Getting startedPromotions

API intro

The Lodging Supply GraphQL API enables Expedia connectivity partners to retrieve property information, pricing data, performance insights, and more. This is a GraphQL API, and all request and response bodies, including errors, are encoded in JSON. All requests and responses must be made over a secure connection.

Endpoint

https://apis.expediaconnectivity.com/graphql

All requests must be made over a secure connection. All request and response bodies, including errors, are encoded in JSON.

Use the POST method as shown in this example:

1curl --request POST \
2 --url https://apis.expediaconnectivity.com/graphql \
3 --header 'Authorization: Bearer {token}' \
4 --header 'Content-Type: application/json' \
5 -d ' {
6 property(id: "{id}")
7 ...
8 }
9 '

Even though a POST is sent to the GraphQL endpoint, data will only be retrieved, not modified, because the body contains queries only.

Authentication

This API uses OAuth2 for delegating access to resources. Rather than passing username/password credentials with each request, you can periodically obtain an access token from the OAuth2 server to send within API requests in the form of a bearer token header. The token is used to verify identity (authenticate) and authorize access to the specified property.

If you issue a request using an expired token, an error is returned stating that the token is invalid. We recommended that you retrieve a new token several seconds before it expires to avoid any service disruption. (The expires_in attribute in the response indicates the number of seconds a token is valid.)

If you are calling the API from multiple servers, you can request a unique access token from each server and save it in memory. It is not necessary to persist the token to disk and attempt to reuse across all servers in your application. This should simplify your solution and is potentially more secure as the token is less likely to be compromised if it is not persisted to disk.

Obtaining an access token

To obtain an access token, complete these steps:

  1. Obtain API credentials, which will be used to authenticate with the OAuth2 token service:

    • If you are an existing API partner, use your current API credentials to fetch the access token. You would usually use these credentials to access other APIs, such as Availability and Rates, Property, and Product. They are typically prefixed with ”EQC”.
    • If you are new partner, obtain Expedia credentials by submitting your request on this page.

    Ensure that these credentials are stored securely and are not exposed to your users through cookies, web storage, browser or mobile applications, and so on.

  2. Encode the username and password to Base64.

  3. Send a request to the OAuth2 token service (https://apis.expediaconnectivity.com/oauth/token?grant_type=client_credentials).

    Note that the access token may be longer and additional attributes will be present in the response. Also, note the expires_in attribute, which indicates how long the token is valid (in seconds). The expires_in value provided in the sample code below is an example. Be sure to obtain the actual value of the field returned to you and use it to determine the expiration status of your token.

  4. Save the access token in a secure fashion (preferably in-memory), and do not expose the token to your users in any way. Do not attempt to parse the contents of the access token because they are subject to change. Always send the token directly to the API over a secure TLS connection using server-to-server communications.

Here is an example request to obtain a token:

curl -i -XPOST https://apis.expediaconnectivity.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic {base64_encoded_credentials}" \
  -d "grant_type=client_credentials"

Example response:

1{
2 "access_token": "oVapAccHHYCGzggNaVHP.ys7dffRkOP2om9Hkbylo.tssKms0UIo9KScLlegv1",
3 "token_type": "bearer",
4 "expires_in": 299
5}

Calling the API with an access token

After you obtain an access token, you must include it with all API requests; every request must be authenticated, no anonymous access is allowed. Pass the token in the header of requests as follows:

Authorization: Bearer {token}

If you have a valid token, your request is processed by the API. Otherwise, an error is generated indicating that the token has expired or is invalid in some way.

Request headers

NameDescription
Content-TypeRequired.
Media type of the resource. Specify application/json.
Type: string
AuthorizationRequired.
Authorization type and credentials. Specify Bearer {token}.
Type: string

Rate limits

A rate limit is the number of requests received by the API within any given second. We ask each partner to issue no more than five requests per second. We constantly evaluate traffic as it surges and subsides. We will adjust the limit as needed to protect the Vrbo platform, our partners, or travelers. If you receive the HTTP 429 status code, you have exceeded our rate limit and should consider throttling your requests.

Testing requests and responses

We provide a graphical integrated development environment (IDE) that enables you to issue query requests using test data. This GraphQL explorer is available on many doc pages on this site. Or, you can install a third-party IDE (desktop app), such as Prisma or Insomnia. After you install the application, configure it with either your client ID and secret or a token generated using these values. Refer to the application's documentation for more information about configuring authorization and headers. Then, load our GraphQL endpoint URL and issue test requests as needed.