OAuth 2.0 authentication
Several of the Rapid APIs use an OAuth 2.0 authentication process rather than signature authentication.
Read more about signature authentication
Establish authorization
OAuth 2.0 authentication requires an access token. To get an access token, you will send a request to the Expedia gateway using your API credentials. The two parts of your credentials will be combined, Base64 encoded, and sent as the Authorization header with a Basic prefix, e.g. Basic <base64>.
Example: Encode your credentials in Base64 format
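// Read the two credential parts from the Postman environment.
var clientId = postman.getEnvironmentVariable("client-id");
var clientSecret = postman.getEnvironmentVariable("client-secret");
// Join them with a colon and Base64-encode the UTF-8 bytes.
var credentialBytes = CryptoJS.enc.Utf8.parse(clientId + ":" + clientSecret);
var base64 = CryptoJS.enc.Base64.stringify(credentialBytes);
// Store the result for use as {base64} in the Authorization header.
postman.setEnvironmentVariable("base64", base64);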
Note: If your launch manager has provided a Rapid API key (api_key) or shared secret (shared_secret), you may use those where the code example calls for client-id and client-secret, respectively. They are interchangeable in this usage.
Get an opaque access token
You'll need an opaque access token (that is, one that does not contain any information about the user or resource) before you can make an API request.
Sample request
POST – https://api.ean.com/identity/oauth2/v3/token
Header:
Key: 'Authorization'
Value: 'Basic {base64}'
Sample response
{
"access_token": "p1xy6rxahicQPUIX_Sq6a52yFnHXpX3ImaSX9sKiUI4:XM8qZiTr1HPDc8FgBE5HLvFTFdICuRFV0-l7gFWI-WU",
"token_type": "bearer",
"expires_in": 1800,
"scope": "demand-solutions.demand-api-wrappers-playground.all"
}
Use the opaque access token
Now that you have an access_token, you can use it to make requests to any endpoint that supports OAuth 2.0, such as Typeahead, Geography, and Cars.
GET - https://test.ean.com/v3/regions?include=standard&language=en-US&iata_location_code=SEA
Header:
Key: 'Authorization'
Value: 'Bearer {access_token}'
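The flow described above (encode the credentials, request a token, send it as a Bearer header), as an added example that is not Expedia's code: a small Node.js client that reuses the token for its expires_in lifetime instead of requesting a new one on every call. The names createTokenClient, transport, fetchJson and the 60-second skewSeconds margin are assumptions of this example, and the token request sends only the Authorization header shown in the sample request.

```javascript
// Token URL taken from the page's sample request.
const TOKEN_URL = "https://api.ean.com/identity/oauth2/v3/token";

// Basic header value: base64 of client-id ":" client-secret, encoded as UTF-8.
function basicAuthHeader(clientId, clientSecret) {
  if (!clientId || !clientSecret) throw new Error("missing client credentials");
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
}

// transport(url, options) resolves to the parsed JSON body (hypothetical interface,
// injected so the client can run offline). now() returns milliseconds.
function createTokenClient({ clientId, clientSecret, transport, now = Date.now, skewSeconds = 60 }) {
  let cached = null; // { token, expiresAt }
  async function fetchToken() {
    const body = await transport(TOKEN_URL, {
      method: "POST",
      headers: { Authorization: basicAuthHeader(clientId, clientSecret) },
    });
    if (!body || typeof body.access_token !== "string" || body.access_token === "") {
      throw new Error("token response has no access_token");
    }
    if (String(body.token_type).toLowerCase() !== "bearer") throw new Error("unexpected token_type");
    const lifetime = Number(body.expires_in);
    if (!Number.isFinite(lifetime) || lifetime <= 0) throw new Error("invalid expires_in");
    // Refresh early so a token does not expire while a request is in flight.
    cached = { token: body.access_token, expiresAt: now() + Math.max(lifetime - skewSeconds, 0) * 1000 };
  }
  return {
    // Header value for API calls; the token is reused until it nears expiry.
    async authorizationHeader() {
      if (!cached || now() >= cached.expiresAt) await fetchToken();
      return "Bearer " + cached.token;
    },
  };
}

// Network transport using the global fetch of Node 18+; the status code is checked, nothing is logged.
async function fetchJson(url, options) {
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json();
}

// Offline demo with a constructed token response (no network call is made).
const demo = createTokenClient({
  clientId: "example-id", clientSecret: "example-secret",
  transport: async () => ({ access_token: "constructed-token", token_type: "bearer", expires_in: 1800 }),
});
demo.authorizationHeader().then((header) => console.log(header));
```

For live calls, pass fetchJson as the transport and read the credentials from the environment or a secret store rather than from source code.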