Public Tracking API¶

Endpoint¶

GET /api/v1/track/{tracking_id}

No authentication required.

Request¶

GET /api/v1/track/TRK-A1B2C3D4

Response¶

{
  "tracking_id": "TRK-A1B2C3D4",
  "status": "IN_FLIGHT",
  "origin": "Madrid",
  "destination": "Lima",
  ...
}

Security Measures¶

Protection	Value
Rate Limit	60 requests/minute per IP
ID Format	`TRK-[A-Z0-9]{8}` (regex validated)
Max Length	20 characters
Blocked Chars	`< > " ' & ; -- /* */`

Error Responses¶

400 Bad Request (Invalid Format)¶

{
  "detail": "Invalid tracking ID format (e.g., TRK-A1B2C3D4)"
}

404 Not Found¶

{
  "detail": "Shipment not found"
}

429 Too Many Requests¶

{
  "detail": "Rate limit exceeded: 60 per 1 minute"
}

Test Tracking IDs¶

ID	Route
`TRK-A1B2C3D4`	Madrid → Lima
`TRK-E5F6G7H8`	Madrid → Bogotá
`TRK-I9J0K1L2`	Barcelona → Ciudad de México
`TRK-M3N4O5P6`	Madrid → Buenos Aires

Implementation¶

See modules/shipments/infrastructure/services/tracking_service.py for the service implementation.

Rate limiting and input validation are handled by: - core/security/rate_limiter.py - core/security/input_validator.py - core/security/ip_blocklist.py