Skip to main content
AgriBackup submits Due Diligence Statements to the EU TRACES NT system on your behalf using delegated credentials. Before DDS submission is possible, you must ingest your TRACES NT API token or password through this endpoint. AgriBackup encrypts the raw credential immediately using the HashiCorp Vault Transit Engine (AES-256-GCM) and stores only the resulting ciphertext reference — the plaintext credential is never written to disk or persisted in any database. You can verify the delegation is active at any time using the Check Status endpoint. POST /api/v1/enterprise/eudr/credentials/traces

Request Body

tokenOrPassword
string
required
The raw TRACES NT API token or account password issued by the European Commission’s TRACES NT portal. This value is transmitted over TLS and immediately encrypted on receipt — it is never logged or stored in plaintext.Example: "secret_abc123"
username
string
Your TRACES NT username, required if your organisation’s TRACES NT account uses username/password authentication rather than token-based access. If your account uses a bearer token only, this field can be omitted.Example: "eudr_enterprise_user"

Code Examples

import agribackup
from agribackup.rest import ApiException

configuration = agribackup.Configuration(host="https://live.agribackup.com/api/v1")
configuration.api_key["ApiKeyAuth"] = "sk_live_YOUR_API_KEY"

payload = {
    "tokenOrPassword": "traces_token_ABC123XYZ",
    "username": "eudr_enterprise_user"
}

with agribackup.ApiClient(configuration) as api_client:
    try:
        api_instance = agribackup.EnterpriseCredentialsApi(api_client)
        response = api_instance.ingest_traces_credentials(body=payload)
        print(response)
    except ApiException as e:
        print("Exception when calling API: %s\n" % e)
import { AgriBackupClient } from "@agribackup/sdk";

const client = new AgriBackupClient({
  apiKey: "sk_live_YOUR_API_KEY",
  baseUrl: "https://live.agribackup.com/api/v1",
});

async function ingestCredentials() {
  try {
    const response = await client.credentials.ingestTracesCredentials({
      tokenOrPassword: "traces_token_ABC123XYZ",
      username: "eudr_enterprise_user",
    });
    console.log(response);
  } catch (error) {
    console.error(error);
  }
}

ingestCredentials();
curl --request POST \
  --url https://live.agribackup.com/api/v1/enterprise/eudr/credentials/traces \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer sk_live_YOUR_API_KEY" \
  --data '{
    "tokenOrPassword": "traces_token_ABC123XYZ",
    "username": "eudr_enterprise_user"
  }'

Response

A 200 OK response confirms the credential was encrypted and stored in Vault. The vaultReference is an opaque ciphertext handle — AgriBackup uses this internally to decrypt and forward the credential to TRACES NT during DDS submission. You do not need to store or supply this reference in subsequent calls.
{
  "status": "SECURED",
  "vaultReference": "vault:v1:encodedCiphertextHere"
}
status
string
Indicates the outcome of the vault ingestion. A value of SECURED confirms the credential has been encrypted and anchored in HashiCorp Vault and is ready for delegation.
vaultReference
string
An opaque reference string returned by the HashiCorp Vault Transit Engine representing the encrypted ciphertext. This is used internally by AgriBackup when forwarding credentials to TRACES NT; you do not need to store it.

Error Responses

HTTP StatusError CodeDescription
400 Bad RequestVALIDATION_FAILEDThe tokenOrPassword field is missing or empty.
401 UnauthorizedUNAUTHORIZEDThe Authorization header is absent or the bearer token is not recognised.
403 ForbiddenFORBIDDENYour API key does not have the required scope to manage credentials.
429 Too Many RequestsRATE_LIMITEDYou have exceeded the hourly rate limit. Check X-RateLimit-Reset for your reset time.
{
  "code": "VALIDATION_FAILED",
  "message": "Request validation failed",
  "details": [
    {
      "code": "REQUIRED_FIELD_MISSING",
      "field": "tokenOrPassword",
      "issue": "tokenOrPassword is required and cannot be empty"
    }
  ]
}