API tokens

Authenticate and authorize your Expedia Group travel platform APIs

Authorization and authentication, sometimes abbreviated as AuthN and AuthZ, are functions that help secure access to your APIs and data.

  • Authentication establishes the identity of an API client (making sure that it is your client).
  • Authorization ensures that a client has the permission to make a given API request.

About tokens

OAuth2.0 is an industry standard protocol that uses tokens (alphanumeric strings) to establish proof of authentication and authorization. A token includes:

  • The identity of the API client that's making the request.
  • The permissions the client has been granted (the list of scopes that you assigned it).
  • The time that the token was created and how long it can be used. Tokens issued by the Expedia Group travel platform are opaque, that is, they cannot be decoded or decrypted.

Authentication: acquire a token

An API client must acquire a token prior to making an API request, and that is when authentication is performed. Tokens are provided through a special API endpoint that uses HTTP Basic Auth. You must provide the API credentials (the client ID and secret) as the username and password.

Authorization: supply a token with each API request

A single token can be used to authorize multiple API requests over its lifetime. All tokens have a lifetime of 30 minutes, and your client software must acquire a new token before the current one expires.

API requests that don't have a valid token will fail with an HTTP 403 error code (unauthorized). This error will occur when the token is:

  • Missing from the request
  • Not issued by the token API
  • Expired
  • Missing required scopes

The token API

Use this API to acquire a token from within your client software:

curl --location --request POST 'https://api.expediagroup.com/identity/oauth2/v3/token' \
    --header 'Authorization: Basic <key>:<secret>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials'
Did you find this page helpful?
How can we improve this content?
Thank you for helping us improve!