Transport and storage
- All API traffic must use TLS (https://api.retrac.co).
- Store API keys in environment variables or a secrets manager — never in frontend bundles, mobile apps, or public config files.
- Rotate keys immediately if a key may have been exposed. Delete the old key after deploying the new one.
Least privilege
- Prefer restricted keys (retrac_prefix) over full-access keys.
- Grant only the scopes your integration needs. A read-only reporting job should use apis.read, not apis.all.
- Use separate keys per environment (staging vs production) and per integration.
Workspace isolation
- Every request is scoped to a single workspace. Keys cannot access workspaces the creating user does not belong to.
- Responses contain only data for the authenticated workspace. Cross-tenant access is not supported by design.
Location access
Members with location restrictions only see and modify inventory for assigned locations — including via API keys created by that member. Owners always have full workspace access.
Rate limiting
API keys are rate limited per key. See Rate limits. Honor 429 responses and the Retry-After header.
What the public API does not expose
The documented API surface intentionally excludes:
- Admin, cron, billing, and webhook callback routes
- User session, password, and OAuth endpoints
- SAML/SCIM provisioning endpoints (configured in the dashboard, not via public REST)
- Internal AI, support, and feedback endpoints
Error responses
Errors return JSON with a machine-readable code and no stack traces or internal paths. See Errors.
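The transport, rate-limiting and error-handling rules above, put together in a small client scaffold. This is an added example, not Retrac's own SDK; the environment variable name RETRAC_API_KEY is an assumption, the HTTP transport is injected as a callable so the page's stated header for passing the key is not guessed, and Retry-After is treated as a delay in seconds.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Mapping
from urllib.parse import urlparse

@dataclass
class Response:  # minimal stand-in for an HTTP response, constructed for this example
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

class ApiError(Exception):
    """Surfaces the machine-readable `code` from an error body, nothing more."""
    def __init__(self, status: int, code: str):
        super().__init__(f"HTTP {status}: {code}")
        self.status, self.code = status, code

def load_api_key(env_var: str = "RETRAC_API_KEY", env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment (never from source); the variable name is an assumption."""
    key = env.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is unset: supply the key via an env var or secrets manager")
    return key

def require_tls(url: str) -> str:
    """Refuse to send a key anywhere except an https:// URL."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS transport: {url}")
    return url

def request_with_retry(do_request: Callable[[], Response], max_attempts: int = 3,
                       sleep: Callable[[float], None] = time.sleep) -> Response:
    """Honor 429 + Retry-After; raise ApiError carrying the body's `code` for other 4xx/5xx."""
    for attempt in range(1, max_attempts + 1):
        resp = do_request()
        if resp.status == 429 and attempt < max_attempts:
            try:
                delay = float(resp.headers.get("Retry-After", 1))
            except ValueError:  # HTTP-date form of Retry-After: fall back to a fixed wait
                delay = 1.0
            sleep(max(delay, 0.0))
            continue
        if resp.status >= 400:
            raise ApiError(resp.status, resp.body.get("code", "unknown_error"))
        return resp
    raise AssertionError("unreachable: every attempt returns or raises")
```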