API Security

The importance of API security

API keys are used to authenticate and authorize access to our APIs. They help us protect our data and maintain the trust we have built with our customers over decades of service. Keeping API keys secure prevents unauthorized access and fraudulent usage or charges on our users' accounts.

To ensure API key security, we require our users to restrict access to their API key to only certain domain or IP addresses. As a new subscriber, you are required to set up at least one restriction type before gaining access to your API key. If you don’t know the definitive restrictions you want to apply just yet, you can always go back to the homepage and redefine them.

If you subscribed to the Tripadvisor Content Solutions API before these security changes were released, you will be required to restrict your key from your homepage for an extra layer of protection.

Restricting your API key

Before we provide access to your key, we require that you restrict the access to it using specified IP addresses or domain names. This means that API calls/requests made with your key will only be allowed from these specific sites/apps. You will have to choose at least one restriction type before we provide access to the API key.

If you chose to restrict your API key by domain name, all API requests must include the HTTP Referer header with a URL containing a restricted domain name (e.g. Referer: http://example.com for the domain name example.com).

If you don’t know the definitive restrictions you want to apply just yet, you can always go back to the Credentials page and redefine them.

Set a restriction for an API key

Restrict by domain name

  1. Choose Domain names as the API key restriction setting during sign up or from your homepage.
  2. Specify one or more domain names separated by commas in FQDN format (hostname.domain.tld), e.g. example.com, news.bbc.co.uk, www.facebook.com.
  3. Send the HTTP Referer header with a URL on one of the allowed domains with every request; otherwise the call will not be authorized, e.g. Referer: http://example.com or Referer: https://www.facebook.com/
Note: Wildcards are not supported and protocol specifications (http://, https://) are not allowed in the configured domain names. Keep in mind that the Referer header is supplied by the client: browsers set it automatically from the page URL and page scripts cannot override it, but any other HTTP client can send whatever Referer it likes. A domain restriction therefore limits which websites can use the key from a browser; it does not by itself protect a key that has been leaked.

Restrict by IP address

  1. Choose IP addresses as the API key restriction setting during sign up or from your homepage.
  2. Specify one or more IPv4 addresses using CIDR notation, each separated by a comma, e.g. 198.51.100.14/24. Note that in CIDR notation a /24 covers all 256 addresses of that network; a single host is written with a /32 (198.51.100.14/32), so choose the prefix length that admits only the machines that need the key.
    • You must provide your public IP address and not the local IP address. An API call made with a local IP address restriction will not be authorized. You can find your public IP address by visiting https://www.whatismyip.com or an equivalent service.
    • We currently only allow IPv4 restrictions. If you have an IPv6 address, please change your network settings or disable the API key restriction by setting the range to 0.0.0.0/0. Note that this means your API key stays unrestricted and anyone can call the API if your API key gets compromised. We strongly advise you to set up an IPv4 or domain restriction.

Common use cases and recommendations

While the restrictions setup greatly depends on your preferences, we often see the following use cases:

Use case: I want to call the Tripadvisor API from my local machine.
Recommendation: Set a domain or IP restriction as specified above. For an IP restriction, use the public address your machine presents to the internet, not its LAN address.

Use case: I am using third-party software for my application development which will make calls to the Tripadvisor API.
Recommendation: In some cases these services don't publish the IPs of the machines issuing requests; use the domain restriction as specified above.

Use case: I want to call the Tripadvisor API from my application, which runs as an AWS workload behind a load balancer.
Recommendation: The load balancer fronts inbound traffic; what the API sees is the public source address of the outbound calls made by the target machines. If those machines have consecutive public IP addresses, there should be a valid IPv4 CIDR range that fits them all (check how many addresses beyond your own the range admits). Otherwise, use the domain restriction as specified above.
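The following is an added example, not part of the Tripadvisor documentation or its tooling, for planning the IP restriction described above and in the load balancer use case. It validates a candidate entry against the rules the text gives (IPv4 only, a public rather than local address, CIDR notation, and the warning about 0.0.0.0/0), flags an entry such as 198.51.100.14/24 whose host bits are set because it actually allows the whole /24, and for a group of hosts computes both the exact list of CIDR entries and the single covering block together with how many foreign addresses that block would admit. The set of "local" ranges is this example's own assumption about what the text means by a local address; the sample host addresses are constructed from the RFC 5737 documentation range.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Added example; not part of the Tripadvisor documentation or its tooling.
# Helpers for planning an IPv4 key restriction: validate a candidate entry
# against the rules described in the text and work out which CIDR entries
# cover a group of hosts (e.g. instances behind a load balancer) without
# admitting more addresses than necessary.

# Assumption: ranges that count as "local" in the sense of the text. A machine
# behind a router or inside a VPC sees one of these; the API sees its public
# address instead.
LOCAL_RANGES = [
    ipaddress.IPv4Network("10.0.0.0/8"),        # RFC 1918
    ipaddress.IPv4Network("172.16.0.0/12"),     # RFC 1918
    ipaddress.IPv4Network("192.168.0.0/16"),    # RFC 1918
    ipaddress.IPv4Network("100.64.0.0/10"),     # carrier-grade NAT
    ipaddress.IPv4Network("127.0.0.0/8"),       # loopback
    ipaddress.IPv4Network("169.254.0.0/16"),    # link-local
]


def check_restriction_entry(entry: str) -> List[str]:
    """Return the problems with one restriction entry (empty list if it is fine)."""
    entry = entry.strip()
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return [f"not valid CIDR notation: {exc}"]
    if net.version != 4:
        return ["IPv6 entries are not accepted; only IPv4 restrictions are supported"]
    if net.prefixlen == 0:
        problems.append("0.0.0.0/0 disables the restriction: anyone holding the key can call the API")
    if any(net.subnet_of(local) for local in LOCAL_RANGES):
        problems.append(f"{net} is a local address; calls restricted to it will not be authorized, use your public address")
    try:
        ipaddress.ip_network(entry, strict=True)
    except ValueError:
        # e.g. 198.51.100.14/24: the host bits are ignored and the whole block is allowed
        problems.append(f"host bits are set: {entry} allows the entire block {net} ({net.num_addresses} addresses)")
    return problems


def exact_cidrs(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering exactly the given hosts and nothing else."""
    singles = (ipaddress.IPv4Network(f"{ipaddress.IPv4Address(h)}/32") for h in hosts)
    return list(ipaddress.collapse_addresses(singles))


def single_cidr(hosts: Iterable[str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Smallest single CIDR block containing every host, plus the number of extra addresses it admits."""
    addrs = sorted(set(ipaddress.IPv4Address(h) for h in hosts))
    if not addrs:
        raise ValueError("no hosts given")
    net = ipaddress.IPv4Network(f"{addrs[0]}/32")
    while addrs[-1] not in net:      # widen the prefix until the highest host fits
        net = net.supernet()
    return net, net.num_addresses - len(addrs)


if __name__ == "__main__":
    # Constructed sample: four consecutive instances in the documentation range.
    instances = ["198.51.100.14", "198.51.100.15", "198.51.100.16", "198.51.100.17"]
    for candidate in ["198.51.100.14/24", "192.168.1.5/32", "0.0.0.0/0", "2001:db8::1/128"]:
        print(candidate, "->", check_restriction_entry(candidate) or "ok")
    print("exact entries:", ", ".join(str(n) for n in exact_cidrs(instances)))
    block, extra = single_cidr(instances)
    print(f"single block: {block} (admits {extra} addresses that are not yours)")
```

For the four sample instances the exact form is two entries, 198.51.100.14/31 and 198.51.100.16/31, while the single covering block is 198.51.100.0/27, which admits 28 addresses you do not control; since the restriction field accepts a comma-separated list, prefer the exact entries.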

CORS

Our APIs support CORS simple requests. At this time, we don’t support preflight requests that send an OPTIONS HTTP request to our endpoints.

To enable CORS:

  1. Include a Referer header with a URL from a domain matching one of the configured allowed domains.
  2. Include an Origin header with a URL from a domain matching one of the configured allowed domains.

The following curl request sets both headers explicitly (a browser adds them itself from the page URL) and targets a key whose allowed domains include example.com:

curl -v -H "origin: https://www.example.com" -H "referer: https://www.example.com" "https://api.content.tripadvisor.com/api/v1/location/730099/details?key=YOUR_API_KEY"
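Because preflighted requests are not supported, the practical question for a browser client is which calls the browser will send directly and which will first issue an OPTIONS request. The following added example, not from the Tripadvisor documentation, answers that for a given method and header set using the Fetch standard's CORS-safelisted method and request-header rules (the byte-level checks on header values are omitted). It also shows that Origin and Referer are filled in by the browser rather than by the script, which is why the curl example above passes the key as the key= query parameter instead of in a custom header: a custom header would trigger a preflight. The header names and sample calls are constructed for the example.

```python
from typing import Dict, Mapping, Optional

# Added example; not part of the Tripadvisor documentation. Reports whether a
# cross-origin browser call goes out as a CORS "simple" request (sent directly,
# supported by this API) or is preceded by an OPTIONS preflight (not supported).
# Rules follow the Fetch standard; value byte checks are omitted for brevity.

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Forbidden request headers: a script cannot set these, the browser supplies them.
BROWSER_CONTROLLED = {"origin", "referer", "host", "cookie"}


def preflight_reason(method: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return None for a simple request, otherwise why the browser would preflight it."""
    if method.upper() not in SAFE_METHODS:
        return f"method {method.upper()} is not GET, HEAD or POST"
    total = 0
    for name, value in headers.items():
        lname = name.lower()
        if lname in BROWSER_CONTROLLED:
            continue  # dropped by the browser; never causes a preflight
        if lname not in SAFE_HEADERS:
            return f"header {name} is not CORS-safelisted"
        if len(value) > 128:
            return f"header {name} value is longer than 128 bytes"
        total += len(value)
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFE_CONTENT_TYPES:
                return f"Content-Type {mime} is not CORS-safelisted"
    if total > 1024:
        return "safelisted header values exceed 1024 bytes in total"
    return None


def plan_browser_call(method: str, headers: Mapping[str, str]) -> Dict[str, object]:
    """Summarise what the browser will do with this cross-origin call."""
    reason = preflight_reason(method, headers)
    return {
        "preflight": reason is not None,
        "reason": reason,
        # Origin and Referer come from the page's own URL; the script cannot forge them.
        "browser_sets": ["Origin", "Referer"],
        "ignored": [n for n in headers if n.lower() in BROWSER_CONTROLLED],
    }


if __name__ == "__main__":
    # Constructed sample calls a page script might make against the API.
    samples = [
        ("GET", {}),                                           # key in the query string: simple
        ("GET", {"X-Api-Key": "YOUR_API_KEY"}),                # custom header: preflight
        ("POST", {"Content-Type": "application/json"}),        # JSON body: preflight
        ("POST", {"Content-Type": "text/plain"}),              # safelisted type: simple
        ("GET", {"Referer": "https://www.example.com"}),       # ignored by the browser
    ]
    for method, headers in samples:
        print(method, headers, "->", plan_browser_call(method, headers))
```

A GET with the key in the query string is the only shape among these that reaches the API from a page script without a preflight; anything that adds a non-safelisted header or a JSON Content-Type is rejected by the browser before the call is made. Remember that a key embedded in page script is visible to anyone who loads the page, which is what the domain restriction is meant to contain.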

Regenerating your API key

Note: This feature is yet to be released.

Once available, you will be able to generate a new API key from the Content API platform in case your API key gets compromised or is at risk.

  1. In a browser, open https://www.tripadvisor.com/developers and sign in to your account.
  2. Click Generate New API key and follow the prompts to create a new key.
  3. Disable your existing key immediately once the new key is provisioned; a compromised key keeps working until it is disabled.

Security best practices

  • Avoid placing your API key in the source code or in a place where it can be easily discovered.
  • To monitor and prevent unauthorized use:
    • Visit the Metrics page to monitor your key usage.
    • Visit the Quotas page to limit the number of calls per day.