API Authentication and Authorization
Authentication and authorization (often abbreviated AuthN and AuthZ) are two separate functions that together control access to your APIs and data.
- Authentication establishes the identity of an API client, i.e. proves that a request really comes from your client and not from someone else holding a forged or stolen credential.
- Authorization determines whether that authenticated client has permission to make a given API request.
About Tokens
OAuth 2.0 is an industry-standard protocol that uses tokens (alphanumeric strings) as proof of authentication and authorization. Each token is bound to this information:
- The identity of the API client that is making the request.
- The permissions the client has been granted, i.e. the list of scopes you assigned to it.
- The time the token was issued and how long it remains valid.
Tokens issued by the Open World platform are opaque: they cannot be decoded or decrypted, so your client cannot read any of this information from the token string itself. Treat the token purely as a bearer credential: anyone who obtains it can use it until it expires, so do not log it or embed it in URLs.
Authentication: Acquire a Token
An API client must acquire a token before making an API request; authentication is performed at that point. Tokens are issued by a dedicated token endpoint that uses HTTP Basic Auth: supply your key as the username and your secret as the password. The key and secret are long-lived credentials, so keep them on the server side of your integration and never ship them in browser or mobile code.
Authorization: Supply a Token with Each API Request
A single token can authorize many API requests over its lifetime. All tokens expire 30 minutes after they are issued, so your client software must cache the current token and acquire a new one before it expires, rather than requesting a fresh token for every call.
API requests that do not carry a valid token fail with an HTTP 403 status code, meaning the request is not authorized. This error occurs when the token is:
- Missing from the request
- Not issued by the token API
- Expired
- Missing required scopes
The Token API
Use this API to acquire a token from within your client software:
# Request a token with the client-credentials grant. Pass the key and secret
# with --user so curl base64-encodes them into the Basic Authorization header;
# a literal 'Authorization: Basic <key>:<secret>' header is not valid HTTP Basic auth.
curl --location --request POST 'https://api.expediagroup.com/identity/oauth2/v3/token' \
--user '<key>:<secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials'
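The sections above describe one procedure: authenticate at the token endpoint with HTTP Basic credentials, cache the opaque token, renew it before the 30-minute lifetime runs out, and send it with every request, expecting HTTP 403 when it is missing, unknown or expired. The following Python example is added here to show that procedure end to end; it is not code from the Open World platform or from this page. It assumes the token endpoint returns a standard OAuth 2.0 JSON token response (access_token, token_type, expires_in), that API calls carry the token in an Authorization: Bearer header, and that a two-minute refresh margin is acceptable; the FakeOpenWorld class, the /example route and the key and secret values are constructed stand-ins so the code runs offline.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_URL = "https://api.expediagroup.com/identity/oauth2/v3/token"
TOKEN_LIFETIME = 1800   # tokens live 30 minutes (from the page)
REFRESH_MARGIN = 120    # assumption: renew when under 2 minutes remain

# transport(method, url, headers, body) -> (status, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]


def basic_auth_header(key: str, secret: str) -> str:
    """HTTP Basic sends base64('key:secret'), never the raw 'key:secret' pair."""
    raw = f"{key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenClient:
    """Acquires a token (authentication) and attaches it to requests (authorization)."""

    def __init__(self, key: str, secret: str, transport: Transport,
                 clock: Callable[[], float] = time.time) -> None:
        self._key, self._secret = key, secret
        self._transport, self._clock = transport, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def fetch_token(self) -> str:
        """POST grant_type=client_credentials with Basic auth, as the page's curl does."""
        headers = {"Authorization": basic_auth_header(self._key, self._secret),
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self._transport("POST", TOKEN_URL, headers,
                                       "grant_type=client_credentials")
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        resp = json.loads(body)  # assumption: standard RFC 6749 token response
        self._token = resp["access_token"]
        self._expires_at = self._clock() + float(resp.get("expires_in", TOKEN_LIFETIME))
        return self._token

    def token(self) -> str:
        """Reuse the cached token; renew it before the 30-minute lifetime runs out."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            self.fetch_token()
        return self._token

    def request(self, method: str, url: str, body: Optional[str] = None) -> Tuple[int, str]:
        """Send the token as Bearer (assumption). On 403 fetch a fresh token and retry
        exactly once: an expired or unknown token is cured, a missing scope is not."""
        headers = {"Authorization": f"Bearer {self.token()}"}
        status, resp = self._transport(method, url, headers, body)
        if status != 403:
            return status, resp
        headers = {"Authorization": f"Bearer {self.fetch_token()}"}
        return self._transport(method, url, headers, body)


class FakeOpenWorld:
    """Constructed stand-in for the token endpoint plus one API route; not the real service."""

    def __init__(self, key: str, secret: str, clock: Callable[[], float]) -> None:
        self._expected_auth = basic_auth_header(key, secret)
        self._clock = clock
        self._issued: Dict[str, float] = {}   # opaque token -> expiry time
        self.tokens_issued = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[str]) -> Tuple[int, str]:
        if url == TOKEN_URL:
            if (method != "POST" or headers.get("Authorization") != self._expected_auth
                    or body != "grant_type=client_credentials"):
                return 401, json.dumps({"error": "invalid_client"})
            self.tokens_issued += 1
            tok = f"opaque-{self.tokens_issued}"
            self._issued[tok] = self._clock() + TOKEN_LIFETIME
            return 200, json.dumps({"access_token": tok, "token_type": "Bearer",
                                    "expires_in": TOKEN_LIFETIME})
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if tok not in self._issued or self._clock() >= self._issued[tok]:
            return 403, json.dumps({"error": "unauthorized"})  # missing, unknown or expired
        return 200, json.dumps({"ok": True})

    def revoke_all(self) -> None:
        """Simulate tokens the token API no longer recognises."""
        self._issued.clear()


def demo() -> Dict[str, object]:
    """Walk through acquire, reuse, renew-before-expiry and recover-from-403."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    server = FakeOpenWorld("my-key", "my-secret", clock)      # constructed credentials
    client = TokenClient("my-key", "my-secret", server, clock)
    api = "https://api.expediagroup.com/example"               # hypothetical API route
    first_status, _ = client.request("GET", api)               # acquires opaque-1, then 200
    first_token = client.token()                               # cached, no new request
    now[0] += TOKEN_LIFETIME - REFRESH_MARGIN + 1              # inside the refresh margin
    second_token = client.token()                              # renewed proactively
    server.revoke_all()                                        # server forgets opaque-2
    third_status, _ = client.request("GET", api)               # 403, refetch, retry -> 200
    return {"first_status": first_status, "first_token": first_token,
            "second_token": second_token, "third_status": third_status,
            "tokens_issued": server.tokens_issued}


if __name__ == "__main__":
    print(demo())
```

Two points the page's prose implies but a first implementation usually gets wrong are visible here: the Basic credential is the base64 encoding of key:secret, not the raw pair, and a 403 is retried with a fresh token only once, because a 403 caused by a missing scope will recur no matter how many tokens you fetch.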