Partner Integration

Embed AviaFrame on your agency website with a public widget key.

The integration uses a domain-restricted public agency key, a secure loader, and a short-lived backend widget session. No DRCT credentials or supplier secrets are ever exposed in the browser.

Open Live Demo Talk to Sales

How the integration works

A single public key ties the embedded widget to the correct agency, while the backend keeps tenant control and supplier access server-side.

1. Agency site loads `embed.js` The website includes a public widget key and target container.

2. Loader requests widget session The backend validates the agency key and current website origin against the allowlist.

3. Backend issues short-lived token That token is scoped to the agency and current allowed origin.

4. Search and booking stay tenant-scoped Orders, payments, and provider calls continue through AviaFrame backend controls.

Canonical Embed Snippet

Each agency receives a public widget key from the AviaFrame admin portal. Add the container below where you want the booking experience to appear, then include the secure loader script.

<div id="aviaframe-widget"></div>
<script
  src="https://admin.aviaframe.com/embed.js"
  data-agency-key="YOUR_AGENCY_PUBLIC_WIDGET_KEY"
  data-target-id="aviaframe-widget"
  data-locale="en"
  data-theme="light"
  async
></script>

`data-agency-key` is generated and stored by AviaFrame in the agency record. It is a public integration key, not a payment secret and not a supplier credential. The backend still enforces allowed domains before any widget session is issued.

1. Add your domains in the admin portal Save the exact website hostnames where the widget is allowed to load. The backend uses this allowlist during widget session bootstrap.

2. Copy the public widget key The key is shown in the agency setup screen together with the ready-to-paste embed code.

3. Paste the snippet into your site The loader script creates a secure iframe, initializes a short-lived widget session, and binds the session to your allowed origin.

4. Open the preview and live demo Validate loading, branding, and booking behavior before going live.

What the platform does behind the scenes

Public key Maps the embedded widget to the correct agency tenant.

Allowed origins Prevents the widget from loading on unauthorized domains.

Widget session Issues a short-lived backend token tied to the agency and website origin.

Secure operations Bookings, orders, and provider interactions stay backend-mediated and tenant-scoped.

Open Live Demo Talk to Sales

What must happen in the admin portal first

The snippet only becomes agency-specific after the agency record exists and the domain allowlist has been saved.

1. Create or provision the agency AviaFrame creates the agency tenant in the admin portal and stores its public widget key in the agency record.

2. Save allowed widget domains The admin adds the exact production hostnames where the widget is allowed to load, for example `www.agency.com`.

3. Copy the agency-specific snippet The portal exposes the embed snippet with that agency's public key already inserted.

4. Paste and validate The agency pastes the snippet into its website, then validates preview, live search, and booking behavior.

What the agency needs before going live

Allowed domains: add the exact production hostnames where the widget is allowed to load.

Public widget key: copy it from the agency setup screen in the admin portal.

Placement on site: choose the page or landing block where the booking widget should appear.

Launch validation: test preview, test live page, then verify search and booking behavior end to end.

FAQ

Is `data-agency-key` sensitive?

No. It is intentionally public and safe to place in HTML. Real protection happens server-side through domain allowlists, short-lived widget sessions, and tenant-scoped backend enforcement.

Can an agency use WordPress or a no-code site builder?

Yes. The integration only requires a target `

` and a script tag, so it works with plain HTML, WordPress, Webflow, Shopify custom sections, and most CMS systems that support custom code blocks.

Does the browser ever receive supplier tokens?

No. DRCT and backend provider credentials remain server-side. The browser only receives the short-lived widget session issued for the agency and allowed origin.

How do branding changes work?

Brand, domain, and widget settings are managed centrally in the AviaFrame admin portal. Agencies do not need to rebuild the widget script when colors, labels, or allowed domains change.

What gets embedded

The website only receives a container and a secure loader script. AviaFrame handles the tenant binding and session bootstrap behind the scenes.

Minimal production embed

<div id="aviaframe-widget"></div>
<script src="https://admin.aviaframe.com/embed.js" data-agency-key="..." data-target-id="aviaframe-widget" async></script>