Tracking
The tracking endpoints manage write keys for Vendo web tracking and generate the installation snippet your site embeds. Write keys are browser-safe credentials scoped to event collection — they are separate from vendo_sk_* API keys.
Write Key Format
vendo_wk_<random-string>The full write key is only returned when a key is created or rotated. List and get responses include only the keyPrefix (first 12 characters) for identification.
List Write Keys
GET /api/v1/tracking/keysReturns all tracking write keys for the authenticated account, without the full key value.
Example Response
{
"data": [
{
"id": "key_123",
"accountId": "acct_123",
"name": "Production storefront",
"keyPrefix": "vendo_wk_ab1",
"environment": "production",
"allowedOrigins": ["https://store.example.com"],
"destinations": [],
"rateLimits": {
"eventsPerSecond": 100,
"eventsPerDay": 1000000
},
"isActive": true,
"shopDomain": null,
"createdAt": "2026-04-01T00:00:00Z",
"createdBy": "key_abc",
"revokedAt": null
}
]
}Create Write Key
POST /api/v1/tracking/keysRequest Body
| Field | Type | Required | Description |
|---|---|---|---|
name | string | No | Display name for the key |
environment | string | No | production, staging, or development |
allowedOrigins | string[] | No | Origins allowed to send events (max 20) |
destinations | object[] | No | Destination app bindings: { app_id, enabled?, config? } (max 10) |
rateLimitEps | integer | No | Events-per-second limit (1–10,000) |
rateLimitEpd | integer | No | Events-per-day limit |
shopDomain | string | No | Associated shop domain |
Example Response
Returns 201 Created. This is the only response that includes the full writeKey — store it securely:
{
"data": {
"id": "key_123",
"writeKey": "vendo_wk_ab1cd2...",
"keyPrefix": "vendo_wk_ab1",
"name": "Production storefront",
"environment": "production",
"isActive": true
}
}Get Write Key
GET /api/v1/tracking/keys/{id}Returns a single key in the same shape as the list endpoint (no full key value).
Update Write Key
PATCH /api/v1/tracking/keys/{id}Accepts the same fields as create, plus isActive (boolean) to enable or disable the key without revoking it.
Revoke Write Key
DELETE /api/v1/tracking/keys/{id}Revokes (soft-deletes) the key. Events sent with a revoked key are rejected.
Rotate Write Key
POST /api/v1/tracking/keys/{id}/rotateCreates a new key with the same settings and revokes the old one. Returns 201 Created with the new full writeKey — this is the only time it is shown.
Get Installation Snippet
GET /api/v1/tracking/snippetGenerates the HTML snippet to embed on your site. The write key must belong to the authenticated account.
Query Parameters
| Parameter | Type | Description |
|---|---|---|
writeKey | string | Required. The tracking write key to embed |
host | string | Tracking API host to send events to (HTTPS only) |
async | boolean | Load the SDK asynchronously (default: true) |
trackPageViews | boolean | Auto-track page views (default: true) |
Example Response
{
"data": {
"snippet": "<!-- Vendo Web Tracking -->\n<script async>...</script>",
"writeKey": "vendo_wk_ab1cd2...",
"options": {
"async": true,
"trackPageViews": true
}
}
}The snippet loads the SDK from https://cdn.vendodata.com/sdk/v1/vendo.js and initializes the global queue:
vendo('init', '<writeKey>', {
trackPageViews: true,
});Events are posted to the configured tracking host’s /collect endpoint.
Get Tracking Config (Public)
GET /api/v1/tracking/configConfig resolution endpoint used by the tracking SDK itself. Unlike the other endpoints, it authenticates with the write key, not an API key:
X-Write-Key: vendo_wk_...Returns browser-safe tenant configuration: allowed origins for CORS, rate limits, and destinations without credentials. Responses are cacheable for 5 minutes and support ETag / If-None-Match conditional requests.
Related
- Web Tracking — feature overview and SDK usage
- Authentication — API keys for the management endpoints