All Retrac API requests must use HTTPS. Unencrypted HTTP is not supported.

API keys

Create keys under Settings → API Keys in your workspace. Each key is tied to the user who created it and inherits that user’s workspace role and location access.
Authorization: Bearer YOUR_API_KEY
API keys are shown once at creation. Store them in a secrets manager or environment variable. Never commit keys to source control, client-side code, or public repositories.

Key types

| Type | Prefix | Workspace ID | Scopes |
| --- | --- | --- | --- |
| Full access | (no prefix) | Required on every request via workspaceId query param | All permissions your user role allows |
| Restricted | retrac_ | Embedded in the key — omit workspaceId | Only scopes you select at creation |

Restricted keys are recommended for integrations. Grant the minimum scopes needed.

Scopes

Restricted keys use space-separated scopes. Presets in the dashboard map to:

| Preset | Scopes | Use when |
| --- | --- | --- |
| All access | apis.all | Trusted server-side integrations needing full inventory access |
| Read only | apis.read | Reporting, dashboards, sync-from-Retrac jobs |
| Restricted | Custom subset | Principle of least privilege |

Individual resource scopes:

| Scope | Allows |
| --- | --- |
| items.read / items.write | List and manage catalog items |
| tags.read / tags.write | List and manage tags |
| locations.read / locations.write | List and manage locations (write is owner-only) |
| inventory.read / inventory.write | Read balances/movements; set on-hand stock |
| transfers.read / transfers.write | List and create transfers; owners may revert |
| workspaces.read / workspaces.write | Read workspace metadata; update workspace (write is owner-only) |

A restricted key cannot exceed what your workspace role allows. For example, a member cannot use a key with locations.write if their role does not include that permission.

Workspace ID

Full-access keys must pass workspaceId on every workspace-scoped request:
https://api.retrac.co/items?workspaceId=YOUR_WORKSPACE_ID
Find the workspace ID under Settings → General. Restricted keys (retrac_…) are bound to one workspace — do not pass workspaceId; the server resolves it from the key.
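
The key-type and workspaceId rules above, combined into one request builder. This is an added example, not Retrac's own client code: the RETRAC_API_KEY variable name, the function names and the sample values are assumptions, and every request it builds is treated as workspace-scoped.

```python
import os
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

API_BASE = "https://api.retrac.co"  # host from the page's example URL
RESTRICTED_PREFIX = "retrac_"       # restricted keys carry this prefix


def load_key(env_var="RETRAC_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = os.environ.get(env_var, "")
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key


def build_request(path, api_key, workspace_id=None, params=None, base=API_BASE):
    """Return an unsent Request with auth that matches the key type."""
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has stray whitespace")
    parts = urlsplit(base)
    if parts.scheme != "https" or parts.hostname != "api.retrac.co":
        # Never attach the bearer token to plain HTTP or to another host.
        raise ValueError("refusing to send key to a non-HTTPS or unknown host")
    query = dict(params or {})
    if "workspaceId" in query:
        raise ValueError("pass workspace_id as an argument, not in params")
    if api_key.startswith(RESTRICTED_PREFIX):
        # Workspace is embedded in the key, so workspaceId must be omitted.
        if workspace_id is not None:
            raise ValueError("restricted key: omit workspaceId")
    elif not workspace_id:
        # Full-access key: workspaceId is required on the request.
        raise ValueError("full-access key: workspaceId is required")
    else:
        query["workspaceId"] = workspace_id
    url = f"{base.rstrip('/')}/{path.lstrip('/')}"
    if query:
        url += "?" + urlencode(query)
    return Request(url, headers={"Authorization": f"Bearer {api_key}"})


if __name__ == "__main__":
    # Constructed sample values; real keys come from load_key().
    for key, ws in (("retrac_constructed", None), ("constructedfull", "ws_demo")):
        req = build_request("/items", key, workspace_id=ws)
        print(req.get_method(), req.full_url)
```

The returned Request is not sent; pass it to urllib.request.urlopen or copy its URL and header into the HTTP client you already use.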

Session authentication

Dashboard session cookies are not documented here and should not be used for third-party integrations. Use API keys for programmatic access.

Plan requirements

API keys are available on Business plans and above. Lower plans may receive 403 responses when creating or using keys.