
# Create a Limit

> Use this endpoint to create a spending limit with a `scopes` array. Limits are created in DRAFT status and are not enforced until you call the activate endpoint. After creation, `limitType` and `currency` cannot be changed.



## OpenAPI

````yaml /en/openapi/v3-current/tracer.yaml post /v1/limits
openapi: 3.1.0
info:
  title: Tracer API
  description: >-
    Complete API reference for Tracer services including transaction validation,
    rules management, spending limits, and audit events for SOX/GLBA compliance.
  version: 1.0.0
servers:
  - url: https://tracer.lerian.io
# Global security requirement. The list entries are alternatives: a request
# satisfies it with either ApiKeyAuth or BearerAuth. It applies to every
# operation that does not declare its own `security`.
security:
  - ApiKeyAuth: []
  - BearerAuth: []
tags:
  # NOTE(review): the health operations are not shown on this page. For them to
  # be unauthenticated in the spec, as the description below says, each needs an
  # operation-level `security: []` override of the global requirement - confirm.
  - name: Health API
    description: >-
      Health check endpoints for liveness and readiness probes. These endpoints
      do not require authentication.
  # "Not idempotent" means a retried validation is evaluated again.
  - name: Validations API
    description: >-
      Transaction validation endpoints. Performance target is under 80ms (p99).
      Validations are not idempotent.
  - name: Rules API
    description: >-
      Validation rule management endpoints. Rules use CEL (Common Expression
      Language) expressions.
  - name: Limits API
    description: >-
      Spending limit management endpoints. Limits control transaction amounts by
      scope and period.
  - name: Audit Events API
    description: >-
      Audit trail endpoints for SOX/GLBA compliance. All validation decisions
      and configuration changes are recorded.
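paths:
  /v1/limits:
    # Creates a spending limit. The new limit is in DRAFT status and is not
    # enforced until it is activated through the activate endpoint.
    post:
      tags:
        - Limits API
      summary: Create a Limit
      description: >-
        Use this endpoint to create a spending limit with scopes array. Limits
        are created in DRAFT status. Use the activate endpoint to start
        enforcement. After creation, limitType and currency cannot be changed.
      operationId: createLimit
      # Authentication comes from the global `security` requirement
      # (ApiKeyAuth or BearerAuth). X-API-Key is also listed here as a plain
      # header parameter, which duplicates the ApiKeyAuth scheme.
      # OpenAPI ignores header parameters named Content-Type; the accepted
      # media type is the one declared under `requestBody.content`.
      parameters:
        - $ref: '#/components/parameters/ContentType'
        - $ref: '#/components/parameters/XApiKey'
        - $ref: '#/components/parameters/XRequestId'
      requestBody:
        # `required` defaults to false. Without it, a validating gateway or a
        # generated client accepts a request with no body even though the
        # schema has required fields.
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateLimitInput'
            example:
              name: Daily Corporate Limit
              description: Daily spending limit for corporate segment
              limitType: DAILY
              maxAmount: '50000.00'
              currency: BRL
              scopes:
                - segmentId: 019c96a0-0b4e-7079-8be0-ab6bdccf975f
                  transactionType: CARD
      # NOTE(review): no 403 response is documented. Confirm how an
      # authenticated caller without permission to manage limits is answered.
      responses:
        '201':
          description: Indicates that the limit was successfully created in DRAFT status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Limit'
              example:
                limitId: 019c96a0-0c0d-7915-84b9-e497bfee9916
                name: Daily Corporate Limit
                description: Daily spending limit for corporate segment
                limitType: DAILY
                maxAmount: '50000.00'
                currency: BRL
                scopes:
                  - segmentId: 019c96a0-0b4e-7079-8be0-ab6bdccf975f
                    transactionType: CARD
                status: DRAFT
                resetAt: '2026-01-31T00:00:00Z'
                createdAt: '2026-01-30T10:00:00Z'
                updatedAt: '2026-01-30T10:00:00Z'
        '400':
          # Was an empty string; named like the other error responses.
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorFormat'
              examples:
                Error0001:
                  $ref: '#/components/examples/Error0001'
                Error0003:
                  $ref: '#/components/examples/Error0003'
                Error0122:
                  $ref: '#/components/examples/Error0122'
                Error0123:
                  $ref: '#/components/examples/Error0123'
                Error0124:
                  $ref: '#/components/examples/Error0124'
                Error0125:
                  $ref: '#/components/examples/Error0125'
                Error0126:
                  $ref: '#/components/examples/Error0126'
                Error0127:
                  $ref: '#/components/examples/Error0127'
                Error0129:
                  $ref: '#/components/examples/Error0129'
                Error0130:
                  $ref: '#/components/examples/Error0130'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorFormat'
              examples:
                ErrorUnauthenticated:
                  $ref: '#/components/examples/ErrorUnauthenticated'
        '409':
          description: Conflict
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorFormat'
              examples:
                # NOTE(review): TRC-0121 is a status-transition error, while
                # this operation only creates limits in DRAFT. Confirm which
                # conflict a create request can actually hit.
                Error0121:
                  $ref: '#/components/examples/Error0121'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorFormat'
              examples:
                Error0004:
                  $ref: '#/components/examples/Error0004'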
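components:
  parameters:
    # OpenAPI ignores a header parameter named Content-Type; the accepted
    # media type is taken from each operation's `requestBody.content`. This
    # entry therefore documents the header but is not enforced by tooling.
    ContentType:
      name: Content-Type
      in: header
      description: The type of media of the resource. Must be `application/json`.
      required: true
      example: application/json
      schema:
        type: string
    # The same header is declared as the ApiKeyAuth security scheme, which is
    # used by single-tenant deployments only. Multi-tenant deployments use
    # BearerAuth, so the header cannot be unconditionally required: with
    # `required: true`, validators and generated clients would demand an API
    # key alongside the JWT.
    XApiKey:
      name: X-API-Key
      in: header
      description: >-
        The API Key for authentication. **Required on every endpoint except
        health checks when the deployment uses API Key authentication
        (`MULTI_TENANT_ENABLED=false`)**. Multi-tenant deployments authenticate
        with a JWT bearer token instead.
      required: false
      schema:
        type: string
    # Client-supplied correlation value. In OpenAPI 3.1 `format: uuid` is an
    # annotation unless the validator enables format assertion, so consumers
    # of this value should not assume it is a well-formed UUID.
    XRequestId:
      name: X-Request-Id
      in: header
      description: A unique identifier used to trace and track each request.
      required: false
      example: 019c96a0-10ce-75fc-a273-dc799079a99c
      schema:
        type: string
        format: uuid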
  schemas:
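    # Request body for POST /v1/limits.
    # NOTE(review): `additionalProperties` is not declared, so this schema
    # accepts unknown properties; confirm whether the server rejects or ignores
    # them.
    CreateLimitInput:
      type: object
      description: Input for creating a new spending limit.
      required:
        - name
        - limitType
        - maxAmount
        - currency
        - scopes
      properties:
        # The server rejects some characters in the name (TRC-0129), but the
        # allowed set is not expressed here as a `pattern`.
        name:
          type: string
          minLength: 1
          maxLength: 255
          description: Human-readable limit name.
        # Same gap as for name: TRC-0130 rejects some characters, and the
        # allowed set is not part of the schema.
        description:
          type: string
          maxLength: 1000
        limitType:
          type: string
          enum:
            - DAILY
            - WEEKLY
            - MONTHLY
            - CUSTOM
            - PER_TRANSACTION
          description: Type of limit (cannot be changed after creation).
        # Decimal carried as a string. The pattern accepts a positive integer
        # without leading zeros and with an optional one or two decimals, or a
        # value from 0.01 to 0.99 written with exactly two decimals. Zero and
        # negative amounts do not match.
        # NOTE(review): there is no `maxLength`, so the integer part is
        # unbounded; consider a bound that matches what the backend can store.
        maxAmount:
          type: string
          pattern: '^(?:[1-9]\d*(?:\.\d{1,2})?|0\.(?:0[1-9]|[1-9]\d))$'
          example: '1000.00'
          description: Maximum decimal amount.
        # Only the length is constrained; any three characters pass schema
        # validation. NOTE(review): a `pattern` such as three uppercase letters
        # would move the TRC-0124 check into the schema - confirm whether the
        # server accepts lowercase first.
        currency:
          type: string
          minLength: 3
          maxLength: 3
          description: ISO 4217 currency code (cannot be changed after creation).
        scopes:
          type: array
          minItems: 1
          maxItems: 100
          items:
            $ref: '#/components/schemas/Scope'
          description: At least one scope is required.
        # NOTE(review): the time zone of the active window is not stated, and
        # the schema cannot express that the end follows the start. Both
        # decide when the limit is enforced - confirm.
        activeTimeStart:
          type: string
          pattern: '^([01]\d|2[0-3]):[0-5]\d$'
          example: '09:00'
          description: Start of the daily active time window in HH:mm format.
        activeTimeEnd:
          type: string
          pattern: '^([01]\d|2[0-3]):[0-5]\d$'
          example: '17:00'
          description: End of the daily active time window in HH:mm format.
        # `format: date-time` is an annotation in OpenAPI 3.1 unless the
        # validator enables format assertion. The start-before-end ordering is
        # not expressible here and has to be checked by the server.
        customStartDate:
          type: string
          format: date-time
          description: Start date for CUSTOM limits. Required when limitType is CUSTOM.
        customEndDate:
          type: string
          format: date-time
          description: End date for CUSTOM limits. Required when limitType is CUSTOM.
      allOf:
        # `required` inside `if` stops the condition from matching vacuously
        # when limitType is absent. Without it, a body that omits limitType
        # is also reported as missing the two custom dates.
        - if:
            properties:
              limitType:
                const: CUSTOM
            required:
              - limitType
          then:
            required:
              - customStartDate
              - customEndDate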
    # Response representation of a spending limit. No property is listed as
    # required, so clients should treat every field as possibly absent.
    Limit:
      description: Spending limit.
      type: object
      properties:
        limitId:
          description: Unique identifier for the limit.
          type: string
          format: uuid
        name:
          description: Human-readable limit name.
          type: string
          maxLength: 255
        description:
          description: Limit purpose and usage explanation.
          type: string
          maxLength: 1000
        limitType:
          description: Type of limit (immutable after creation).
          type: string
          enum: [DAILY, WEEKLY, MONTHLY, CUSTOM, PER_TRANSACTION]
        # Decimal carried as a string; same pattern as on the create input.
        maxAmount:
          description: Maximum decimal amount.
          type: string
          pattern: '^(?:[1-9]\d*(?:\.\d{1,2})?|0\.(?:0[1-9]|[1-9]\d))$'
          example: '1000.00'
        currency:
          description: ISO 4217 currency code (immutable after creation).
          type: string
          minLength: 3
          maxLength: 3
        scopes:
          description: Scopes that determine which transactions this limit applies to.
          type: array
          items:
            $ref: '#/components/schemas/Scope'
        # Only the enum values are defined here; the allowed transitions
        # between them are not part of this schema.
        status:
          description: Limit lifecycle status.
          type: string
          enum: [DRAFT, ACTIVE, INACTIVE, DELETED]
        activeTimeStart:
          description: >-
            Start of the daily active time window in HH:mm format.
            Omitted when the limit is active all day.
          type: string
          pattern: '^([01]\d|2[0-3]):[0-5]\d$'
          example: '09:00'
        activeTimeEnd:
          description: >-
            End of the daily active time window in HH:mm format.
            Omitted when the limit is active all day.
          type: string
          pattern: '^([01]\d|2[0-3]):[0-5]\d$'
          example: '17:00'
        customStartDate:
          description: Start date for CUSTOM limits.
          type: string
          format: date-time
        customEndDate:
          description: End date for CUSTOM limits.
          type: string
          format: date-time
        # Nullable: the type list admits the JSON null value.
        resetAt:
          description: When the limit counter resets. Null for PER_TRANSACTION limits.
          type: [string, 'null']
          format: date-time
        createdAt:
          description: When the limit was created.
          type: string
          format: date-time
        updatedAt:
          description: When the limit was last modified.
          type: string
          format: date-time
        # Nullable: the type list admits the JSON null value.
        deletedAt:
          description: When the limit was deleted (null if not deleted).
          type: [string, 'null']
          format: date-time
    # Error envelope used by the 400, 401, 409 and 500 responses of
    # POST /v1/limits.
    ErrorFormat:
      description: The response message error.
      type: object
      required: [code, title, message]
      properties:
        code:
          description: A unique, stable identifier for the error.
          type: string
        title:
          description: A brief summary of the issue.
          type: string
        message:
          description: Detailed guidance for resolving the error.
          type: string
        # Free-form object: any keys and value types are allowed.
        # NOTE(review): whether submitted values are echoed back here is not
        # stated; callers that log error bodies should confirm.
        fields:
          description: Additional information about the fields that caused the error.
          type: object
          additionalProperties: true
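    # Selects the transactions a rule or limit applies to.
    Scope:
      type: object
      description: Scope definition for rules and limits. At least one field must be set.
      # Enforces the "at least one field" rule from the description. Without
      # it an empty scope `{}` passes schema validation, and what an empty
      # scope would match is not defined on this page.
      anyOf:
        - required: [segmentId]
        - required: [portfolioId]
        - required: [accountId]
        - required: [merchantId]
        - required: [transactionType]
        - required: [subType]
      properties:
        # `format: uuid` is an annotation in OpenAPI 3.1 unless the validator
        # enables format assertion; this applies to all four identifier fields.
        segmentId:
          type: string
          format: uuid
          description: Apply to transactions from this segment.
        portfolioId:
          type: string
          format: uuid
          description: Apply to transactions from this portfolio.
        accountId:
          type: string
          format: uuid
          description: Apply to transactions from this specific account.
        merchantId:
          type: string
          format: uuid
          description: Apply to transactions to this specific merchant.
        transactionType:
          type: string
          enum:
            - CARD
            - WIRE
            - PIX
            - CRYPTO
          description: Apply to this transaction type only.
        # Free text with a length cap only; no `pattern` or enum restricts
        # the value.
        subType:
          type: string
          maxLength: 50
          description: Apply to this transaction subType only.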
  # Reusable error bodies, each shaped like ErrorFormat (code, title, message).
  # ErrorFormat describes `code` as the unique, stable identifier of the error.
  examples:
    Error0001:
      summary: Generic Validation Error
      value:
        code: TRC-0001
        title: Validation Error
        message: >-
          Field validation failed. Please verify the provided data and try
          again.
    Error0003:
      summary: Invalid Request Body
      value:
        code: TRC-0003
        title: Invalid Request Body
        message: >-
          The request body is invalid or malformed. Please verify the JSON
          format and try again.
    Error0122:
      summary: Invalid Limit Type
      value:
        code: TRC-0122
        title: Invalid Limit Type
        message: >-
          The limitType must be one of DAILY, WEEKLY, MONTHLY, CUSTOM, or
          PER_TRANSACTION. Please provide a valid limit type.
    Error0123:
      summary: Amount Must Be Positive
      value:
        code: TRC-0123
        title: Invalid Amount
        message: >-
          The maxAmount must be a positive decimal string. Please provide a
          valid decimal amount.
    Error0124:
      summary: Invalid Currency Code
      value:
        code: TRC-0124
        title: Invalid Currency Code
        message: >-
          The currency must be a valid 3-letter ISO 4217 code (e.g., BRL, USD).
          Please provide a valid currency code.
    Error0125:
      summary: Scopes Required
      value:
        code: TRC-0125
        title: Missing Required Field
        message: >-
          At least one scope is required for limits. Please provide at least one
          scope and try again.
    Error0126:
      summary: Limit Name Required
      value:
        code: TRC-0126
        title: Missing Required Field
        message: >-
          The name field is required. Please provide a name for the limit and
          try again.
    # The message does not state the limit; CreateLimitInput.name declares
    # maxLength 255.
    Error0127:
      summary: Limit Name Exceeds Maximum Length
      value:
        code: TRC-0127
        title: Name Too Long
        message: >-
          The limit name exceeds the maximum allowed length. Please reduce the
          name size.
    # TRC-0129 and TRC-0130 refer to "allowed characters", but the allowed set
    # is defined neither in the messages nor in the schemas on this page.
    Error0129:
      summary: Name Contains Invalid Characters
      value:
        code: TRC-0129
        title: Invalid Name
        message: >-
          The name contains invalid characters. Please use only allowed
          characters.
    Error0130:
      summary: Description Contains Invalid Characters
      value:
        code: TRC-0130
        title: Invalid Description
        message: >-
          The description contains invalid characters. Please use only allowed
          characters.
    # The message names only the X-API-Key header.
    # NOTE(review): confirm what a request with a missing or rejected JWT
    # bearer token returns, since BearerAuth is the other accepted scheme.
    ErrorUnauthenticated:
      summary: Unauthorized
      value:
        code: Unauthenticated
        title: Unauthorized
        message: >-
          API Key missing or invalid. Provide a valid API Key in the X-API-Key
          header.
    # Referenced by the 409 response of POST /v1/limits.
    Error0121:
      summary: Invalid Limit Status Transition
      value:
        code: TRC-0121
        title: Invalid Status Transition
        message: >-
          The requested status transition is not allowed. Please check the
          current limit status and valid transitions.
    Error0004:
      summary: Internal Server Error
      value:
        code: TRC-0004
        title: Internal Server Error
        message: >-
          An unexpected error occurred. Please try again later or contact
          support if the issue persists.
  # The two schemes are alternatives under the global `security` requirement;
  # per the descriptions below, the deployment mode decides which one is used.
  securitySchemes:
    # NOTE(review): how API keys are issued, rotated and scoped is not
    # described on this page.
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: >-
        API Key authentication. Used by single-tenant deployments
        (`MULTI_TENANT_ENABLED=false`). Sent on every `/v1/*` request.
    # `bearerFormat` is a documentation hint only; it does not make tooling
    # validate the token. Per the description, the tenant is taken from the
    # token's `tenantId` claim, so a header or body field cannot select it.
    # NOTE(review): the description names only the `tenantId` claim; which
    # other checks (signature, issuer, audience, expiry) are enforced is not
    # stated here.
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        JWT bearer authentication. Used by multi-tenant deployments
        (`MULTI_TENANT_ENABLED=true`). The JWT is issued by Access Manager and
        must carry the `tenantId` claim — Tracer resolves the tenant from the
        token, not from any header or body field.

````