Security within the TravelgateX platform

This page describes the how security is implemented in TravelgateX platform.


TravelgateX offers a fine-grained access control and visibility for centrally managing Resources, which are granted to Partners belonging to Organizations.


Authentication is the process of authorizing or making sure that the Partner is the correct one. Every request to TravelgateX GraphQL API must carry an Access Token whether it’s an API Key or a JSON Web Token (JWT).


The API key takes cares of the authentication of applications, normally created as a Service Account with limited scopes. The correct way to send it to GraphQL server is via HTTP Header:

curl -X\
   -H "Content-Type: application/json" \
   -H "Authorization: Apikey 8626cf56-e364-4fd1-4fe0-311e23ac6355"  \
   --data '{"query":"{searchStatusService{code description}}"}' \
   --compressed \

Creating an API Key

JSON Web Token (JWT)

The JSON Web Token takes cares of the authentication of users, normally created as User.

Whenever the user wants to access a protected resource, the user agent should send the JWT, in the Authorization header using the Bearer schema. The content of the header should look like the following:


Once the Member is authenticated we must authorize the Partner to use the requested Resource.

TravelgateX Identity and Access Management let Partner administrators authorize who can take action on specific resources. This gives you full control and internal visilibity to manage your resources centrally.