Authentication overview

Land Transport Authority (LTA) DataMall provides access to a range of public transport and traffic-related datasets for Singapore. To ensure secure and authorized access to these APIs, the LTA DataMall employs a straightforward authentication mechanism based on API keys. An API key is a unique, secret token that identifies the calling application or user and grants them permission to interact with the API endpoints. This method is common for web services where simplicity and ease of integration are priorities, while still providing a layer of security by restricting access to known, registered clients.

When making requests to LTA DataMall APIs, clients must include their API key in a designated HTTP header. The LTA DataMall backend then validates this key against its registered users. If the key is valid and active, the request proceeds; otherwise, the request is rejected, typically with an HTTP 401 Unauthorized or 403 Forbidden status code. This system allows LTA to monitor API usage, enforce rate limits, and ensure that only legitimate applications consume their data resources.

It is important for developers to treat their API keys as sensitive credentials. Exposure of an API key could lead to unauthorized access to LTA DataMall APIs, potentially resulting in misuse of data or exceeding rate limits associated with the developer's account. Adhering to security best practices for API key management is therefore essential for any application integrating with the LTA DataMall.

Supported authentication methods

The Land Transport Authority DataMall primarily supports API Key authentication for all its publicly available APIs. This method involves generating a unique key through the developer portal and including it in the HTTP headers of every API request.

Below is a summary of the authentication method supported:

Method: API Key (HTTP Header)
When to Use: All API calls to LTA DataMall APIs. Suitable for server-side applications, mobile apps, and single-page applications where the key can be securely stored or proxied.
Security Level: Moderate. Sufficient for public data access with rate limiting. Relies heavily on secure key storage and transmission over HTTPS.
Key Management: Requires developers to securely store and transmit their API key. Key rotation is recommended periodically or upon compromise.

The LTA DataMall does not currently support more complex authentication flows like OAuth 2.0 or JSON Web Tokens (JWT) for direct API access. The simplicity of API key authentication aligns with the goal of providing easy access to public transport data for developers and researchers.

Getting your credentials

To obtain an API key for the Land Transport Authority DataMall, developers must follow a registration process on the official LTA DataMall developer portal. This process typically involves providing some personal or organizational details and agreeing to the terms of service.

  1. Visit the LTA DataMall Developer Resources page: Navigate to the LTA DataMall Developer Resources on the official LTA website.
  2. Register for an account: Look for a registration link or button, which will guide you through creating a new developer account. This usually involves providing an email address, setting a password, and confirming your email.
  3. Request an API Key: Once registered and logged in, there will typically be a section or dashboard where you can generate or view your API key. The specific steps may vary but generally involve clicking a 'Generate Key' or 'My API Key' button.
  4. Accept Terms of Use: Before receiving your key, you may need to acknowledge and accept the LTA DataMall API terms of use, which outline permissible usage, rate limits, and data governance policies.
  5. Retrieve your API Key: Your unique API key will then be displayed. Copy this key immediately and store it securely. The LTA DataMall documentation specifies that this key must be included in the AccountKey HTTP header for all requests.

It's crucial to understand that the API key provided is directly linked to your developer account and its usage is subject to the LTA's terms and conditions. Misuse or sharing of the key beyond authorized personnel may lead to revocation of access.

Authenticated request example

Once you have obtained your API key from the LTA DataMall developer portal, you can use it to make authenticated requests to any of the available APIs. The API key must be passed in the HTTP request header named AccountKey.

Here's an example using curl to fetch data from a hypothetical LTA DataMall API endpoint, such as the Bus Arrival API (actual endpoints and parameters may vary; refer to the official LTA DataMall API reference for precise details).

curl -X GET \
  'https://datamall2.mytransport.sg/ltaodataservice/BusArrivalv2?BusStopCode=83139&ServiceNo=181' \
  -H 'AccountKey: YOUR_LTA_DATAMALL_API_KEY' \
  -H 'Accept: application/json'

In this example:

  • https://datamall2.mytransport.sg/ltaodataservice/BusArrivalv2?BusStopCode=83139&ServiceNo=181 is the API endpoint for fetching bus arrival data for a specific bus stop and service number; the request is sent over HTTPS so that the AccountKey header is never transmitted in the clear.
  • -H 'AccountKey: YOUR_LTA_DATAMALL_API_KEY' sets the HTTP header AccountKey with your unique API key. Replace YOUR_LTA_DATAMALL_API_KEY with the actual key you obtained from the LTA DataMall portal.
  • -H 'Accept: application/json' specifies that the client prefers a JSON response.

For programmatic access in various languages, the concept remains the same: include the AccountKey header with your API key in every request. Most HTTP client libraries provide methods to set custom headers.

Security best practices

Maintaining the security of your API key is paramount to protect your application and ensure uninterrupted access to LTA DataMall services. Adhering to general API key security principles, as outlined by resources like Cloudflare's API Key Best Practices, is highly recommended.

Here are key security best practices:

  1. Keep API Keys Confidential: Treat your LTA DataMall API key like a password. Never hardcode it directly into client-side code (e.g., JavaScript in a browser) or commit it directly into version control systems like Git.
  2. Use Environment Variables for Server-Side Applications: For applications running on servers, store the API key as an environment variable rather than directly in code. This prevents the key from being exposed if the codebase is compromised or publicly shared.
  3. Implement a Proxy Layer for Client-Side Applications: If your application is client-side (e.g., a mobile app or a single-page web application), avoid embedding the API key directly. Instead, route API requests through your own secure backend server. This server can then add the API key to the request before forwarding it to LTA DataMall, keeping the key hidden from the client.
  4. Restrict Access to API Keys: Limit who in your development team has access to the production API key. Follow the principle of least privilege.
  5. Monitor API Key Usage: Regularly review your application's API usage patterns. Unusual spikes or activity might indicate a compromised key.
  6. Implement Rate Limiting and Quotas (Client-Side): Even though LTA DataMall implements its own rate limits, building in client-side rate limiting can help prevent accidental overuse and reduce the impact of a compromised key.
  7. Secure Communication (HTTPS/TLS): All communication with LTA DataMall APIs should always occur over HTTPS. This encrypts the data in transit, protecting your API key and the data exchanged from eavesdropping. The LTA DataMall endpoints are designed to use HTTPS by default.
  8. Key Rotation: Periodically rotate your API key. If the LTA DataMall portal provides a mechanism to regenerate or revoke keys, utilize it as a standard security practice, especially if you suspect a key might have been exposed.
  9. Error Handling: Implement robust error handling for API requests. Do not expose raw error messages, especially those that might contain sensitive information or hint at internal system details, to end-users.

By diligently following these practices, developers can significantly enhance the security posture of their applications interacting with the Land Transport Authority DataMall APIs, protecting both their own credentials and the integrity of the data services.