As an distributor, safeguarding data and ensuring secure integration is not just a technical requirement - it’s a core part of your obligations under the Distribution Licence Agreement. Protecting both your business and the broader tourism network relies on robust security and privacy practices.

Our content is a valuable asset, and the API is a critical channel for delivering that content to your customers. Security breaches, unauthorised access, or data leaks can compromise your reputation, disrupt your services, and put sensitive information at risk. By following best practices, you help maintain trust and ensure compliance with our standards.

To ensure secure and reliable integration with our API, all distributors must follow these best practices:

Always use HTTPS to encrypt data transmitted between your application and the API. This protects sensitive information from being intercepted or tampered with.

Keep your API keys confidential. Do not hard-code them in your application code or expose them in client-side scripts. Store them securely in your server environment and restrict their usage to specific IP addresses or environments whenever possible.

Ensure only authorised users and systems can access the API. Implement role-based access and the principle of least privilege.

Monitor API usage and log all access attempts. This helps detect and respond to suspicious activity or potential breaches.

Use encryption to protect sensitive data both in transit and at rest.

Implement rate limiting to prevent abuse and ensure fair usage for all distributors. This helps protect against denial-of-service attacks and system overloads.

Conduct regular security reviews and vulnerability assessments. Remove outdated or unused APIs (“zombie APIs”) to reduce risk.

Avoid exposing sensitive technical details in error messages. Use generic error responses and log details internally.

Familiarise yourself with ATDW’s distributor guidelines and the Distribution Licence Agreement to ensure your integration remains compliant.

Your API key is confidential and must not be shared, sublicensed, or used across multiple domains. It is issued for your exclusive use as a registered distributor and is considered Confidential Information under your agreement with ATDW.

API keys are authorised for use on a single domain only. Sharing or using your API key on multiple domains is a breach of your licence and may result in access being revoked.

Store API keys securely on your server, never in public repositories or client-side code.

ATDW expects all distributors to handle data responsibly and in accordance with privacy best practices. This includes:

The API enforces a maximum of 5,000 profiles per page. If you need to access more, implement pagination in your integration. Learn more about size restrictions.

Use delta updates to retrieve only new or changed data, reducing unnecessary load and improving efficiency.

For technical support, integration changes, and best practice updates, visit the ATDW Support Portal.

Failure to follow these security and privacy requirements can result in revoked access, reputational damage, and potential legal or financial penalties. The Distribution Licence Agreement outlines your obligations in detail.

If you have questions about security, data privacy, or integration best practices, please contact our support team. We’re here to help you build a secure, reliable, and compliant tourism platform.