The Traffical SDK API is served from sdk.traffical.io. SDKs use it to fetch config bundles, send events, and (in server evaluation mode) request resolutions. You can also call it directly for server-to-server integrations.

Base URL

https://sdk.traffical.io
You can override this in any SDK with the baseUrl option — useful for testing.

Authentication

All requests require an API key in the Authorization header:
Authorization: Bearer traffical_sk_...

API key types

Every key has the same traffical_sk_... prefix. What a key can do — and whether it is browser-safe — depends on its scopes, not its prefix:
| Scopes | Type | Capabilities | Browser-safe? |
| --- | --- | --- | --- |
| sdk:read, sdk:write | SDK key | Fetch bundles, request resolutions, send events | Yes — ship in client code |
| mgmt:read, mgmt:write, or admin | Management key | Create and modify projects, layers, policies | No — must stay secret |
  • sdk:read — fetch bundles, request resolutions
  • sdk:write — send events
  • mgmt:read / mgmt:write / admin — read and modify configuration
SDK keys are safe to include in client-side JavaScript: they can fetch the project’s bundle and send events, but cannot modify configuration in any way. Management keys can change configuration and must never ship in client code. A mgmt:read key also authenticates AI agents against the read-only MCP server.

Managing keys

Create and revoke keys under Settings → API keys in the dashboard. Keys can be scoped to a project and environment, given an expiry, or revoked at any time.

Endpoints

| Method | Path | Description | Scope |
| --- | --- | --- | --- |
| GET | /v1/config/:projectId | Fetch the config bundle | sdk:read |
| POST | /v1/resolve | Server-side resolution (for evaluationMode: "server") | sdk:read |
| POST | /v1/decide/:policyId | Per-entity adaptive decision | sdk:read |
| POST | /v1/events | Send exposure, decision, and track events | sdk:write |
The /v1/events/batch endpoint is an alias for POST /v1/events for clients that prefer the explicit “batch” naming.

Caching

GET /v1/config/:projectId is served with Cache-Control: public, max-age=60, must-revalidate and an ETag per bundle version. SDKs send If-None-Match on subsequent requests — unchanged bundles return 304 Not Modified with no body. Use the same pattern in any custom client that polls the bundle.
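The polling pattern described above, sketched for a custom client. This is an added example, not Traffical SDK code: the BundlePoller class, its method names, the lower-cased header object and the already-parsed JSON body are assumptions, and the key and project id are placeholders.

```javascript
// Added example: conditional-GET state for polling GET /v1/config/:projectId.
// Transport (fetch etc.) is left to the caller, so the logic runs offline.
class BundlePoller {
  constructor({ projectId, apiKey, baseUrl = "https://sdk.traffical.io" }) {
    this.url = `${baseUrl}/v1/config/${encodeURIComponent(projectId)}`;
    this.apiKey = apiKey;  // sent only in the Authorization header, never in the URL
    this.etag = null;      // validator of the bundle currently held
    this.bundle = null;
    this.freshUntil = 0;   // ms timestamp derived from max-age
  }

  // Returns null while the held bundle is still fresh, else the request to send.
  nextRequest(now = Date.now()) {
    if (this.bundle !== null && now < this.freshUntil) return null;
    const headers = { Authorization: `Bearer ${this.apiKey}` };
    if (this.etag) headers["If-None-Match"] = this.etag;
    return { method: "GET", url: this.url, headers };
  }

  // Feed the response back in; headers is a plain object with lower-cased names.
  handleResponse({ status, headers = {}, body = null }, now = Date.now()) {
    const m = /max-age=(\d+)/.exec(headers["cache-control"] || "");
    const maxAgeMs = (m ? Number(m[1]) : 0) * 1000;
    if (status === 200) {
      this.bundle = body;
      this.etag = headers["etag"] || null;
      this.freshUntil = now + maxAgeMs;
      return { changed: true, bundle: this.bundle };
    }
    if (status === 304 && this.bundle !== null) {
      this.freshUntil = now + maxAgeMs;  // same bundle, new freshness window
      return { changed: false, bundle: this.bundle };
    }
    // Error shape from this page: { error, message }. The last good bundle is kept.
    // 401 (invalid or expired key) and 403 (missing scope) will not succeed on retry.
    const err = new Error(`${status} ${body?.error ?? "error"}: ${body?.message ?? ""}`);
    err.status = status;
    err.fatal = status === 401 || status === 403;
    throw err;
  }
}

// Constructed demo (no network): a 200, then the revalidation request 60 s later.
const demo = new BundlePoller({ projectId: "proj_demo", apiKey: "traffical_sk_placeholder" });
const cacheControl = "public, max-age=60, must-revalidate";
demo.handleResponse({ status: 200, headers: { "cache-control": cacheControl, etag: '"v1"' }, body: { v: 1 } }, 0);
console.log(demo.nextRequest(60000).headers["If-None-Match"]);
```

A caller treats `err.fatal` as a signal to stop polling and rotate or re-scope the key, and backs off on 429 or 500 while continuing to serve `bundle`.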

Error responses

All errors share a consistent shape:
{
  "error": "Unauthorized",
  "message": "Invalid or expired API key"
}
| Status | Description |
| --- | --- |
| 400 | Bad request — invalid payload or missing required fields |
| 401 | Unauthorized — missing or invalid API key |
| 403 | Forbidden — API key lacks required scope |
| 404 | Not found — resource does not exist |
| 429 | Rate limited |
| 500 | Internal server error |

Rate limits

Limits are generous for SDK traffic and scale with your plan. Two things to know:
  • GET /v1/config/:projectId responses are heavily cached at the edge — most SDK refreshes never reach an origin.
  • POST /v1/events accepts batches of up to 1000 events per request. Always batch; never send one event per request from a server.