
Authentication

How to get your API credentials and use the Travelyzer Places JWT authentication system.


The Travelyzer Places API authenticates requests with JSON Web Tokens (JWT). This guide walks you through setting up your API access step by step.

Process Overview

Authentication takes place in 3 simple steps:

  1. Create your credentials in the Developer Dashboard
  2. Exchange your credentials for a JWT token
  3. Use the token in your API requests

The JWT token is a security measure that avoids exposing your secret credentials in each request. It has a limited lifespan and can be revoked at any time.


Step 1: Create Your API Credentials

Access the Dashboard

  1. Go to the Developer Dashboard
  2. Log in or create an account
  3. Navigate to the "API Keys" section

Generate a New Key

  1. Click on "Create new key"
  2. Give your key a descriptive name (e.g., "Production", "Mobile App", "Backend Server")
  3. Click "Create"

Your Credentials

After creation, you receive two essential pieces of information:

| Credential | Format | Description |
|---|---|---|
| API Key | gck_xxxxxxxxxxxxxxxxxxxx | Public identifier of your application |
| API Secret | gcs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | Secret key for generating your tokens |

Warning: The API Secret is displayed only once, at creation. Copy it immediately and store it in a safe place. If you lose it, you will need to generate a new secret.


Step 2: Get a JWT Token

Use your credentials to obtain a JWT token via the /api-clients/token endpoint.

Endpoint

POST https://api2.gotravelyzer.com/api-clients/token

Request

curl -X POST "https://api2.gotravelyzer.com/api-clients/token" \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "gck_your_api_key",
    "apiSecret": "gcs_your_api_secret"
  }'

Body Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| apiKey | string | Yes | Your API Key (format gck_xxx) |
| apiSecret | string | Yes | Your API Secret (format gcs_xxx) |
| expiresIn | string | No | Token validity duration (default: 1h) |

Duration Options (expiresIn)

| Value | Duration | Use Case |
|---|---|---|
| 1h | 1 hour | Short sessions, development |
| 24h | 24 hours | Web applications, daily use |
| 7d | 7 days | Mobile applications, scripts |
| 30d | 30 days | Server-to-server integrations |

Response (200 OK)

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresAt": "2026-02-24T12:00:00.000Z",
  "clientId": "client_abc123"
}

| Field | Type | Description |
|---|---|---|
| token | string | Your JWT token to use in requests |
| expiresAt | string | Expiration date and time (ISO 8601) |
| clientId | string | Your application identifier |

Possible Errors

| Code | Message | Solution |
|---|---|---|
| 401 | Invalid API key | Check your API Key |
| 401 | Invalid API secret | Check your API Secret |
| 400 | apiKey is required | Add apiKey in the body |
| 400 | apiSecret is required | Add apiSecret in the body |

Step 3: Use the Token in Your Requests

Include your JWT token in the Authorization header of each API request.

Header Format

Authorization: Bearer your_jwt_token

Request Example

curl "https://places.gotravelyzer.com/v1/geocoding/forward?query=Paris" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Complete Example

Here's the complete flow, from obtaining the token to the API call:

# 1. Get a JWT token
TOKEN=$(curl -s -X POST "https://api2.gotravelyzer.com/api-clients/token" \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "gck_your_api_key",
    "apiSecret": "gcs_your_api_secret"
  }' | jq -r '.token')
 
# 2. Use the token for a geocoding request
curl "https://places.gotravelyzer.com/v1/geocoding/forward?query=Eiffel%20Tower%20Paris" \
  -H "Authorization: Bearer $TOKEN"

Handling Expired Tokens

Detecting an Expired Token

When your token expires, the API returns a 401 error:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Token expired"
}

Renewal Strategy

Best practice: Renew your token before it expires. Check the expiresAt field to know the expiration date.

  1. Store the expiration date (expiresAt) when obtaining the token
  2. Check before each request if the token is close to expiration
  3. Proactively renew the token a few minutes before expiration
  4. On 401 error, request a new token and retry the request
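
The four renewal steps above as a small token cache. This is an added example, not part of the Travelyzer documentation or any official SDK. The request_token and send callables and the five-minute margin are assumptions; request_token stands for the POST to /api-clients/token and send for one API request made with the given token.

```python
from datetime import datetime, timedelta, timezone

RENEW_MARGIN = timedelta(minutes=5)  # assumption: "a few minutes" before expiresAt


def parse_expires_at(value):
    """Parse the ISO 8601 expiresAt string, e.g. 2026-02-24T12:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class TokenManager:
    """Caches one JWT and renews it following the four steps above.

    request_token() -> dict with "token" and "expiresAt".
    send(token)     -> (status_code, body) for one API request.
    Both are hypothetical callables supplied by the caller, so this
    sketch does not depend on any particular HTTP library.
    """

    def __init__(self, request_token, now=lambda: datetime.now(timezone.utc)):
        self._request_token = request_token
        self._now = now
        self._token = None
        self._expires_at = None

    def _renew(self):
        data = self._request_token()
        self._token = data["token"]
        self._expires_at = parse_expires_at(data["expiresAt"])  # step 1

    def token(self):
        # Steps 2 and 3: renew when nothing is cached or expiry is within the margin.
        if self._token is None or self._now() >= self._expires_at - RENEW_MARGIN:
            self._renew()
        return self._token

    def call(self, send):
        status, body = send(self.token())
        if status == 401:
            # Step 4: renew once and retry once. A second 401 is returned to
            # the caller instead of looping, since it is not an expiry problem.
            self._renew()
            status, body = send(self._token)
        return status, body
```

Keep the API Secret inside request_token only; the rest of the application needs nothing but the token that call() passes to send.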

Security Best Practices

Never Expose Your Credentials

Never commit your API Key and Secret to your source code or Git repository.

Use environment variables:

# .env (do not commit this file)
TRAVELYZER_API_KEY=gck_your_api_key
TRAVELYZER_API_SECRET=gcs_your_api_secret

# .gitignore
.env
.env.local
.env.production

Client vs Server Security

| Environment | Recommended Storage |
|---|---|
| Backend / Server | Environment variables, secrets manager (Vault, AWS Secrets Manager) |
| Frontend / Browser | Never store credentials client-side. Use a backend proxy. |
| Mobile | Keychain (iOS), Keystore (Android), or backend proxy |

Secret Rotation

Regularly renew your API Secrets:

  1. Create a new secret in the Dashboard
  2. Update your applications with the new secret
  3. Verify everything works
  4. Delete the old secret

After regeneration, the old secret is immediately invalidated. Tokens already issued with the old secret remain valid until they expire, so with a long expiresIn (up to 30d) such tokens stay usable well after a rotation.

Keys by Environment

Use distinct API keys for each environment:

| Environment | Recommendation |
|---|---|
| Local Development | Dedicated "Development" key |
| Staging / Test | Dedicated "Staging" key |
| Production | Dedicated "Production" key |

This allows you to:

  • Track usage by environment
  • Revoke a key without impacting others
  • Apply different restrictions

Authentication Errors

| Code | Message | Cause | Solution |
|---|---|---|---|
| 401 | Missing Authorization header | Header missing | Add Authorization: Bearer <token> |
| 401 | Invalid token | Malformed token | Check the token format |
| 401 | Token expired | Token expired | Request a new token |
| 403 | API key disabled | Key disabled | Reactivate the key in the Dashboard |
| 403 | Quota exceeded | Quota exceeded | Wait for reset or upgrade your plan |

Error Response Example

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token"
}
