Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt

Use this file to discover all available pages before exploring further.

Integrating Tracer means deciding where in your authorization flow to make the validation call, what data to send, and how to handle the three possible decisions. The pattern is short: your system collects the full transaction context, calls POST /v1/validations, acts on ALLOW / DENY / REVIEW, and moves on. Tracer never reaches back into your stack — there are no webhooks or callbacks; the integration ends with the response. What changes in your operation: decisioning moves from in-process logic to an external call. The call is synchronous (request/response, no webhooks), so it sits on the critical path of the transaction. Done well, it adds under 80ms p99 and gives you a single point for policy and audit. Done poorly — no timeout, no retry strategy, no fallback — it becomes a single point of failure. Trade-off to be honest about: you’re adding a network hop. The good news is the contract is simple: idempotent by requestId, no callbacks, deterministic three-state response. The bad news is you need to think about timeouts, retries, and what to do if Tracer is unreachable — most of this guide is about that.
Who is this guide for? Integration engineers writing the request from your system to Tracer, and architects deciding where the call sits in the flow. Risk and fraud analysts who write rules can skip ahead to the Rules engine guide; compliance can read the Audit and compliance guide instead.
This guide covers payload requirements, the integration flow, and practices that keep the validation call inside your latency budget.

Integration overview

Tracer is designed to be called by authorization systems (payment gateways, workflow orchestrators, or transaction processors) that need real-time validation decisions. The integration follows a simple request-response pattern:
Key principle: Tracer does not fetch external data during validation. Your system is responsible for providing all context needed for rule evaluation.

Payload-Complete Pattern

Tracer uses the Payload-Complete Pattern, which means all context required for validation must be included in the request. This design ensures:
BenefitDescription
Predictable latencyNo external calls during validation; response time stays under 80ms
SimplicitySingle request contains everything needed for decision
ReliabilityNo dependency on external services during validation
FlexibilityYour system controls data freshness and enrichment logic

Your responsibilities

As the integrating system, you are responsible for:
  1. Enriching the payload with account, segment, portfolio, and merchant data before calling Tracer
  2. Providing accurate context for rule and limit evaluation—Tracer cannot fetch missing data
  3. Handling the decision (ALLOW, DENY, or REVIEW) appropriately in your workflow
  4. Implementing retry logic if Tracer is temporarily unavailable
  5. Managing review workflows when Tracer returns REVIEW—Tracer does not include case management
Tracer validates what you send. If your payload is missing context (e.g., account status, segment membership), rules that depend on that data cannot evaluate correctly. Always ensure payloads are complete before submission.

Tracer’s responsibilities

Tracer is responsible for:
  1. Evaluating rules against the provided context
  2. Checking limits against current usage
  3. Recording audit trail for compliance
  4. Returning decision with detailed information

Integration flow

Follow these steps to integrate your system with Tracer.

Step 1: Prepare the transaction context

Before calling Tracer, gather all relevant data from your systems:

Step 2: Call Tracer API

Send a POST request to /v1/validations with the complete transaction context including:
  • Transaction details (type, subType, amount, currency, timestamp)
  • Account information (required)
  • Optional: segment, portfolio, merchant, and custom
For complete payload structure and field details, see the API reference.

Step 3: Handle the response

Process the decision returned by Tracer:
DecisionAction
ALLOWProceed with the transaction
DENYReject the transaction; show reason to user if appropriate
REVIEWQueue for manual review in your review system
The response includes the validationId for audit trail correlation, details about which rules matched, and current limit usage information.

Using metadata

Metadata allows you to pass custom fields that your rules can evaluate. Use this for context like channel, device information, customer tier, or any business-specific attributes.
Metadata keys must be alphanumeric with underscores only, maximum 64 characters. Maximum 50 entries per request.

Request idempotency

Validation requests are idempotent based on the requestId field. If you send the same requestId twice, Tracer returns the cached result from the first request instead of reprocessing.
Response codeMeaning
201 CreatedNew validation processed
200 OKDuplicate request detected; cached result returned
The response body is identical in both cases. Your client should handle both status codes as success. Why it matters: Network timeouts and retries can cause duplicate requests. Without idempotency, a retried request could double-count against limits or create duplicate audit records. The requestId ensures exactly-once processing semantics. Idempotency contract:
  • Same requestId → Same response (guaranteed)
  • Different requestId → Independent processing (even if transaction data is identical)
Always generate a unique requestId (UUID) for each new transaction. Reusing a requestId from a previous transaction will return the old result, not process the new transaction.

Authentication

Tracer supports two authentication modes that can be used independently or combined.

API key authentication

The simplest option. Send your API key in the X-API-Key header with every request.
Environment variableDescription
API_KEY_ENABLEDEnable API key authentication (default: false)
API_KEYThe secret key value
API_KEY_ENABLED_ONLY_VALIDATIONUse API key only for the /v1/validations endpoint (default: false)

Plugin authentication (Access Manager)

For enterprise deployments, Tracer can delegate authentication to the Lerian Access Manager. This enables centralized authentication across all Lerian services.
Environment variableDescription
PLUGIN_AUTH_ENABLEDEnable plugin authentication (default: false)
PLUGIN_AUTH_ADDRESSURL of the auth service (default: http://localhost:4000)

Authentication priority

When both modes are enabled, Tracer uses this priority:
  1. If PLUGIN_AUTH_ENABLED=true and the endpoint is not flagged for API-key-only → Plugin auth
  2. If API_KEY_ENABLED=true or the endpoint is flagged for API-key-only → API key auth
Infrastructure endpoints (health checks, version probe, OpenAPI spec) bypass authentication and are not part of the public /v1/* API surface documented in this reference.
The /v1/validations endpoint can be configured for API-key-only authentication via API_KEY_ENABLED_ONLY_VALIDATION=true. This is useful in high-throughput scenarios where plugin auth adds unacceptable latency. This flag is incompatible with multi-tenant mode (MULTI_TENANT_ENABLED=true) — the service fails to start with TRC-0327.

Multi-tenant authentication

When MULTI_TENANT_ENABLED=true, Tracer runs in multi-tenant mode and the authentication model changes:
  • Plugin auth is required. The service fails to start with TRC-0326 if PLUGIN_AUTH_ENABLED=false.
  • Every /v1/* request must carry a JWT bearer token issued by Access Manager: Authorization: Bearer <jwt>.
  • tenantId is resolved from the JWT claim, not from a header, path, body, metadata, or rule scope. There is no X-Tenant-ID header — passing the tenant identifier anywhere other than the token claim is unsupported and ignored.
  • Each tenant operates on its own PostgreSQL database. The tenant-specific connection is resolved by the platform’s Tenant Manager service at request time.
  • Public endpoints (/health, /readyz, /version, /swagger/*) stay unauthenticated in multi-tenant mode too — the bearer-token requirement applies only to /v1/*.
If the JWT is missing, malformed, or expired, the request returns HTTP 401 with "code": "Unauthenticated" (the same code used for missing API keys; no separate TRC code is emitted). If the multi-tenant deployment hits its per-instance tenant cap, requests for cold tenants return HTTP 503 with TRC-0335 and a Retry-After header. The client should back off and retry; the cap auto-resets as the LRU pool evicts cold tenants. See Multi-tenancy for the platform-wide tenant model.

Performance considerations

Optimize your integration for low latency and high reliability.

Timeout budget

Tracer is designed to respond in under 80ms (p99). Configure your client timeout accordingly:
ConfigurationRecommended value
Client timeout100ms
Connection timeout50ms
Read timeout100ms

Retry strategy

Implement retry logic for transient failures: 
On 5xx error or timeout:
  - Wait 10ms
  - Retry once
  - If still failing, apply fallback policy
Do not retry on 4xx errors—these indicate invalid requests that will fail again. For retries on 5xx/timeout, reuse the same requestId to take advantage of idempotency.

Fallback behavior

Decide what happens when Tracer is unavailable:
StrategyWhen to use
Fail-openAllow transaction if Tracer is down (prioritize availability)
Fail-closedDeny transaction if Tracer is down (prioritize security)
Queue for reviewQueue transaction for manual review
Your choice depends on your risk tolerance and business requirements.
Common integration pitfalls:
  • “My retry created a duplicate validation in the audit trail.” Reuse the same requestId across retries. Tracer deduplicates by that field — the second call returns the cached result (HTTP 200) without creating a duplicate event. If you generate a fresh UUID on every retry, you defeat idempotency.
  • “My client times out after 30 seconds but Tracer keeps processing.” Tracer respects its own deadlines (~80ms p99 target). If your client gives up on the call, Tracer’s work is already wasted on returning a response. Set client timeout aggressively (100ms) and trust the retry path.
  • “My validation is rejected with TRC-0228 (timestamp too old) on legitimate transactions.” Default tolerance is 24 hours. Check your server clock and the transactionTimestamp you’re sending — if you batch-process late, you need to set the timestamp to the actual transaction moment, not the moment you’re calling Tracer.
  • “Test transactions show up in production audit.” All validations are recorded, including from test/staging environments calling the same Tracer instance. Use metadata.environment (or similar) to tag and filter test traffic if you share Tracer between environments.

Data freshness

Since you control the payload enrichment, data freshness is your responsibility. Tracer trusts the data you provide and cannot detect stale information.
Data typeFreshness recommendationRisk if stale
Account statusReal-time or near real-timeTransactions on suspended accounts may be allowed
Segment membershipCan be cached (changes infrequently)Wrong limits or rules may apply
Portfolio assignmentCan be cached (changes infrequently)Incorrect scope matching
Merchant dataCan be cached with periodic refreshRisk rules may not trigger correctly
Stale data leads to incorrect decisions. If an account was suspended but your cache shows it as active, Tracer will allow transactions that should be denied. Your enrichment layer is the source of truth for Tracer.

Date and time format

All datetime fields must use RFC3339 format with mandatory timezone: Valid formats: 
2026-01-30T10:30:00Z           (UTC)
2026-01-30T10:30:00-03:00      (São Paulo timezone)
2026-01-30T00:00:00+00:00      (UTC explicit)
Invalid formats: 
2026-01-30                     (date only - rejected)
2026-01-30T10:30:00            (missing timezone - rejected)

Integration checklist

Before going to production, verify:
  • API Key is configured and secured
  • Each request includes a unique requestId (UUID)
  • Client handles both 201 and 200 responses as success
  • Client timeout is set to 100ms
  • Retry logic is implemented for 5xx errors
  • Fallback behavior is defined
  • All required fields are populated
  • Timestamps use RFC3339 format with timezone
  • Currency codes are uppercase ISO 4217
  • Decision handling is implemented (ALLOW/DENY/REVIEW)
  • Validation IDs are logged for audit trail correlation

Example integration (pseudocode)

def validate_transaction(transaction):
    # Step 1: Enrich payload
    payload = {
        "requestId": generate_uuid(),
        "transactionType": transaction.type,
        "amount": transaction.amount,
        "currency": transaction.currency.upper(),
        "transactionTimestamp": now_rfc3339(),
        "account": get_account_context(transaction.account_id),
        "segment": get_segment_context(transaction.segment_id),
        "merchant": get_merchant_context(transaction.merchant_id),
        "metadata": transaction.custom_fields
    }

    # Step 2: Call Tracer
    try:
        response = http_post(
            url="https://tracer.example.com/v1/validations",
            headers={"X-API-Key": API_KEY},
            json=payload,
            timeout_ms=100
        )
    except Timeout:
        return apply_fallback_policy()
    except ServerError:
        return retry_once_or_fallback()

    # Step 3: Handle decision
    if response.decision == "ALLOW":
        return proceed_with_transaction()
    elif response.decision == "DENY":
        return reject_transaction(response.reason)
    elif response.decision == "REVIEW":
        return queue_for_manual_review(response.validationId)

Next steps