> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agribackup.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Ingest TRACES NT Credentials into Vault

> Securely store your TRACES NT API token or password in AgriBackup's HashiCorp Vault. Required before submitting Due Diligence Statements.

AgriBackup submits Due Diligence Statements to the EU TRACES NT system on your behalf using delegated credentials. Before DDS submission is possible, you must ingest your TRACES NT API token or password through this endpoint. AgriBackup encrypts the raw credential immediately using the HashiCorp Vault Transit Engine (AES-256-GCM) and stores only the resulting ciphertext reference — the plaintext credential is never written to disk or persisted in any database. You can verify the delegation is active at any time using the [Check Status](/sdks/enterprise-credentials/check-traces-nt-credential-delegation-status) endpoint.

**`POST /api/v1/enterprise/eudr/credentials/traces`**

## Request Body

<ParamField body="tokenOrPassword" type="string" required>
  The raw TRACES NT API token or account password issued by the European Commission's TRACES NT portal. This value is transmitted over TLS and immediately encrypted on receipt — it is never logged or stored in plaintext.

  **Example:** `"secret_abc123"`
</ParamField>

<ParamField body="username" type="string">
  Your TRACES NT username, required if your organisation's TRACES NT account uses username/password authentication rather than token-based access. If your account uses a bearer token only, this field can be omitted.

  **Example:** `"eudr_enterprise_user"`
</ParamField>

## Code Examples

<CodeGroup>
  ```python Python theme={null}
  import agribackup
  from agribackup.rest import ApiException

  configuration = agribackup.Configuration(host="https://live.agribackup.com/api/v1")
  configuration.api_key["ApiKeyAuth"] = "sk_live_YOUR_API_KEY"

  payload = {
      "tokenOrPassword": "traces_token_ABC123XYZ",
      "username": "eudr_enterprise_user"
  }

  with agribackup.ApiClient(configuration) as api_client:
      try:
          api_instance = agribackup.EnterpriseCredentialsApi(api_client)
          response = api_instance.ingest_traces_credentials(body=payload)
          print(response)
      except ApiException as e:
          print("Exception when calling API: %s\n" % e)
  ```

  ```javascript Node.js theme={null}
  import { AgriBackupClient } from "@agribackup/sdk";

  const client = new AgriBackupClient({
    apiKey: "sk_live_YOUR_API_KEY",
    baseUrl: "https://live.agribackup.com/api/v1",
  });

  async function ingestCredentials() {
    try {
      const response = await client.credentials.ingestTracesCredentials({
        tokenOrPassword: "traces_token_ABC123XYZ",
        username: "eudr_enterprise_user",
      });
      console.log(response);
    } catch (error) {
      console.error(error);
    }
  }

  ingestCredentials();
  ```

  ```bash cURL theme={null}
  curl --request POST \
    --url https://live.agribackup.com/api/v1/enterprise/eudr/credentials/traces \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer sk_live_YOUR_API_KEY" \
    --data '{
      "tokenOrPassword": "traces_token_ABC123XYZ",
      "username": "eudr_enterprise_user"
    }'
  ```
</CodeGroup>

## Response

A `200 OK` response confirms the credential was encrypted and stored in Vault. The `vaultReference` is an opaque ciphertext handle — AgriBackup uses this internally to decrypt and forward the credential to TRACES NT during DDS submission. You do not need to store or supply this reference in subsequent calls.

```json theme={null}
{
  "status": "SECURED",
  "vaultReference": "vault:v1:encodedCiphertextHere"
}
```

<ResponseField name="status" type="string">
  Indicates the outcome of the vault ingestion. A value of `SECURED` confirms the credential has been encrypted and anchored in HashiCorp Vault and is ready for delegation.
</ResponseField>

<ResponseField name="vaultReference" type="string">
  An opaque reference string returned by the HashiCorp Vault Transit Engine representing the encrypted ciphertext. This is used internally by AgriBackup when forwarding credentials to TRACES NT; you do not need to store it.
</ResponseField>

## Error Responses

| HTTP Status             | Error Code          | Description                                                                             |
| ----------------------- | ------------------- | --------------------------------------------------------------------------------------- |
| `400 Bad Request`       | `VALIDATION_FAILED` | The `tokenOrPassword` field is missing or empty.                                        |
| `401 Unauthorized`      | `UNAUTHORIZED`      | The `Authorization` header is absent or the bearer token is not recognised.             |
| `403 Forbidden`         | `FORBIDDEN`         | Your API key does not have the required scope to manage credentials.                    |
| `429 Too Many Requests` | `RATE_LIMITED`      | You have exceeded the hourly rate limit. Check `X-RateLimit-Reset` for your reset time. |

```json theme={null}
{
  "code": "VALIDATION_FAILED",
  "message": "Request validation failed",
  "details": [
    {
      "code": "REQUIRED_FIELD_MISSING",
      "field": "tokenOrPassword",
      "issue": "tokenOrPassword is required and cannot be empty"
    }
  ]
}
```
