API Authentication and Authorization

Authentication and authorization (sometimes abbreviated as AuthN and AuthZ) are two separate functions that help secure access to your APIs and data.

  • Authentication establishes the identity of an API client (i.e. that it is your client).
  • Authorization ensures that a client has the permission to make a given API request.

About Tokens

OAuth 2.0 is an industry-standard protocol that uses tokens (alphanumeric strings) to establish proof of authentication and authorization. A token includes this information:

  • The identity of the API client that is making the request.
  • The permissions the client has been granted, i.e. the list of scopes that you assigned it.
  • The time that the token was created and how long it can be used.

Tokens issued by the Open World platform are opaque; they cannot be decoded or decrypted.

Authentication: Acquire a Token

An API client must acquire a token prior to making an API request, and that is when authentication is performed. Tokens are provided through a special API endpoint that uses HTTP Basic Auth. You must provide the key as the username and the secret as the password.

Authorization: Supply a Token with Each API Request

A single token can be used to authorize multiple API requests over its lifetime. All tokens have a lifetime of 30 minutes, so your client software must acquire a new token before the current one expires.

API requests that do not have a valid token will fail with an HTTP 403 error code (unauthorized). This error will occur when the token is:

  • Missing from the request
  • Not issued by the token API
  • Expired
  • Missing required scopes

The Token API

Use this API to acquire a token from within your client software:

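# --user sends the key as the Basic Auth username and the secret as the password;
# curl base64-encodes "<key>:<secret>" into the Authorization header.
curl --location --request POST 'https://api.expediagroup.com/identity/oauth2/v3/token' \
    --user '<key>:<secret>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials'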
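The following is an added example, not code from the Open World platform: a client-side token cache that acquires a token with HTTP Basic Auth, reuses it across requests, and renews it before the 30-minute lifetime ends. The names `TokenCache` and `REFRESH_MARGIN` are hypothetical, and the response fields `access_token` and `expires_in` are assumed from the OAuth 2.0 specification (RFC 6749), since this page does not show the response body.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.expediagroup.com/identity/oauth2/v3/token"  # from this page
TOKEN_LIFETIME = 30 * 60  # seconds; the documented token lifetime
REFRESH_MARGIN = 60       # assumption: renew one minute before expiry


def basic_auth_header(key, secret):
    """HTTP Basic Auth value: key as username, secret as password, base64-encoded."""
    raw = f"{key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_token(key, secret):
    """POST grant_type=client_credentials to the token API and return the parsed JSON."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Authorization": basic_auth_header(key, secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one token for many API requests and renews it before it expires."""

    def __init__(self, key, secret, fetch=fetch_token, clock=time.monotonic):
        self._key, self._secret = key, secret
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            body = self._fetch(self._key, self._secret)
            # Assumption: standard OAuth 2.0 response fields (RFC 6749). If
            # expires_in is absent, fall back to the documented 30 minutes.
            lifetime = int(body.get("expires_in", TOKEN_LIFETIME))
            self._token = body["access_token"]
            self._expires_at = self._clock() + lifetime
        return self._token

    def invalidate(self):
        """Call after an HTTP 403 so the next get() acquires a fresh token."""
        self._token = None
```

Load the key and secret from a secret store or environment variable rather than source code, and keep both the credentials and the returned token out of logs.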