
API Authentication

API Authentication verifies the identity of clients accessing the Tourism Accelerator API. This ensures only authorised entities can interact with your data, preventing unauthorised changes to experience details, such as pricing or availability.

Written by Hayden Zammit Meaney
Updated over 2 months ago

Authenticating every client in this way protects your business from unauthorised bookings and modifications.

Accessing this feature

REQUIRES_DEVELOPER_INPUT: The correct navigation path to access API authentication methods needs to be provided.

How to use it

Tourism Accelerator supports industry-standard authentication methods to secure your API interactions. The appropriate method depends on your application's architecture and security requirements.

API Keys

API keys provide a simple and effective method for authenticating server-to-server or trusted client applications.

  1. Generate an API Key:

  • Log in to the Tourism Accelerator Launchpad.

  • REQUIRES_DEVELOPER_INPUT: Provide the correct navigation path to API Credentials.

  • Select Generate New API Key.

  • Provide a descriptive name for the key (e.g., "My Booking Engine Integration").

  • The system will generate a unique alphanumeric key. Store this key securely, as it will only be displayed once.

  2. Implement the API Key:

  • Include your API key in every request to our API. The preferred method is to pass it in the `X-API-Key` HTTP header:

GET /api/v1/resources

X-API-Key: YOUR_API_KEY_HERE

  • Alternatively, for specific endpoints where header inclusion is not feasible, the API key can be passed as a query parameter (though less secure):

GET /api/v1/resources?api_key=YOUR_API_KEY_HERE

  3. Revoke an API Key:

  • From the API Credentials section, locate the key you wish to revoke.

  • Select Revoke to immediately invalidate the key, preventing any further access.
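An added Python helper, not code from Tourism Accelerator, that follows the steps above: it reads the key from an environment variable rather than source code, sends it in the `X-API-Key` header by default, only falls back to the query-parameter form when explicitly allowed, and masks the key before it is logged. The base URL and the environment variable name are placeholders.

```python
import os
import urllib.parse

API_BASE = "https://api.example.invalid"  # placeholder; substitute the Tourism Accelerator API host


def load_api_key(env_var="TOURISM_ACCELERATOR_API_KEY"):
    """Read the key from the environment so it never sits in source code or version control."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a credential")
    return key


def build_request(path, api_key, allow_query_param=False):
    """Describe a GET request that carries the key in the X-API-Key header.

    The query-parameter form is only produced when explicitly allowed: a key in the URL
    is copied into server logs, proxy logs and browser history, whereas the header is not.
    """
    url = API_BASE + path
    headers = {}
    if allow_query_param:
        sep = "&" if "?" in url else "?"
        url += sep + urllib.parse.urlencode({"api_key": api_key})
    else:
        headers["X-API-Key"] = api_key
    return {"method": "GET", "url": url, "headers": headers}


def redact(key):
    """Mask a key before it reaches a log line: only the last four characters survive."""
    return "*" * max(len(key) - 4, 0) + key[-4:]
```

Pass the returned dict to whichever HTTP client you use; nothing here performs network I/O.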

OAuth 2.0 (Authorisation Code Grant Flow)

OAuth 2.0 is an authorisation framework that enables third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner (e.g., a user) or by the application itself. Tourism Accelerator primarily uses the Authorisation Code Grant flow for web applications requiring user consent.

  1. Register Your Application:

  • Log in to the Tourism Accelerator Launchpad.

  • REQUIRES_DEVELOPER_INPUT: Provide the correct navigation path to API Credentials.

  • Select Register New OAuth Client.

  • Provide your application's name, description, and the authorised redirect URI(s) where the authorisation code will be sent after user consent.

  • Upon registration, you will receive a Client ID and a Client Secret. Store the Client Secret securely.

  2. Initiate Authorisation:

  • Direct the user's browser to the Tourism Accelerator authorisation endpoint:

  • The user will be prompted to grant your application access.

  3. Exchange Authorisation Code for Access Token:

  • If the user grants access, Tourism Accelerator redirects the user's browser back to your `redirect_uri` with an authorisation code and the `state` parameter. Your application must then make a server-side POST request to the token endpoint to exchange the code for an access token and optionally a refresh token:

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORISATION_CODE_RECEIVED&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET

  • The response will contain the `access_token`, `token_type` (e.g., Bearer), `expires_in`, and potentially a `refresh_token`.

  4. Access Protected Resources:

  • Include the `access_token` in the `Authorization` header of your API requests (note the standard HTTP header name uses the American spelling):

GET /api/v1/protected_resources

Authorization: Bearer YOUR_ACCESS_TOKEN

  5. Refresh Access Token:

  • When an `access_token` expires, use the `refresh_token` (if obtained) to request a new `access_token` without user re-authentication:

Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
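The authorisation code flow from steps 2 to 5 as an added Python example, not Tourism Accelerator's own code: the endpoint URLs, client credentials and redirect URI are placeholders, and the `session` dict stands in for your web framework's per-user session. It generates a random `state`, binds it to the session, and rejects any callback whose `state` does not match before building the code-exchange request.

```python
import hmac
import secrets
import urllib.parse

# Placeholder endpoints and client settings; the real values come from your Launchpad registration.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
TOKEN_URL = "https://auth.example.invalid/oauth/token"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"  # load from a secret store in practice, never from source code
REDIRECT_URI = "https://app.example.invalid/oauth/callback"


def start_authorisation(session):
    """Step 2: build the redirect to the authorisation endpoint and remember `state`."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # bound to this user's session, checked on return
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def handle_callback(session, callback_url):
    """Step 3: verify `state` against the session, then build the code-exchange POST."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    received = query.get("state", [None])[0]
    if not expected or received is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorisation code")
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": REDIRECT_URI,
                                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def bearer_header(token_response):
    """Step 4: turn the token endpoint's JSON into the Authorization header."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}


def refresh_body(refresh_token):
    """Step 5: body for renewing an expired access token without re-prompting the user."""
    return urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
```

The token POST and the refresh POST are server-side calls; send the returned body with the returned headers from your backend, never from the browser.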

## Tips

  • Secure Credential Storage: Never hardcode API keys or client secrets directly into your application's source code. Use environment variables, secret management services, or secure configuration files.

  • HTTPS Enforcement: Always ensure all API communication occurs over HTTPS to encrypt data in transit and prevent man-in-the-middle attacks.

  • Regular Key Rotation: Periodically generate new API keys and revoke old ones to minimise the risk associated with compromised keys.

  • Least Privilege Principle: Grant your applications only the minimum necessary permissions required to perform their intended functions. Avoid using overly broad scopes or permissions.

  • Error Handling: Implement effective error handling for authentication failures. Do not expose sensitive error details to end-users; log them securely for internal review.

  • Validate Redirect URIs (OAuth 2.0): Ensure your registered redirect URIs are precise and secure to prevent authorisation code interception attacks.

  • State Parameter (OAuth 2.0): Always use the `state` parameter in OAuth 2.0 authorisation requests to protect against Cross-Site Request Forgery (CSRF).

  • Secure Access Control: Authenticate and authorise every API request, ensuring only legitimate clients interact with Tourism Accelerator services.

  • Granular Permissions: Define specific scopes and permissions for OAuth 2.0 clients, limiting access to only necessary resources.

  • Auditability: Track API usage and access attempts, providing a clear audit trail for security monitoring and compliance.

  • Protection Against Unauthorised Use: Prevent malicious actors from accessing, changing, or exporting data.

  • Flexible Integration: Support various application types, from server-side integrations using API keys to complex web and mobile applications leveraging OAuth 2.0.

Need help?

For further assistance, contact us at [email protected]
