
Server-side authentication only

Travelbase API keys are designed for secure server-to-server communication. Never expose your API keys in client-side code such as browsers, mobile apps, or public repositories.

Manage keys in the dashboard

API keys are created and managed in the Travelbase dashboard. Use the dashboard to:
  • Create new API keys
  • Rotate compromised keys
  • Revoke unused keys
  • View usage and activity

Using your API key

Authenticate requests

Include your API key in the x-api-key header for every request.

Example request

curl https://sandbox.travelbase.ai/v1/tenant \
  -H "x-api-key: tb_sandbox_xxxxxxxxxxxxxxxxx"

Travelbase uses API keys to:
  • Identify your tenant
  • Authorize access to resources
  • Track usage and activity

API key environments

Sandbox keys

Used for testing and development. Sandbox keys cannot access live data and are safe for non-production use.

Live keys

Used for production systems. Live keys have access to real tenant data and must be handled securely.

Security best practices

Store keys securely

Store API keys in secure environments such as:
  • Environment variables
  • Secret managers
  • Secure backend configuration
Never store keys in source code.

Never expose client-side

Do not include API keys in:
  • Frontend JavaScript
  • Mobile apps
  • Public repositories
API keys must only be used from your server.

Rotate keys regularly

Rotate API keys periodically to reduce the risk of exposure. Rotate a key immediately if it has been exposed or compromised.

Use separate keys per environment

Use different keys for:
  • Development
  • Staging
  • Production
This prevents accidental access to live systems.

Secure architecture

Your server should act as a secure intermediary between your application and the Travelbase API.

Authentication

All requests to the Travelbase Tenant API must be authenticated using an API key. API keys uniquely identify your tenant, authorize access to resources, and enable secure, auditable communication between your systems and the Travelbase platform.

Key Format

Travelbase API keys use specific prefixes to help you distinguish between environments at a glance. This prevents accidentally using production keys during development.

| Prefix | Environment | Description |
| --- | --- | --- |
| tb_sandbox_ | Sandbox | Used for development and testing without affecting real data. |
| tb_live_ | Live | Used for production environments and real transactions. |

Example: tb_live_2YotnFZFEjr1zCsicMWpAA
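
The storage rules under "Store keys securely" and the prefixes in the table above, combined in an added example (not Travelbase's own code): a server-side loader that reads the key from the process environment, refuses a key whose prefix does not match the configured environment, and keeps the key out of logs. The variable names TRAVELBASE_API_KEY and TRAVELBASE_ENV, the helper names, and the sample key are assumptions made for this example.

```python
import os
import urllib.request

# Prefixes taken from the Key Format table on this page.
PREFIX_FOR_ENV = {"sandbox": "tb_sandbox_", "live": "tb_live_"}
# Hypothetical variable names chosen for this example.
KEY_VAR, ENV_VAR = "TRAVELBASE_API_KEY", "TRAVELBASE_ENV"


class KeyConfigError(RuntimeError):
    """Raised when the configured key is missing or does not fit the environment."""


def load_api_key(environ=os.environ):
    """Return (env, key) from the environment; raise if they disagree."""
    env = environ.get(ENV_VAR, "sandbox")  # default to the harmless environment
    if env not in PREFIX_FOR_ENV:
        raise KeyConfigError(f"unknown {ENV_VAR} value: {env!r}")
    key = environ.get(KEY_VAR, "").strip()
    prefix = PREFIX_FOR_ENV[env]
    if not key:
        raise KeyConfigError(f"{KEY_VAR} is not set")
    if not key.startswith(prefix) or key == prefix:
        # The message names the expected prefix but never echoes the key.
        raise KeyConfigError(f"{KEY_VAR} is not a {prefix} key, required for {env}")
    return env, key


def redact(key):
    """Reduce a key to its environment prefix so it can appear in logs."""
    for prefix in PREFIX_FOR_ENV.values():
        if key.startswith(prefix):
            return prefix + "***"
    return "***"


def build_request(base_url, path, key):
    """Build, without sending, a server-side request with the key in x-api-key."""
    if not base_url.startswith("https://"):
        raise KeyConfigError("refusing to attach an API key to a non-HTTPS URL")
    url = base_url.rstrip("/") + path
    return urllib.request.Request(url, headers={"x-api-key": key})


if __name__ == "__main__":
    # Constructed sample key; a real deployment sets these outside the code.
    sample = {ENV_VAR: "sandbox", KEY_VAR: "tb_sandbox_CONSTRUCTEDEXAMPLE"}
    env, key = load_api_key(sample)
    req = build_request("https://sandbox.travelbase.ai", "/v1/tenant", key)
    print(env, redact(key), req.full_url)
```

Calling load_api_key() once at process start makes a misconfigured deployment fail before any request is sent.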

Security & Compromised Keys

If you suspect your API key has been exposed or compromised, you must act quickly to prevent unauthorized access to your tenant data.

Emergency Rotation Workflow

Follow this sequence to secure your account without causing prolonged downtime:

Immediate Actions

If your security is breached:
  1. Rotate the API key from the dashboard immediately.
  2. Update your backend environment variables with the new key.
  3. Review recent API activity logs for suspicious behavior.
  4. Remove any hardcoded keys from your code or public repositories.
