Basic Authentication

The XAP API Platform leverages Basic Authentication to validate each API request.

Why Basic Authentication?

Basic Authentication is an Internet standard (see Wikipedia entry), and if you have any experience in connecting to enterprise APIs, you have probably encountered it in the past.

Keeping Your Credentials Secure

Basic Authentication is simple but effective, but only as long as the credentials are kept on the server. All communication with Expedia APIs is over HTTPS, which means that your authentication header information is encrypted in transit. That protection does not apply if the authentication information is placed anywhere in pages or files that are downloaded to the user's browser.

Unless specifically noted in the documentation, all Expedia APIs are intended to be accessed by a server-side application, which then places the information from the API response into the files downloaded to the user. Any Expedia API that is designed to be accessed directly from the client page or application will not require an authorization string.

Implementing Basic Authentication

If you have not already worked with Basic Authentication, you will find that it is not very complicated. All you need is your Expedia-issued API Key (which you may have already) and an Expedia-issued password, both of which you can get from your Expedia representative.

Step 1 – Building the String

The first step in the process is to build the Authentication String. The string is structured like this:

[key]:[password]

Once you insert your actual key and password for the [placeholder] elements, the example version might look like this:

9x9x9x-9x9x9x-9x9x9x9x9:a1b2c3d4e5f6

Note: Make sure that you have not included any space characters in the string as these will invalidate it.

Step 2 – Encoding to Base64

The authorization string above must be encoded using Base64 Encoding. If you do not have an application that can do this you can find many free ones online (such as base64encode.org). Simply enter the authorization string and click 'encode'.

The result will look something like this:

OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Step 3 – Constructing the Header Parameter

Now that you have the Base64-encoded string, you need to create the authorization string. The structure of the string looks like this:

'Basic' + ' ' + [base64-encoded key and password]

So, put the word 'Basic' in front of the Base64-encoded string with one blank space between them:

Basic OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Step 4 – Placing in the Header

Once you have your encoded authorization string you only need to place it in the header of each API request.

The name of the API Header element that you'll be using is Authorization, so the final authorization header string looks like this:

Authorization:Basic OXg5eDl4LTl4OXg5eC05eDl4OXg5eDk6YTFiMmMzZDRlNWY2

Once you have created your authorization string you can use it in any API header where you are also using the partner key.

Note: The partner key is included twice in each header, once by itself in the Key element, and then once more within the Base64-encoded Authorization string. Both are required for valid API calls.
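Steps 1 to 4 done locally in server-side code, so the credentials are never pasted into a third-party encoder. This is an added example, not Expedia's own code. The environment variable names and the helper names are assumptions, and the `Key` header name is taken from the note above. It also decodes the header again to show that Base64 is reversible, which is why the value must be masked in logs and kept out of anything sent to the browser.

```python
import base64
import os


def build_auth_headers(key: str, password: str) -> dict:
    """Steps 1-4: key:password -> Base64 -> 'Basic <b64>' -> request headers."""
    for name, value in (("key", key), ("password", password)):
        if not value:
            raise ValueError(f"{name} is empty")
        # The page warns that space characters invalidate the string.
        if any(ch.isspace() for ch in value):
            raise ValueError(f"{name} contains whitespace")
    # A colon inside the key would move the key/password boundary on decode.
    if ":" in key:
        raise ValueError("key contains ':'")
    token = base64.b64encode(f"{key}:{password}".encode("utf-8")).decode("ascii")
    return {"Key": key, "Authorization": f"Basic {token}"}


def decode_basic(header_value: str) -> tuple:
    """Recover (key, password) from a header value: Base64 is not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    key, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return key, password


def redact(headers: dict) -> dict:
    """Return a copy of the headers that is safe to write to logs."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Basic <redacted>"
    return safe


def headers_from_env() -> dict:
    """Load credentials server-side; the variable names are assumptions."""
    return build_auth_headers(os.environ["XAP_API_KEY"], os.environ["XAP_API_PASSWORD"])


if __name__ == "__main__":
    # Sample values from this page (placeholders, not real credentials).
    h = build_auth_headers("9x9x9x-9x9x9x-9x9x9x9x9", "a1b2c3d4e5f6")
    print(redact(h))
    print(decode_basic(h["Authorization"]))
```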
