Back to Blog
feature-launchapiautomationintegrations

Full HTTP API: Programmatic Access to Your Financial Data

Jon Phenow
Jon Phenow
Author
6 min read

Some people want to script things. Maybe you're syncing your financial data to a spreadsheet. Maybe you're building a custom dashboard. Maybe you just hate clicking buttons when code could do it for you.

Now you can access Tricksy.io programmatically via a full HTTP API. Same endpoints the web interface uses. Authenticate with scoped API keys that control exactly what each script can access.

Here's what you need to know.

Creating an API Key

Go to your account dropdown → "API Keys" → "Create API Key". Name it something descriptive (like "Sync Script" or "Dashboard Integration"), pick the permissions it needs, and you'll get a key that looks like this:

tricksy_live_a4f3d2e1b6c8e9f0...

You only see the full key once. Copy it immediately and store it somewhere safe (environment variables, secret manager, password vault—wherever you keep credentials).

Permissions (Scopes)

API keys use scope-based permissions. You pick exactly what each key can do. This means you can create read-only keys for dashboards and write-enabled keys for automation scripts.

43 concrete scopes across 6 resource types:

  • Accounts: read, write, delete
  • Transactions: read, write, delete
  • Budgets: read, write, delete
  • Templates: read, write, execute, delete
  • Tags: read, write, delete
  • Analytics: read

Wildcards make bulk permissions easier:

  • read:* grants all read permissions
  • * grants full access (all scopes)

Example: A sync script that reads transactions and writes to an external database only needs read:transactions. A backup script that exports everything only needs read:*. An automation that creates transactions needs write:transactions.

When you create the key, check the boxes for what you need. Don't give keys more permissions than they need.

Using an API Key

Include your key in the Authorization header on any HTTP request:

curl -H "Authorization: Bearer tricksy_live_YOUR_KEY" \
  https://tricksy.io/api/accounts

The API returns JSON. Same data the web interface uses. If you can see it in the UI, you can fetch it via the API.

Example: Get all transactions

curl -H "Authorization: Bearer tricksy_live_YOUR_KEY" \
  https://tricksy.io/api/transactions

Example: Create a transaction

curl -X POST https://tricksy.io/api/transactions \
  -H "Authorization: Bearer tricksy_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "fromAccountId": "acc_123...",
    "toAccountId": "acc_456...",
    "amount": 50.00,
    "description": "Coffee",
    "date": "2025-12-13"
  }'

Rate Limiting

API keys are rate limited to 100 requests per hour per key. That's plenty for most automation but prevents abuse.

Rate limit info is included in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1234567890

When you hit the limit, you get a 429 Too Many Requests response. Wait until the reset time, then try again.

If you need higher limits, create multiple keys (each gets its own bucket) or batch your requests instead of making 200 individual calls.

Available Endpoints

Most endpoints that exist in the web UI are accessible via API:

Accounts

  • GET /api/accounts - List all accounts
  • POST /api/accounts - Create account
  • PATCH /api/accounts/:id - Update account
  • DELETE /api/accounts/:id - Delete account

Transactions

  • GET /api/transactions - List all transactions
  • POST /api/transactions - Create transaction
  • PATCH /api/transactions/:id - Update transaction
  • DELETE /api/transactions/:id - Delete transaction

Budgets

  • GET /api/budgets - List all budgets
  • POST /api/budgets - Create budget
  • (Plus budget line items and calculations)

Tags

  • GET /api/tags - List all tags
  • POST /api/tags - Create tag

Templates

  • GET /api/transfer-templates - List templates
  • POST /api/transfer-templates/:id/execute - Execute template

Check the API documentation on the API Keys page for complete endpoint details and example requests.

Error Handling

401 Unauthorized: Your API key is invalid, expired, or missing.

403 Forbidden: Your API key lacks the required scope. For example, you tried to create a transaction with a key that only has read:transactions.

{
  "error": "Insufficient permissions",
  "requiredScope": "write:transactions"
}

The error tells you exactly what scope you need. Go back to the API Keys page, update the key's permissions, and try again.

429 Too Many Requests: You hit the rate limit. Check the X-RateLimit-Reset header to see when you can retry.

Security Best Practices

Store keys securely. Use environment variables, secret managers, or password vaults. Never hardcode keys in scripts you commit to version control.

Use minimum required scopes. Don't give a read-only dashboard script write:* permissions. If the key only reads data, limit it to read:*.

Rotate keys periodically. Create a new key, update your scripts, delete the old key. Good hygiene.

Monitor usage. Each API key tracks when it was last used and logs every request (endpoint, status code, timestamp). Check the API Keys page to see what your keys are doing.

Revoke compromised keys immediately. If a key leaks, delete it from the API Keys page. All requests using that key will fail instantly.

Example Use Cases

Daily backup script: Create a cron job that exports your financial data every night using GET /api/accounts and GET /api/transactions with a read:* key.

Custom analytics dashboard: Build a Grafana or Metabase dashboard that pulls transaction data from the API and visualizes spending trends.

Budget tracking automation: Write a script that checks your budget totals and sends you a Slack message when you're over budget.

Integration with external tools: Sync transactions to a Google Sheet, Notion database, or Airtable base using API keys.

CI/CD validation: Test your finance workflows in automated tests by creating test transactions via the API.

Migration script: If you're moving from another system, write a script that reads from their API and writes to Tricksy.io via API keys instead of manually importing CSVs.

Managing Your Keys

The API Keys page shows:

  • Active keys: Name, scopes, last used timestamp
  • Masked keys: Only shows the prefix (tricksy_live_...) for security
  • Usage logs: View recent requests per key
  • Expiration dates: Optionally set expiration for temporary keys

You can update key names and scopes, or delete keys you're not using anymore.

Try It Out

If you're already subscribed, create a read-only API key right now. Try fetching your accounts:

curl -H "Authorization: Bearer YOUR_KEY" \
  https://tricksy.io/api/accounts

You should see JSON data for all your accounts. From there, you can start building whatever integrations you need.

If you're evaluating Tricksy.io and you need programmatic access, API keys mean you can integrate it with your existing workflows instead of being locked into the web UI.

We're interested in feedback on the API! Let us know what endpoints you need, what's missing, or what could be better.

Related Articles

Full HTTP API: Programmatic Access to Your Financial Data - Tricksy.io Finance Blog