AgriBackup submits Due Diligence Statements to the EU TRACES NT system on your behalf using delegated credentials. Before DDS submission is possible, you must ingest your TRACES NT API token or password through this endpoint. AgriBackup encrypts the raw credential immediately using the HashiCorp Vault Transit Engine (AES-256-GCM) and stores only the resulting ciphertext reference — the plaintext credential is never written to disk or persisted in any database. You can verify the delegation is active at any time using the Check Status endpoint.
POST /api/v1/enterprise/eudr/credentials/traces
Request Body
The raw TRACES NT API token or account password issued by the European Commission’s TRACES NT portal. This value is transmitted over TLS and immediately encrypted on receipt — it is never logged or stored in plaintext.Example: "secret_abc123"
Your TRACES NT username, required if your organisation’s TRACES NT account uses username/password authentication rather than token-based access. If your account uses a bearer token only, this field can be omitted.Example: "eudr_enterprise_user"
Code Examples
import agribackup
from agribackup.rest import ApiException
configuration = agribackup.Configuration(host="https://live.agribackup.com/api/v1")
configuration.api_key["ApiKeyAuth"] = "sk_live_YOUR_API_KEY"
payload = {
"tokenOrPassword": "traces_token_ABC123XYZ",
"username": "eudr_enterprise_user"
}
with agribackup.ApiClient(configuration) as api_client:
try:
api_instance = agribackup.EnterpriseCredentialsApi(api_client)
response = api_instance.ingest_traces_credentials(body=payload)
print(response)
except ApiException as e:
print("Exception when calling API: %s\n" % e)
import { AgriBackupClient } from "@agribackup/sdk";
const client = new AgriBackupClient({
apiKey: "sk_live_YOUR_API_KEY",
baseUrl: "https://live.agribackup.com/api/v1",
});
async function ingestCredentials() {
try {
const response = await client.credentials.ingestTracesCredentials({
tokenOrPassword: "traces_token_ABC123XYZ",
username: "eudr_enterprise_user",
});
console.log(response);
} catch (error) {
console.error(error);
}
}
ingestCredentials();
curl --request POST \
--url https://live.agribackup.com/api/v1/enterprise/eudr/credentials/traces \
--header "Content-Type: application/json" \
--header "Authorization: Bearer sk_live_YOUR_API_KEY" \
--data '{
"tokenOrPassword": "traces_token_ABC123XYZ",
"username": "eudr_enterprise_user"
}'
Response
A 200 OK response confirms the credential was encrypted and stored in Vault. The vaultReference is an opaque ciphertext handle — AgriBackup uses this internally to decrypt and forward the credential to TRACES NT during DDS submission. You do not need to store or supply this reference in subsequent calls.
{
"status": "SECURED",
"vaultReference": "vault:v1:encodedCiphertextHere"
}
Indicates the outcome of the vault ingestion. A value of SECURED confirms the credential has been encrypted and anchored in HashiCorp Vault and is ready for delegation.
An opaque reference string returned by the HashiCorp Vault Transit Engine representing the encrypted ciphertext. This is used internally by AgriBackup when forwarding credentials to TRACES NT; you do not need to store it.
Error Responses
| HTTP Status | Error Code | Description |
|---|
400 Bad Request | VALIDATION_FAILED | The tokenOrPassword field is missing or empty. |
401 Unauthorized | UNAUTHORIZED | The Authorization header is absent or the bearer token is not recognised. |
403 Forbidden | FORBIDDEN | Your API key does not have the required scope to manage credentials. |
429 Too Many Requests | RATE_LIMITED | You have exceeded the hourly rate limit. Check X-RateLimit-Reset for your reset time. |
{
"code": "VALIDATION_FAILED",
"message": "Request validation failed",
"details": [
{
"code": "REQUIRED_FIELD_MISSING",
"field": "tokenOrPassword",
"issue": "tokenOrPassword is required and cannot be empty"
}
]
}