Welcome to Travelandz API
Base and authentication
How public and secret credentials authenticate Travelandz API requests.
How public and secret credentials authenticate Travelandz API requests.
Required headers
| Header | Value |
|---|---|
Authorization | Bearer <secret_key> |
X-Travelandz-Id | <public_key>:<profile_code> |
Content-Type | application/json for requests with JSON body |
Authentication flow
- The API token strategy reads
AuthorizationandX-Travelandz-Id. - The bearer token must match the encrypted secret stored for the selected credential.
X-Travelandz-Idmust include the public key and a valid Developer Profile code (profileCode, formatted asdp_<12 alphanumeric>). The legacy Mongo ObjectId format is no longer accepted.- Sandbox uses
testCredentials; production usesliveCredentials. - The profile and company must be active.
- Production requires
isProductionAllowed=true. - If
domainsAllowedis configured, the request IP, Origin hostname or Referer hostname must match. - The used credential receives
lastUsedand the request context storesprofileId,profileCode,profileKey,credentialIdandcompanyId.
Credential fields
| Field | Description |
|---|---|
profileCode | Developer Profile code sent in X-Travelandz-Id, for example dp_a1b2c3d4e5f6. Find it in your dashboard. |
credentialId | Embedded credential _id, used for request log auditability. |
publicKey | Public identifier sent in X-Travelandz-Id, for example pk_sandbox_abc123. |
secretKey | Secret bearer token. Never store it client-side and never log it. |
secretKeyLast4 | Last four visible characters for user identification. |
domainsAllowed | Optional IP or hostname allow-list. |
lastUsed | Last successful usage timestamp. |