Account Information API

The Account Information API includes details about each of your customers. Your template site will use this information as part of the single-sign-on (SSO) protocol to verify the user’s account. It will be used for purchases, loyalty redemption, and more.

This API can also be used by an Expedia agent to verify the traveler’s unique identifier (for example, credit card number) as part of the request to get the user account details. The details received will be used to validate the traveler on the phone before proceeding with shopping and booking for the traveler.

See the Common data and responses page for additional information.

Credit card encryption and decryption

Expedia uses the industry-standard JWE (JSON Web Encryption) format for encrypting and decrypting credit card details. The scheme is asymmetric: a public and private RSA key pair protects a per-message symmetric content key, and that content key protects the data itself.

Encryption use cases

The places where encryption should take place include:

  • Request: cardNumber
  • Response: cardDetails

For the request, you generate a 2048-bit RSA key pair, have the public key certificate signed by a CA (certificate authority), and share that certificate with Expedia. Expedia then uses your public key to encrypt the cardNumber field with JWE (RSA key wrapping plus symmetric content encryption); only your private key can decrypt it.

For the response, Expedia generates a 2048-bit CA-signed RSA key pair and shares the corresponding public key certificate with you. Using the Expedia public key, you encrypt each element of cardDetails with JWE in the same way.

We’ve laid out the steps to the encryption process below.

Encryption, step-by-step

Step 1: Fetch the public certificate and get the RSA 2048 public key.

  1. Generate a random symmetric key (RSK) 256 bits in length.
  2. Encrypt the RSK with the RSA 2048 public key using the RSA-OAEP-256 algorithm.

Step 2: Generate a random initialization vector (IV) 96 bits in length.

Step 3: Encrypt plaintext data by using the RSK, IV, and the algorithm A256GCM to form the ciphertext and authentication tag data.

Step 4: Base64URL-encode the ciphertext to produce Base64URL (JWE ciphertext).

Step 5: Base64URL-encode the authentication tag, the IV, the encrypted RSK, and the JWE header JSON to produce:

  • Authentication tag data: Base64URL (JWE authentication tag).
  • IV: Base64URL (JWE initialization vector)
  • RSK: Base64URL (JWE encrypted key)
  • JWE header JSON: Base64URL (UTF8 (JWE header))

Then serialize the JWE object to its compact format consisting of Base64URL-encoded parts delimited by periods ('.') to produce:

Base64URL (UTF8 (JWE header)) || '.' || Base64URL (JWE encrypted key) || '.' || Base64URL (JWE initialization vector) || '.' || Base64URL (JWE ciphertext) || '.' || Base64URL (JWE authentication tag)

Code samples

Sample Java for encryption

JWE encryption can be implemented efficiently and quickly with the help of third-party JWE libraries. For example, this Java code for encryption was created with the help of the Nimbus JOSE+JWT library.

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSAEncrypter;

// Name of the issued-at header parameter shown in the sample header below
private static final String IAT = "iat";

// publicCertificate is the Expedia public key certificate, fetched from your certificate store
public String encryptWithJWE(String plainText, X509Certificate publicCertificate)
        throws GeneralSecurityException, JOSEException {
    // get RSA public key
    final X509EncodedKeySpec publicKeySpec =
        new X509EncodedKeySpec(publicCertificate.getPublicKey().getEncoded());
    final KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    RSAPublicKey rsaPublicKey = (RSAPublicKey) keyFactory.generatePublic(publicKeySpec);
    // get keyID (subject key identifier) from the certificate; certificateManager is your own helper
    String keyID = certificateManager.getKid(publicCertificate);
    // Create JWE header containing the metadata needed for encryption and decryption;
    // iat is expressed in seconds since the UNIX epoch, as in the sample header below
    JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
        .type(JOSEObjectType.JWT)
        .customParam(IAT, System.currentTimeMillis() / 1000L)
        .keyID(keyID)
        .build();
    /*
    Sample JWE header

    {
      "alg":"RSA-OAEP-256",
      "typ":"JWT",
      "enc":"A256GCM",
      "iat":<Time (in UTC) when JWE was issued, expressed in UNIX epoch time (seconds since 1 January, 1970)>,
      "kid":<Key ID or subject key identifier from the public key certificate>
    }
    */
    JWEObject jweObject = new JWEObject(jweHeader, new Payload(plainText));
    RSAEncrypter encrypter = new RSAEncrypter(rsaPublicKey);
    jweObject.encrypt(encrypter);
    return jweObject.serialize();
}

Decryption of card number in request

Expedia will encrypt cardNumber in the request. The decryption path is the reverse of the encryption path:

  1. When you receive the encrypted JWE, decode its first section, the JOSE header, to determine the key-wrapping algorithm, the content encryption method, and the key ID (alg, enc, kid). Check that alg and enc are the expected values (RSA-OAEP-256 and A256GCM) and that kid refers to your key.
  2. Validate the iat (issued-at: the time the JWE was issued) to make sure it differs from the current time by no more than 5 minutes. (The token expires after 5 minutes.)
  3. Fetch your private key and decrypt the JWE encrypted key, recovering the RSK.
  4. Using the recovered RSK, the JWE initialization vector, and the JWE authentication tag, decrypt the JWE ciphertext and verify it. A failed tag check means the token was altered or encrypted for a different key; treat the payload as invalid.
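The full encryption process laid out in the steps above (random RSK, RSA-OAEP-256 key wrap, 96-bit IV, A256GCM, Base64URL parts joined with periods) and its reverse on the decryption side (header check, 5-minute iat window, key unwrap, tag verification), as an added example written for this page in Go using only the standard library. It is not Expedia's code and not the Nimbus library shown in the Java samples. The RSA key pair is generated in place to stand in for the CA-signed certificate exchange, and the kid value "partner-cert-1" and the plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// jweHeader carries the fields of the sample JWE header on this page.
type jweHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Enc string `json:"enc"`
	Iat int64  `json:"iat"` // seconds since the UNIX epoch
	Kid string `json:"kid"` // key ID of the certificate whose public key wrapped the RSK
}

var b64 = base64.RawURLEncoding // Base64URL without padding, as JWE requires

// NewPartnerKey generates a 2048-bit RSA key pair; it stands in for the CA-signed certificate exchange.
func NewPartnerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds the A256GCM cipher (96-bit IV, 128-bit tag) for a 256-bit RSK.
func newGCM(rsk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(rsk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE follows the five steps above and returns the compact serialization
// header.encryptedKey.iv.ciphertext.tag for RSA-OAEP-256 + A256GCM.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte, now time.Time) (string, error) {
	hdrJSON, err := json.Marshal(jweHeader{Alg: "RSA-OAEP-256", Typ: "JWT", Enc: "A256GCM", Iat: now.Unix(), Kid: kid})
	if err != nil {
		return "", err
	}
	hdrB64 := b64.EncodeToString(hdrJSON) // also the GCM additional authenticated data (RFC 7516)
	// Steps 1 and 2: random 256-bit RSK and random 96-bit IV; the RSK is then wrapped with RSA-OAEP (SHA-256).
	rsk, iv := make([]byte, 32), make([]byte, 12)
	for _, buf := range [][]byte{rsk, iv} {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rsk, nil)
	if err != nil {
		return "", err
	}
	// Step 3: AES-256-GCM over the plaintext; Go's Seal appends the 16-byte tag to the ciphertext.
	gcm, err := newGCM(rsk)
	if err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(hdrB64))
	split := len(sealed) - gcm.Overhead()
	// Steps 4 and 5: Base64URL each part and join with '.'.
	return strings.Join([]string{hdrB64, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// DecryptJWE is the receiving side: pin the header, check iat is within 5 minutes, unwrap the
// RSK with the private key, then Open verifies the tag (over ciphertext and header) before decrypting.
func DecryptJWE(priv *rsa.PrivateKey, expectedKid, compact string, now time.Time) ([]byte, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, errors.New("jwe: compact serialization must have 5 parts")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("jwe: part %d is not Base64URL: %w", i, err)
		}
		raw[i] = d
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// Never let the sender's header choose the algorithm or the key.
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" || hdr.Kid != expectedKid {
		return nil, fmt.Errorf("jwe: unexpected header alg=%q enc=%q kid=%q", hdr.Alg, hdr.Enc, hdr.Kid)
	}
	if d := now.Unix() - hdr.Iat; d > 300 || d < -300 {
		return nil, errors.New("jwe: iat is more than 5 minutes from the current time")
	}
	rsk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(rsk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}
```

The header is validated before the private key is used so that a token naming a different alg, enc or kid is rejected up front, and the encoded header is passed as GCM additional authenticated data, so any change to it also fails the tag check in the last step.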

Code sample

Sample Java for decryption

JWE decryption can likewise be implemented with a third-party JWE library. This Java code for decryption was created with the help of the Nimbus JOSE+JWT library.

import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.crypto.RSADecrypter;

// privateKey is your RSA private key, fetched from your key store
public String decryptJWE(String jweString, PrivateKey privateKey) throws ParseException, JOSEException {
    RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) privateKey;
    JWEObject jweObject = JWEObject.parse(jweString);
    // validateJweHeader is your own routine: check alg, enc, kid and the 5-minute iat window before decrypting
    JWEHeader jweHeader = jweObject.getHeader();
    validateJweHeader(jweHeader);
    RSADecrypter rsaDecrypter = new RSADecrypter(rsaPrivateKey);
    jweObject.decrypt(rsaDecrypter);
    return jweObject.getPayload().toString();
}

Get account information

You’ll use this set of fields to fetch account info for a loyalty member or card holder using POST /user/v1/account.

Header

Field | Description | Sample value | Field type | Mandatory?
partnerId | Unique identifier for your business, provided by Expedia | YOUR BRAND | String, max 20 characters | Yes
Authorization | Access token received by Expedia from your authorization server, to be validated by your team | Standard JSON web token (JWT) | String, standard JWT length | No
Authorization2 | JSON web token (JWT) sent by Expedia; signature and claims to be validated on your end | Standard JWT | String, standard JWT length | No

Request

Field | Description | Field type | Mandatory?
requestId | Unique identifier for the transaction request | String | Yes
membershipId | Unique customer identifier | String | No
loyaltyAccountNumber | The customer’s loyalty account number (also called programAccountNumber); this should only be populated if an identifier other than membershipId is required for loyalty operations | String | No
programId | Identifier for the loyalty program the customer is affiliated to or the tier name associated with the loyalty program | String | No
cardNumber | Customer credit card number (encrypted) | String | No
email | Customer email address | String | No

Response

Field | Description | Field type | Mandatory?
status | Transaction status (values: Approved, Declined) | String | Yes
requestId | Unique identifier for the transaction request (from request payload) | String | Yes
ProgramAccount | Program account details; see ProgramAccount table for nested fields | |
languageId | The languages in which the site will be viewable | String | No
channelType | Platforms the site is optimized for (values: WEB, MOBILE, TABLET) | | No

ProgramAccount

Field | Description | Sample value | Mandatory?
programId | Identifier for the loyalty program the customer is affiliated to or the tier name associated with the loyalty program | Aventura Gold | Yes
accountName | Program name (if different from programId) | Aventura | No
loyaltyAccountNumber | The customer’s loyalty account number (also called programAccountNumber); this should only be populated if an identifier other than membershipId is required for loyalty operations | 1234567 | No
lastFourDigitsOfCreditCard | The last 4 digits of the credit card the customer used for the booking | 0000 | No
loyaltyConversionRatio | Ratio of how payment converts to points earned (for example, $1 = 1 point) | | No
loyaltyAccountBalance | Current balance of customer’s earned loyalty points | 2003 | Yes

User information

Field | Description | Sample value | Mandatory?
userId | Unique identifier for customer; same as membershipId | | Yes
name | Customer first, middle, and last name | |
firstName | Customer’s first name; nested under name | Bob | Yes
middleName | Customer’s middle name; nested under name | Robert | No
lastName | Customer’s last name; nested under name | Jones | Yes
contactInfo | Customer contact information, including address, email and phone number | | No
address | Customer address, including street address, city, state or province, and postal code; nested under contactInfo | |
streetAddress | Customer street address; nested under address | 123 Main St. | No
city | City of customer’s street address; nested under address | Boston | No
state | State of customer’s street address; nested under address | MA | No
country | Country of customer’s street address; nested under address | USA | No
postalCode | Postal code of customer’s street address; nested under address | 02112 | No
taxProvince | The state or province in which the customer will be paying taxes; nested under address | MA | No
email | Customer’s email address; nested under contactInfo | brjones@somewhere.com | No
contactNumber | Customer’s phone number; nested under contactInfo | 555-555-5555 | No
userType | Whether the customer is a single (primary) user or associated with an organization | | No
dateOfBirth | Customer’s date of birth | | No
cardDetails | Details about the credit card used in the transaction; if populated, some nested items must be encrypted | | No
cardNumber * | Credit card number used in transaction (encrypted); nested under cardDetails | | Yes
cardType | Type of card used (encrypted); nested under cardDetails | | Yes
expirationDate * | Expiration date of card in MM/YYYY format (encrypted); nested under cardDetails | | Yes
billingAddress | Billing address of the card used in the transaction; nested under cardDetails | |
firstAddressLine * | First line of billing address (encrypted); nested under billingAddress | | Yes
secondAddressLine | Second line of billing address; nested under billingAddress | | No
thirdAddressLine | Third line of billing address; nested under billingAddress | | No
city | City element of billing address; nested under billingAddress | | No
province | Province or state element of billing address; nested under billingAddress | | No
countryCode | Country element of billing address; nested under billingAddress | | No
postalCode * | Postal code element of billing address (encrypted); nested under billingAddress | | Yes

Note: If any of the cardDetails fields are populated, those marked with a * are mandatory. All of the data in these fields is encrypted using the JWE process described above.

API details

Without credit card information

With credit card information
