Generate signature and build request URL

Checklist for generating the signature and building the request URL:

Step-by-step guide

Step 1: Construct the deeplink request URL to the property results page

Construct the deeplink request URL to the property results page using the partner domain in place of the Expedia domain in the example. Format search parameters and tracking code as per the deeplink guide here.

Deeplink request URL:

https://expedia.com/go/hotel/search/Destination/2025-12-22/2025-12-25?mdpcid=Expedia-IE.DPS.Expedia.ExtFlightEmail-Xsell_CTA.Hotel&CityName=ORD&SortBy=distance&NumRoom=1&NumAdult1=3&NumChild1=2&Rm1child1age=9&Rm1child2age=6

Step 2: Encode the deeplink URL using UTF-8

Encoded deeplink URL:

https%3A%2F%2Fexpedia.com%2Fgo%2Fhotel%2Fsearch%2FDestination%2F2025-12-22%2F2025-12-25%3Fmdpcid%3DExpedia-IE.DPS.Expedia.ExtFlightEmail-Xsell_CTA.Hotel%26CityName%3DORD%26SortBy%3Ddistance%26NumRoom%3D1%26NumAdult1%3D3%26NumChild1%3D2%26Rm1child1age%3D9%26Rm1child2age%3D6

Step 3: Append all the required parameters to enable attach rates

outboundEndDateTime (encoded) + originTLA + returnStartDateTime (encoded) + destinationTLA + bookingDateTime (encoded) + partnerId + attachDL

Step 4: Construct URL for signature generation (don't include domain)

Endpoint + Encoded Deeplink URL + outboundEndDateTime (encoded) + originTLA + returnStartDateTime (encoded)+ destinationTLA + bookingDateTime (encoded) + partnerId + attachDL

Example

/xsell-redirect-pwa?url=https%3A%2F%2Fexpedia.com%2Fgo%2Fhotel%2Fsearch%2FDestination%2F2025-12-22%2F2025-12-25%3Fmdpcid%3DExpedia-IE.DPS.Expedia.ExtFlightEmail-Xsell_CTA.Hotel%26CityName%3DORD%26SortBy%3Ddistance%26NumRoom%3D1%26NumAdult1%3D3%26NumChild1%3D2%26Rm1child1age%3D9%26Rm1child2age%3D6&outboundEndDateTime=2025-10-30T20%3A12%3A17.928020Z&destinationTLA=LAS&returnStartDateTime=2025-11-10T20%3A12%3A17.928020Z&originTLA=JFK&bookingDateTime=2025-07-25T20%3A12%3A17.928020Z&attachDL=true&partnerId=new-pwa-xsell-testing-airnz

Step 5: Signing the request/generating the signature

The string (URL) obtained from Step 4 should be signed using the HMAC-SHA1 algorithm using the secret/private key shared by Expedia Group. In most cryptographic libraries, the resulting signature will be in binary format so may require decoding the key into its original binary format.

There are many implementations of this cryptographic hash function defined in the RFC 2104 for several computer languages and frameworks. The following list is a subset of the implementations available:

• Java
• Javascript
• C#
• Python
• Ruby

Step 6: Encode the resulting binary signature

Encode the binary signature using modified Base64 for URLs, which replaces the + and / characters of the Base64 output with - (hyphen) and _ (underscore), respectively, to make the URL safe (see RFC 4648 for additional information). It should look similar to this:

bj01fgT85mUiRmzxxSufSmlGpiI

Additionally, it is important to note that the padding = (if any) should be removed from the base64 encoded string.

Step 7: Building the final request URL

Construct the final deeplink URL as shown below:

Domain + Endpoint + Encoded Deeplink URL + outboundEndDateTime (encoded) + originTLA + returnStartDateTime (encoded) + destinationTLA + bookingDateTime (encoded) + partnerId + attachDL + signature

Example:

https://www.expedia.com/xsell-redirect-pwa?url=https%3A%2F%2Fexpedia.com%2Fgo%2Fhotel%2Fsearch%2FDestination%2F2025-12-22%2F2025-12-25%3Fmdpcid%3DExpedia-IE.DPS.Expedia.ExtFlightEmail-Xsell_CTA.Hotel%26CityName%3DORD%26SortBy%3Ddistance%26NumRoom%3D1%26NumAdult1%3D3%26NumChild1%3D2%26Rm1child1age%3D9%26Rm1child2age%3D6&outboundEndDateTime=2025-10-30T20%3A12%3A17.928020Z&destinationTLA=LAS&returnStartDateTime=2025-11-10T20%3A12%3A17.928020Z&originTLA=JFK&bookingDateTime=2025-07-25T20%3A12%3A17.928020Z&attachDL=true&partnerId=new-pwa-xsell-testing-airnz&signature=3WQjtTHsSCRxrogs3xhY7edWfgE

Step 8: Embed the final URL in the airline post-booking path (e.g. email)

Checklist

Please ensure the following:

• Signature
  • Signature is in the correct format (Base64), not Hexadecimal.
  • Signature is treated as an integer (not a string) when converting to Base64 encoding.
    • Replace + for - from the signature if necessary (Base64 encoding should do this automatically): m6y13j0747-x/h81wEzR9jE1fco=
    • Replace / for _ from the signature if necessary(Base64 encoding should do this automatically): m6y13j0747-x_h81wEzR9jE1fco=
  • Remove Padding = (if any) from the Base64 encoded string.
  • Signature is exactly 27 characters long.
  • Secret key is not publicly visible on the client side; it should only be used on the server side to generate the signature.
• Parameters
  • All parameter values are percent-encoded UTF-8.
  • All required parameters are passed.
• Domain and endpoint
  • Endpoint is correct /xsell-redirect-pwa
• Final Request URL should be combination of Domain + Endpoint + Encoded Deeplink URL + outboundEndDateTime (encoded) + originTLA + returnStartDateTime (encoded) + destinationTLA + bookingDateTime (encoded) + partnerId + attachDL + signature

Testing

Verify attach module prior to test/production deployment.

Verify the final request URL:

• The request will redirect to the property results page based on the search criteria in the encoded deeplink URL.

Note: Expedia solution supports a production environment only. Partner’s wishing to test in a pre-production will need to point their pre-production to Expedia’s production.