
API keys

API keys allow external systems to access Traceable programmatically on behalf of your account. Use them to integrate Traceable into your internal tools, automate DPP data exports, or connect to third-party compliance and ERP platforms.

Navigate to Settings → API Keys to manage your keys.


What API Keys Are Used For

Use case                    | Description
----------------------------|------------------------------------------------------------------------------
Internal system integration | Pull DPP data into your internal product information management (PIM) or ERP system.
Automated data export       | Schedule regular exports of your product catalogue, compliance documents, or audit logs.
Third-party tools           | Connect Traceable to supply chain visibility platforms, carbon accounting tools, or regulatory reporting systems that accept API feeds.
CI/CD pipelines             | Trigger DPP data validation checks as part of your product release workflow.

Creating an API Key

  1. Navigate to Settings → API Keys.
  2. Click New key.
  3. Enter a descriptive name for the key — use a name that identifies the system or integration it will be used for (e.g., sap-erp-export, powerbi-dashboard, qms-compliance-feed).
  4. Click Create key.
  5. Copy the key immediately. The full key value is displayed only once at creation time. After you close or navigate away from this screen, the key cannot be retrieved — only its name and metadata will be visible.

Store the key securely as described in the section below.


Key Scopes

All API keys currently operate with read-only scope. This means a key can:

  • Read your account's product catalogue and DPP data.
  • Access public DPP endpoints.
  • Retrieve compliance document metadata (not the binary file contents, which require a separate download link).
  • Read your account's audit log entries.

Keys cannot create, modify, or delete any data in your Traceable account. Write-access scopes are planned for a future release.


Storing Keys Securely

API keys are credentials equivalent to a password. They must be treated with the same level of care.

Do:

  • Store keys in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Key Vault).
  • Store keys in environment variables on the systems that need them.
  • Rotate keys on a regular schedule or whenever personnel with access to the key leave your organisation.

Do not:

  • Commit keys to source code repositories — even private ones. Use .gitignore and environment variable injection instead.
  • Share keys over email, Slack, or any unencrypted channel.
  • Use the same key for multiple independent integrations. Create one key per integration so that compromise or revocation of one key does not affect others.

Rotating a Key

Key rotation is the process of replacing an existing key with a new one. This should be done periodically or whenever you suspect a key may have been exposed.

  1. Create a new key (follow the steps in Creating an API Key).
  2. Update your integration or system to use the new key.
  3. Verify that the new key is working correctly by testing the integration.
  4. Return to Settings → API Keys, locate the old key, and click Revoke.

Do not revoke the old key before confirming the new key is functioning — doing so will cause your integration to fail during the transition window.


Revoking a Key

To revoke a key immediately:

  1. Navigate to Settings → API Keys.
  2. Locate the key in the list.
  3. Click Revoke next to the key name.
  4. Confirm the revocation in the dialogue.

Revocation is immediate. Any request made with a revoked key will receive an HTTP 401 Unauthorized response. There is no grace period. Revoked keys cannot be re-enabled.


Monitoring Key Usage

Each key in the Settings → API Keys list displays:

Field         | Description
--------------|---------------------------------------------------------------------------
Name          | The descriptive name you assigned at creation.
Created       | The date and time the key was created.
Last used     | The date and time of the most recent authenticated request using this key.
Request count | Total number of requests made with this key since creation.

If a key shows unexpected activity — requests at unusual times or from unexpected IP addresses — revoke it immediately and investigate.


Rate Limits

API keys are subject to the same rate limits as the Traceable API. For full rate limit details, including per-endpoint limits and burst allowances, see the Developer Guide.

If your integration exceeds rate limits, requests will receive an HTTP 429 Too Many Requests response with a Retry-After header indicating when the next request can be made.
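As an added example (not Traceable's own client or SDK), a small Python client that applies three points from this page: the key is read from an environment variable rather than source, a 401 is treated as a revoked key and is not retried, and a 429 is retried only after the Retry-After interval. The Bearer authorization scheme, the endpoint path and the host example.invalid are assumptions the page does not state, and the scripted responses in demo() are constructed so the block runs offline.

```python
import os, time, urllib.error, urllib.request

class RevokedKeyError(RuntimeError):
    """HTTP 401: the key is revoked or invalid, so retrying cannot help."""

def load_api_key(env_var="TRACEABLE_API_KEY"):
    """Read the key from the environment (injected from a secrets manager), never from source."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; inject the key at runtime")
    return key

def urllib_send(url, headers):
    """Real transport: returns (status, response headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def get_with_key(url, api_key, send=urllib_send, sleep=time.sleep, max_retries=3):
    """GET url: 401 raises at once (no grace period); 429 waits Retry-After seconds and retries."""
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}  # ASSUMED scheme
    for attempt in range(max_retries + 1):
        status, resp_headers, body = send(url, headers)
        if status == 401:
            raise RevokedKeyError("401 Unauthorized: key revoked or invalid; rotate it")
        if status == 429 and attempt < max_retries:
            retry_after = {k.lower(): v for k, v in resp_headers.items()}.get("retry-after", "1")
            sleep(int(retry_after) if retry_after.isdigit() else 1)  # HTTP-date form: fall back to 1s
            continue
        return status, body

def scripted_send(queue):
    """Constructed offline transport: pops one (status, headers, body) per request."""
    return lambda url, headers: queue.pop(0)

def demo():
    """Returns (status, body, seconds slept, whether a 401 raised after exactly one request)."""
    slept = []
    status, body = get_with_key("https://example.invalid/products", "constructed-key",
        send=scripted_send([(429, {"Retry-After": "2"}, b""), (200, {}, b'{"products": []}')]),
        sleep=slept.append)
    try:
        get_with_key("https://example.invalid/products", "revoked-key", send=scripted_send([(401, {}, b"")]))
        raised = False
    except RevokedKeyError:  # a retry would have popped the empty queue and raised IndexError instead
        raised = True
    return status, body, slept, raised
```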