Authentication

Secure your API requests with proper authentication.

API Key Authentication

All API requests require authentication using an API key. Your API key identifies your application and grants access to the API based on your permissions.

Important: Keep your API key secure. Never expose it in client-side code, public repositories, or insecure locations.

Obtaining an API Key

To request API access:

Contact our team at hello@jets.partners
Provide your company name and intended use case
Specify your expected request volume
Our team will review and provision your API key

API keys are prefixed with jtp_ for easy identification.

Authentication Methods

Bearer Token (Recommended)

Include your API key in the Authorization header using the Bearer scheme:

Authorization: Bearer jtp_your_api_key_here

Example Request

curl -X GET https://booking.api.jets.partners/v1/account \
  -H "Authorization: Bearer jtp_your_api_key_here"

X-API-Key Header

Alternatively, you can use the X-API-Key header:

X-API-Key: jtp_your_api_key_here

Example Request

curl -X GET https://booking.api.jets.partners/v1/account \
  -H "X-API-Key: jtp_your_api_key_here"

API Key Permissions

API keys can have different permission levels:

Permission	Description	Endpoints
`flights_search`	Search for available flights	`/v1/flights/*`
`flights_book`	Create new bookings	`POST /v1/bookings`
`flights_manage`	Manage existing bookings	`PUT/DELETE /v1/bookings/*`
`account_read`	Read account information	`/v1/account/*`

Rate Limiting

Rate limits are enforced per API key. The following headers are included in all responses:

Header	Description
`X-RateLimit-Limit`	Maximum requests allowed in the current window
`X-RateLimit-Remaining`	Requests remaining in the current window
`X-RateLimit-Reset`	Unix timestamp when the rate limit resets

If you exceed your rate limit, you'll receive a 429 Too Many Requests response.

Security Best Practices

Use Environment Variables

Store your API key in environment variables, not in your codebase.

Rotate Keys Regularly

Contact support to rotate your API keys periodically.

Use HTTPS Only

All API requests must be made over HTTPS. HTTP requests will be rejected.

Monitor Usage

Regularly check your API usage through the /v1/account/usage endpoint.

Authentication Errors

Error Code	HTTP Status	Description
`MISSING_API_KEY`	401	No API key was provided in the request
`INVALID_API_KEY`	401	The provided API key is invalid or revoked
`INSUFFICIENT_PERMISSIONS`	403	The API key lacks permission for this operation
`RATE_LIMIT_EXCEEDED`	429	Too many requests in the current time window