Account Information API
Verify travelers using your site using their account details
The Account Information API includes details about each traveler. An Expedia agent will use it to verify the traveler’s unique identifier for purchases, loyalty redemption, cancellations, and more. This unique identifier can be a credit card number (a Payment Card Industry (PCI) identifier) or a non-PCI identifier such as email address or loyalty account number, depending on your requirements or security standards.
See Common data and responses for additional information.
Get account information
You’ll use this set of fields to fetch account info for a loyalty member or card holder using POST /user/v1/account.
Header
| Field | Description | Sample value | Field type | Mandatory? |
|---|---|---|---|---|
| partnerId | Unique identifier for your business, provided by Expedia | YOUR BRAND | String, max 20 characters | Yes |
| Authorization | Access token received by Expedia from your authorization server, to be validated by your team | Standard JSON web token (JWT) | String, standard JWT length | — |
| Authorization2 | JSON web token (JWT) sent by Expedia; signature and claims to be validated on your end | Standard JWT | String, standard JWT length | — |
Request
You will need to set either membershipId, loyaltyAccountNumber, cardNumber, or email as a mandatory parameter. Your account manager will work with you to define which will work best based on your requirements.
Note: If you are using cardNumber as your identifier, you will also need to review the cardDetails and billingAddress tables below. No other parameters require this data.
| Field | Description | Field type | Mandatory? |
|---|---|---|---|
| requestId | Unique identifier for the transaction request | String | Yes |
| membershipId | Unique traveler identifier | String | Yes, option 1 |
| loyaltyAccountNumber | The traveler’s loyalty account number (also called programAccountNumber); this should only be populated if an identifier other than membershipId is required for loyalty operations | String | Yes, option 2 |
| programId | Identifier for the loyalty program the traveler is affiliated to or the tier name associated with the loyalty program | String | — |
| cardNumber | Traveler credit card number (encrypted) | String | Yes, option 3 |
| email | Traveler email address | String | Yes, option 4 |
Response
| Field | Description | Field type | Mandatory? |
|---|---|---|---|
| status | Transaction status (values: Approved, Declined) | String | Yes |
| requestId | Unique identifier for the transaction request (from request payload) | String | Yes |
| programAccount | Loyalty program account details; see programAccount table for nested fields | — | — |
| languageId | The languages in which the site will be viewable; see the Locale details page for details | String | — |
| optInForMarketingEmail | Whether the user has opted for marketing emails | Boolean | — |
| channelType | Platforms the site is optimized for (values: WEB, MOBILE, TABLET) | String | — |
| users | List of user details; see users table for nested fields | — | — |
| cardDetails | Details about the credit card used in the transaction; see cardDetails table for nested fields (if populated, some nested items must be encrypted) | — | — |
programAccount
| Field | Description | Sample value | Mandatory? |
|---|---|---|---|
| programId | Identifier for the loyalty program the traveler is affiliated to or the tier name associated with the loyalty program | Aventura Gold | Yes |
| accountName | Program name (if different from programId) | Aventura | — |
| loyaltyAccountNumber | The traveler’s loyalty account number (also called programAccountNumber); this should only be populated if an identifier other than membershipId is required for loyalty operations | 1234567 | — |
| lastFourDigitsOfCreditCard | The last 4 digits of the credit card the traveler used for the booking | 0000 | — |
| loyaltyConversionRatio | Ratio of how payment converts to points earned (for example, $1 = 1 point) | — | — |
| loyaltyAccountBalance | Current balance of traveler’s earned loyalty points | 2003 | Yes |
cardDetails
| Field | Description | Field type | Mandatory? |
|---|---|---|---|
| cardNumber | Traveler credit card number (encrypted) | String | Yes |
| cardType | Type of card used (encrypted) | String | Yes |
| expirationDate | Expiration date of card in MM/YYYY format (encrypted) | String | Yes |
| billingAddress | Billing address of the card used in the transaction; see billingAddress table for nested fields | — | — |
billingAddress
| Field | Description | Field type | Mandatory? |
|---|---|---|---|
| firstAddressLine | First line of billing address (encrypted) | String | Yes |
| secondAddressLine | Second line of billing address | String | — |
| thirdAddressLine | Third line of billing address | String | — |
| city | City element of billing address | String | — |
| province | Province or state element of billing address | String | — |
| countryCode | Country element of billing address | String | — |
| postalCode | Postal code element of billing address (encrypted) | String | Yes |
users
| Field | Description | Sample value | Mandatory? |
|---|---|---|---|
| userId | Unique identifier for traveler; same as membershipId | — | Yes |
| name | Traveler first, middle, and last name | — | — |
| firstName | Traveler’s first name; nested under name | Bob | Yes |
| middleName | Traveler’s middle name; nested under name | Robert | — |
| lastName | Traveler’s last name; nested under name | Jones | Yes |
| contactInfo | Traveler contact information, including address, email and phone number | — | — |
| address | Traveler address, including street address, city, state or province, and postal code; nested under contactInfo | — | — |
| streetAddress | Traveler street address; nested under address | 123 Main St. | — |
| city | City of traveler’s street address; nested under address | Boston | — |
| state | State of traveler’s street address; nested under address | MA | — |
| country | Country of traveler’s street address; nested under address | USA | — |
| postalCode | Postal code of traveler’s street address; nested under address | 02112 | — |
| taxProvince | The state or province in which the traveler will be paying taxes; nested under address | MA | — |
| email | Traveler’s email address; nested under contactInfo | brjones@somewhere.com | — |
| contactNumber | Traveler’s phone number; nested under contactInfo | 555-555-5555 | — |
| userType | Whether the traveler is a single (primary) user or associated with an organization | — | — |
| dateOfBirth | Traveler’s date of birth | — | — |
Credit card encryption and decryption
If you use cardNumber as the traveler identifier for validation, some information will need to be encrypted. Expedia requires secure handling of PCI information using an industry-standard JWE (JSON web encryption) technique for encrypting and decrypting credit card details: asymmetric encryption using a public and private key pair.
Encryption use cases
The places where encryption should take place include:
- Request: cardNumber
- Response: cardDetails
In the request direction, you set up a 2048-bit RSA (Rivest-Shamir-Adleman) key pair with a CA (certificate authority)-signed certificate and share the public certificate with Expedia; the private key stays with you. We’ll then use your public key to encrypt the cardNumber field using JWE and RSA.
In the response direction, we’ll set up a 2048-bit CA-signed RSA key pair and share the corresponding public key certificate with you. Using the Expedia public key, you’ll then encrypt each element of cardDetails using JWE and RSA.
We’ve laid out the steps to the encryption process below.
Encryption, step-by-step
Step 1: Fetch the public certificate and get the RSA 2048 public key.
- Generate a random symmetric key (RSK) of 256 bits length.
- Encrypt the RSK using the RSA 2048 public key using the algorithm RSA-OAEP-256.
Step 2: Generate a random initialization vector (IV) of 96 bits length.
Step 3: Encrypt plaintext data by using the RSK, IV, and the algorithm A256GCM to form the ciphertext and authentication tag data.
Step 4: Base64URL-encode the ciphertext to produce Base64URL (JWE ciphertext).
Step 5: Base64URL-encode the authentication tag, IV, RSK, and the JWE header JSON to produce:
- Authentication tag data: Base64URL (JWE authentication tag).
- IV: Base64URL (JWE initialization vector)
- RSK: Base64URL (JWE encrypted key)
- JWE header JSON: Base64URL (UTF8 (JWE header))
Then serialize the JWE object to its compact format consisting of Base64URL-encoded parts delimited by periods ('.') to produce:
Base64URL (UTF8 (JWE header)) || '.' || Base64URL (JWE encrypted key) || '.' || Base64URL (JWE initialization vector) || '.' || Base64URL (JWE ciphertext) || '.' || Base64URL (JWE authentication tag)
Decryption of card number in request
Expedia will encrypt cardNumber in the request. The decryption path is the reverse of the encryption path:
- When you receive the encrypted JWE, decode its first section, the JOSE header, to determine the algorithm, the encryption, and the key ID (alg, enc, kid).
- Validate the iat (issued-at: the time the JWT was issued) to make sure it is no more than 5 minutes different from the current time. (The token expires after 5 minutes.)
- Next, fetch your private key and decrypt the JWE encrypted key to recover the RSK.
- Then, using the decrypted RSK, the JWE initialization vector, and the JWE authentication tag, decrypt the JWE ciphertext and verify it.