Willkommen bei der Travelandz API

Basis und Authentifizierung

Richten Sie Basis-URLs, Pflicht-Header und API-Key-Authentifizierung für Travelandz-Integrationen ein.

Required headers

Header	Value
`Authorization`	`Bearer <secret_key>`
`X-Travelandz-Id`	`<public_key>:<profile_code>`
`Content-Type`	`application/json` for requests with JSON body

The API token strategy reads Authorization and X-Travelandz-Id.
The bearer token must match the encrypted secret stored for the selected credential.
X-Travelandz-Id must include the public key and a valid Developer Profile code (profileCode, formatted as dp_<12 alphanumeric>). The legacy Mongo ObjectId format is no longer accepted.
Sandbox uses testCredentials; production uses liveCredentials.
The profile and company must be active.
Production requires isProductionAllowed=true.
If domainsAllowed is configured, the request IP, Origin hostname or Referer hostname must match.
The used credential receives lastUsed and the request context stores profileId, profileCode, profileKey, credentialId and companyId.

Field	Description
`profileCode`	Developer Profile code sent in `X-Travelandz-Id`, for example `dp_a1b2c3d4e5f6`. Find it in your dashboard.
`credentialId`	Embedded credential `_id`, used for request log auditability.
`publicKey`	Public identifier sent in `X-Travelandz-Id`, for example `pk_sandbox_abc123`.
`secretKey`	Secret bearer token. Never store it client-side and never log it.
`secretKeyLast4`	Last four visible characters for user identification.
`domainsAllowed`	Optional IP or hostname allow-list.
`lastUsed`	Last successful usage timestamp.