best practices

  • Never expose API keys in front-end JavaScript
  • Use server-to-server calls (backend integrations)
  • Store keys in environment variables / secret managers
  • Rotate the key if compromised
  • Never log API keys

Common errors (401/403)#

  • 401 Unauthorized: missing/invalid key (REST: missing X-API-Key; SOAP: missing/invalid SessionIDHeader).
  • 403 Forbidden: key is valid but blocked/expired or account lacks credit/permissions.

Next step: try an endpoint

Once you have your TrackServiceKey, start with Credit to validate authentication, then move to Geocode, Route, Routes, or Dispatch.

Check Credit Go to Dispatch