Authentication and Authorization

Accessing the XAP APIs requires a pair of authentication identifiers, the XAP API Key and the Authorization string, which you must pass in every request.

How to identify the API user in a request

Every request to an XAP API endpoint must identify the API user that is sending the request.

Each API user has a unique pair of identifiers (your API Key and your Authorization string) that grant access to the XAP API. You authenticate by sending both your API Key and your Authorization header in every request to an XAP API endpoint.

Key: <XAP-API-key>

Where XAP-API-key is the unique identifier shared with you during the onboarding process. Find out more here.

Authorization: <authorization-string>

See the Basic authentication page to learn more about the format of <authorization-string>.
Warning

Make sure your request uses HTTPS to ensure secure transmission of the Authorization header. A request sent over an unsecured (HTTP) connection will not work.

API Key and credentials Management

Follow this Get Started section to get your API Key and Authorization string.

Keeping Your Credentials Secure

To minimize the risk of misuse of your credentials, you must keep them secure.

Best practices for keeping your credentials secure

The following is a (non-exhaustive) list of recommendations that you can use to help you keep your API key secure.

Store the credentials securely:

  • Do not hard code your credentials in your application.
  • Do not expose your credentials in source control repositories, whether public or private.
  • Consider using a secrets management service to store and manage your credentials.

Actively control access to and maintain an API key:

  • Do not share your credentials with unauthorized users.
  • If you suspect your credentials have been compromised, revoke them immediately and then generate new ones.
  • Revoke the Key and credentials if you no longer need them.

Authentication

XAP APIs currently support only Basic Authentication to authenticate the API user. Basic Authentication is a simple authentication scheme built into the HTTP protocol. It is based on a challenge-response mechanism in which the client sends HTTP requests with an Authorization header containing a Base64-encoded string of the username and password.

Basic Authentication

Implementing Basic Authentication

If you have not already worked with Basic Authentication, you will find that it is not that complicated. All you need is your Expedia-issued username and password, both of which you can get from your Expedia representative.


Step 1 – Building the String

The first step in the process is to build the Authentication String. The string is structured like this:

[username]:[password]

Once you insert your actual username and password for the [placeholder] elements, the example version might look like this:

9x9x9x-9x9x9x-9x9x9x9x9:a1b2c3d4e5f6

Note: Make sure that you have not included any space characters in the string as these will invalidate it.

Step 2 – Encoding to Base64

The authorization string above must be encoded using Base64 Encoding. If you do not have an application that can do this you can find many free ones online (such as base64encode.org). Simply enter the authorization string and click 'encode'.

The result will look something like this:

OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Step 3 – Constructing the Header Parameter

Now that you have the Base64-encoded string, you need to create the authorization string. The structure of the string looks like this:

'Basic' + ' ' + [base64-encoded key and password]

So, put the word 'Basic' in front of the Base64-encoded string with one blank space between them:

Basic OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Step 4 – Placing in the Header

Once you have your encoded authorization string you only need to place it in the header of each API request.

The name of the API Header element that you'll be using is Authorization, so the final authorization header string looks like this:

Authorization: Basic OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Once you have created your authorization string you can use it in any API header where you are also using the partner key.

Note: The partner key is included twice in each header, once by itself in the Key element, and then once more within the Base64-encoded Authorization string. Both are required for valid API calls.
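The four steps above, carried out in code, as an added example rather than code from Expedia or the XAP documentation. Doing the encoding locally also means the username and password never have to be pasted into a third-party web page. The example assumes the conventions this page describes (a Key header carrying the partner key, and an Authorization header of the form Basic <base64(username:password)>); the environment variable names XAP_API_KEY and XAP_API_PASSWORD and the example.invalid URL are placeholders, not identifiers from the page. The sample username and password are the ones used in the worked example above, so the output can be compared with it.

```python
"""Build the two XAP request headers from a partner key and password.

Added example, not Expedia's own code. Steps 1-3 of the page produce the
Authorization value; step 4 places it beside the Key header. Credentials
are read from the environment rather than hard-coded, following the
'Keeping Your Credentials Secure' section.
"""
import base64
import os
import urllib.parse
import urllib.request


def build_basic_auth_value(username: str, password: str) -> str:
    """Steps 1-3: join with ':', Base64-encode, prefix with 'Basic '.

    Whitespace anywhere in the string invalidates it (page note under
    Step 1), and a colon in the username would be misread as the
    separator when the server decodes it, so both are rejected up front.
    """
    if not username or not password:
        raise ValueError("username and password must both be non-empty")
    for label, value in (("username", username), ("password", password)):
        if any(ch.isspace() for ch in value):
            raise ValueError(f"{label} must not contain whitespace")
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_xap_headers(partner_key: str, password: str) -> dict:
    """Step 4: the headers every XAP request carries.

    The page states the partner key appears twice: as the Key header and
    as the username inside the Basic credential.
    """
    return {
        "Key": partner_key,
        "Authorization": build_basic_auth_value(partner_key, password),
    }


def parse_basic_auth_value(value: str) -> tuple:
    """Decode an Authorization value back to (username, password).

    Useful for checking what a request will actually send. Splits on the
    first colon only, so a password that itself contains ':' round-trips.
    """
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return username, password


def load_credentials_from_env(key_var: str = "XAP_API_KEY",
                              password_var: str = "XAP_API_PASSWORD") -> tuple:
    """Read the partner key and password from the environment.

    The variable names are placeholders chosen for this example; pick
    whatever your secrets manager injects.
    """
    try:
        return os.environ[key_var], os.environ[password_var]
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc.args[0]}") from None


def build_request(url: str, headers: dict) -> urllib.request.Request:
    """Attach the headers to a GET request, refusing plain HTTP.

    The page's Warning: the credential must only travel over HTTPS, so a
    non-https URL is rejected here instead of leaking the header.
    """
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("XAP credentials must only be sent over HTTPS")
    return urllib.request.Request(url, headers=headers, method="GET")


if __name__ == "__main__":
    # Constructed sample values: the username and password from this page's
    # worked example, so the printed Authorization line should match it.
    headers = build_xap_headers("9x9x9x-9x9x9x-9x9x9x9x9", "a1b2c3d4e5f6")
    for name, value in headers.items():
        print(f"{name}: {value}")
```

In production, replace the constructed sample with `load_credentials_from_env()` and pass the resulting headers to `build_request()` with the real endpoint URL; `parse_basic_auth_value()` is there to confirm that what a client sends decodes back to the expected username and password.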

Possible errors

  • 401 - Access is denied due to invalid credentials.
  • 403 - The specified API user is authenticated, but does not have permission to access the requested endpoint.

For more information on how to deal with these errors, see Error handling.
