Skip to main content
This guide walks you through setting up Tracer and running your first validation. In just a few steps, you’ll have a working environment ready to validate transactions in real time. For step-by-step API instructions with request and response examples, see the Tracer API quick start.

Why use Tracer

  • Real-time validation: Make ALLOW/DENY/REVIEW decisions in under 80ms (p99)
  • Flexible rules: Expression-based rule engine for custom business logic
  • Spending control: Configure limits by account, portfolio, segment, and period
  • Complete audit trail: Immutable validation records for SOX/GLBA compliance
  • Product-agnostic: Supports any transaction type (Card, Wire, PIX, Crypto) |
By the end of this guide, you will:
  • Understand Tracer architecture and core concepts
  • Have a working development environment
  • Run your first transaction validation
  • Configure a spending limit

What is Tracer

Tracer is a transaction validation platform that evaluates rules and limits and returns instant decisions. Your system calls Tracer before executing transactions and acts on the decision (ALLOW, DENY, or REVIEW) according to your business logic.

How it works

In this flow:
  • Rules evaluate expressions against the transaction context
  • Limits check spending thresholds for applicable scopes
  • Decision returns ALLOW, DENY, or REVIEW based on evaluation results

Core contexts

Tracer is built around three bounded contexts:
  1. Validation Context - Orchestrates requests, coordinates evaluation, records audit trail
  2. Rules Context - Manages rule definitions and expression evaluation
  3. Limits Context - Manages spending limits and usage tracking

Prerequisites

Before you start, make sure you have:
  • Docker and Docker Compose installed
  • Go 1.25.5+ (for local development)
  • PostgreSQL 16+ (included in Docker Compose)
  • API Key for authentication

Infrastructure dependencies

Tracer requires the following components:
ComponentVersionPurpose
PostgreSQL16+Data persistence and audit trail

Ports

Default ports used by Tracer services:
ServicePortDescription
Tracer API8080Main REST API
PostgreSQL5432Database

Step 1: Set up the environment

You can run Tracer with Docker Compose or locally for development.
This is the fastest way to start. PostgreSQL starts automatically with the service.
Clone the repository and start the services: 
# Clone the repository
git clone https://github.com/lerianstudio/tracer.git
cd tracer

# Setup environment
cp .env.example .env

# Start all services
make up
Verify service health: 
# Check Tracer health
curl http://localhost:8080/health

# Check readiness (database connection)
curl http://localhost:8080/ready

Option B: Local run

For development, you can run Tracer locally: 
# Set environment variables
export DB_HOST="localhost"
export DB_NAME="tracer"
export API_KEY="your-secure-api-key"
export API_KEY_ENABLED="true"
export SERVER_PORT="8080"
export LOG_LEVEL="INFO"

# Start the service
go run cmd/app/main.go

Essential environment variables

VariableDescriptionExample
DB_HOSTPostgreSQL hostlocalhost
DB_NAMEPostgreSQL database nametracer
API_KEYAPI Key for authenticationyour-secure-api-key
API_KEY_ENABLEDEnable API Key authenticationtrue, false
SERVER_PORTAPI port8080
LOG_LEVELLog levelINFO, DEBUG, ERROR

Step 2: Authenticate to the API

Tracer uses API Key authentication for all requests.

API Key authentication

Include the API Key in the X-API-Key header: 
GET /v1/rules
X-API-Key: your-secure-api-key

cURL example

# Check API health (no authentication required)
curl http://localhost:8080/health

# List rules (authenticated)
curl -H "X-API-Key: your-secure-api-key" \
  http://localhost:8080/v1/rules
API Keys should be kept secure. Never expose your API Key in client-side code or public repositories.

Step 3: Configure a spending limit

Spending limits control transaction amounts by scope and period. Create a limit using POST /v1/limits.

Limit types

TypeDescriptionReset behavior
DAILYMaximum amount per dayResets at midnight UTC
MONTHLYMaximum amount per monthResets on 1st of month
PER_TRANSACTIONMaximum per single transactionNo tracking needed

Scopes

Apply limits to specific contexts:
  • Segment: Apply to all accounts in a segment (e.g., corporate customers)
  • Portfolio: Apply to accounts in a portfolio
  • Account: Apply to a specific account
  • Transaction type: Apply only to CARD, WIRE, PIX, or CRYPTO

Limit lifecycle

Limits follow the same lifecycle as rules: DRAFTACTIVEINACTIVE. Activate a limit to start enforcement.

Monitor usage

Query GET /v1/limits/{limitId}/usage to check current consumption. The nearLimit flag activates at 80% utilization for proactive management. For detailed configuration options, see the Spending limits guide.

Step 4: Validate your first transaction

With limits configured, you’re ready to validate a transaction using POST /v1/validations.

Submit a transaction for validation

Send a validation request with the transaction context including:
  • Transaction details (type, amount, currency, timestamp)
  • Account information
  • Optional: segment, portfolio, merchant, and custom metadata
Tracer evaluates all active rules and limits, then returns one of three decisions:
DecisionMeaningYour system should
ALLOWTransaction approvedProceed with the transaction
DENYTransaction denied (rule matched or limit exceeded)Block the transaction
REVIEWRequires manual reviewQueue for human review
The response includes details about which rules were evaluated, which matched, and the current limit usage—useful for debugging and customer support. For complete payload structure and field details, see the API reference.

Step 5: Create a validation rule

Rules let you define custom business logic that evaluates during validation. Create a rule using the POST /v1/rules endpoint with an expression, action, and optional scopes. For example, to block high-value transactions, you can create a rule with:
  • Expression: amount > 1000000 (amounts above R$ 10,000)
  • Action: DENY
  • Scope: Apply only to CARD transactions

Rule lifecycle

Rules are created in DRAFT status. To start evaluation, activate the rule using POST /v1/rules/{ruleId}/activate. Active rules can be deactivated and reactivated as needed. For detailed information about rule expressions and lifecycle management, see the Rules engine guide.

Observability

Tracer exposes endpoints for monitoring and observability.

Health endpoints

EndpointDescription
GET /healthLiveness check (app running)
GET /readyReadiness check (database available)

Key metrics

Tracer exposes Prometheus-compatible metrics:
  • tracer_validations_total{decision} - Total validations by decision
  • tracer_validation_duration_seconds - Validation latency histogram
  • tracer_rule_evaluations_total - Total rule evaluations
  • tracer_limit_checks_total{result} - Limit checks by result
  • tracer_auth_failures_total{reason} - Authentication failures by reason
  • tracer_active_rules - Number of active rules

Verification

Confirm that everything is working correctly.

Checklist

  • Docker services started and healthy
  • API Key authentication working
  • Spending limit configured
  • Test transaction validated successfully
  • Rule created and activated

Connectivity test

# Check API health (liveness)
curl http://localhost:8080/health

# Check readiness (database connection)
curl http://localhost:8080/ready

Next steps

You’ve successfully set up Tracer and validated your first transaction. From here, you can explore more advanced features:

Quick reference

Key endpoints and concepts for quick lookup.

Main endpoints

OperationMethodEndpoint
Health checkGET/health
Readiness checkGET/ready
Validate transactionPOST/v1/validations
Get validationGET/v1/validations/{validationId}
List validationsGET/v1/validations
Create limitPOST/v1/limits
Get limitGET/v1/limits/{limitId}
Update limitPATCH/v1/limits/{limitId}
Get limit usageGET/v1/limits/{limitId}/usage
Create rulePOST/v1/rules
Get ruleGET/v1/rules/{ruleId}
Update rulePATCH/v1/rules/{ruleId}
Activate rulePOST/v1/rules/{ruleId}/activate
Deactivate rulePOST/v1/rules/{ruleId}/deactivate
Delete ruleDELETE/v1/rules/{ruleId}

Transaction types

TypeDescriptionsubType examples
CARDCard-based transactionsdebit, credit, prepaid
WIREWire transfersdomestic, international, ach
PIXBrazilian instant paymentinstant, scheduled
CRYPTOCryptocurrencybitcoin, ethereum, stablecoin

Decision types

DecisionDescriptionYour system should
ALLOWTracer recommends approvalProceed with the transaction
DENYTracer recommends denialBlock the transaction and inform the user
REVIEWTracer recommends reviewQueue for manual review in your system
Tracer returns decisions as recommendations. Your system is responsible for implementing the appropriate action based on each decision.