The importance of API security
API keys are used to authenticate and authorize access to our APIs. They help us protect our data and fortify the trust we’ve built with our customers over decades of service. It is important to keep API keys secure to prevent unauthorized access and fraudulent usage or charges on our valuable users' accounts.
To ensure API key security, we require our users to restrict access to their API key to only certain domain or IP addresses. As a new subscriber, you are required to set up at least one restriction type before gaining access to your API key. If you don’t know the definitive restrictions you want to apply just yet, you can always go back to the homepage and redefine them.
If you subscribed to Tripadvisor Content Solutions API before these security changes were released, you will be required to restrict your key for an extra layer of protection from your homepage.
Restricting your API key
Before having access to your key, we require that you restrict the access to it using specified IP addresses or domain names. This means that API calls/requests made with your key will only be allowed from these specific sites/apps. You will have to choose at least one restriction type before having access to the API key.
If you chose to restrict your API by domain name all API requests must include the HTTP Referer Header with an URL containing a restricted domain name. (e.g. Referer: http://example.com for domain name example.com)
If you don’t know the definitive restrictions you want to apply just yet, you can always go back to the Credentials page and redefine them.
How to set a restriction for an API key
Restrict by domain name
- Choose “Domain names” for API key restriction setting during sign up or from your homepage.
- Specify one or more domain names separated by a comma in the FQDN format (hostname.domain.tld). eg: example.com, news.bbc.co.uk, www.facebook.com.
- You must include the HTTP Referer header as a URL of the whitelisted domain to send requests to the API. Otherwise, the call will not be authorized. e.g. Referer: http://example.com, https://www.facebook.com/
Important Note: *Wildcards are not supported and Protocol specifications are not allowed.
Restrict by IP address
- Choose “IP addresses” for API key restriction setting during sign up or from your homepage.
- Specify one or more IPV4 addresses using CIDR notation, each separated by a comma. Eg: 198.51.100.14/24
- You must provide your public IP address and not the local IP address. The API call made with local IP address restriction will not be authorized. You can find your public IP address with a simple internet search from https://www.whatismyip.com or equivalent.
- We currently only allow IPv4 restrictions. If you have an IPv6 address, please change your network settings or disable the API key restriction by setting the range to 0.0.0.0/0. Please note that this would mean your API key stays unrestricted and anyone can call the API if your API key gets compromised. We strongly advise you to set up an IPv4 or domain restriction.
While the restrictions setup greatly depends on your preferences, we have commonly seen the following setups:
- "I want to call the Tripadvisor API from my local machine." Please set domain or IP restrictions as specified above.
- "I am using a third-party software for my application development which will make calls to Tripadvisor API."
In some cases, these services don’t publish the IPs of the machines issuing requests, please use domain restriction as specified above.
- "I want to call Tripadvisor API from my application and we’re using AWS workload with load balancer."
If the target machines of the LB have consecutive IP addresses, there should be a valid IPv4 CIDR range that fits them all. Otherwise, use the domain restriction as specified above.
Our APIs support CORS simple requests. At this time, we don’t support preflight requests that send an OPTIONS HTTP request to our endpoints.
Requirements for CORS to be enabled:
- Include a referer header with an URL from a domain matching one of the configured allowed domains
- Include the origin header with a URL from a domain matching one of the configured allowed domains
Example for a example.com configured domain:
curl -v -H "origin: <https://www.example.com>" -H "referer: <https://www.example.com>" "<https://api.content.tripadvisor.com/api/v1/location/730099/details?key=YOUR_API_KEY>"
Regenerating your API key
You can now generate a new API key from the Content API platform in case your API key gets compromised or is at risk.
- Go to Home page
- Generate New API key and follow the prompts
- Please ensure the old key will be disabled immediately as the new key gets provisioned
Security Best Practices
- Please avoid placing your API key in the source code or in a place where it can be easily discovered
- To monitor and prevent unauthorized use, you can:
- Monitor your key usage in Metrics page
- Limit the number of calls per day in Quotas page