General information

Sabre advisories

Our REST API technical documentation contains confidential and proprietary information belonging to Sabre®, which cannot be used or disclosed by you for any purpose other than those purposes that are expressly authorized by Sabre in your written agreement with Sabre.

The air content in our certification, a.k.a., Sandbox, or production environments are currently available for certain origins and destinations located in the United States, Puerto Rico, and the U.S. Virgin Islands.

The data that an API retrieves depends on the origin, destination, and other request parameters, the geographic territories or points of sale for which that data is available and other restrictions, all as determined by Sabre in its discretion. Suppliers may vary. The source for all air content is the Sabre® GDS (unless expressly stated otherwise). Consult the respective REST API documentation page for variances in the data that individual APIs use in production.

Security

All request and response exchanges are sent over Hypertext Transfer Protocol Secure (HTTPS).

All security is based on Secure Sockets Layer (SSL) and a valid authentication token, called an OAuth token. Authentication is based on the OAuth 2.0 specification. If you have not obtained an OAuth token, see the authentication page for steps on how to obtain a token and then make subsequent API calls.

Client requests that handle sensitive information must be encrypted using SSL from a third party device or server to the Sabre API endpoints and URIs.

Stateless services

All Sabre® REST APIs are stateless.

Sabre configures your OAuth token with authorization to make subsequent Sabre REST API calls. If your token expires, you must request a new token. See below: the concurrent transactions information for details on maximum values for concurrent transactions and OAuth tokens. If you have not obtained an OAuth token, see the authentication page for steps on how to obtain a token and then make subsequent API calls.

Token and transaction limits

We strongly advise that you code to the below token and transaction limits as part of your workflow.

Access tokens

OAuth 2.0 tokens have a finite lifetime and must be refreshed. Design a workflow that detects when an access token expires.

For example, you can keep track of the expires_in value returned in the response. This value is expressed in seconds. You can also write code to the error response 401 Unauthorized from the API endpoint when an expired token is detected.

Concurrent transactions

If the concurrent-transactions per second limits are exceeded for an API, the system will throttle the requests and respond with a 429 too many requests error. We strongly advise that you write code to this error response as part of your workflow. Please contact us if you wish to increase the allowed number of concurrent requests for any API.

See the status codes and errors page for a full list of authentication errors.

API standards

Sabre REST APIs use the data structures that JavaScript Object Notation (JSON) defines for its data-interchange format. See also: json.org for more information regarding data types.

Our REST APIs strictly define values that you can pass as request parameters. Refer to each REST API documentation page to identify the data type and description for each parameter in the request and all elements in the response.

API versioning

Each of our REST APIs is versioned. When any of these APIs are called, an application must include the API version in the request URI, in the form of vn, where n represents the version number. See also: the endpoints and URIs page for each of our REST API methods and endpoints.

Example

https://api.sabre.com/v1/shop/flights/fares?origin=ATL&destination=LAS&lengthofstay=3

Version compatibility

  • Changes to existing API versions: an existing API version will receive fixes and minor changes that expose new behavior when the changes are backward compatible and do not impact clients negatively.
  • New API versions: a new API version will be added when new functionality and major changes are not backward compatible.
  • Multiple concurrent versions: Sabre will maintain multiple concurrent versions of an API. Before a version becomes obsolete, Sabre will provide adequate notification, including on the applicable API documentation page, before removing the version from service.

Workflow for using our REST APIs

  1. Format an HTTPS request header and include your client ID. See also: the authentication page for instructions and to construct your client ID.
  2. Call the OAuth authentication service using the POST method to log in your client and authenticate to the server.
  3. If successful, your application receives an OAuth token. Format an HTTPS request header and include your OAuth token.
  4. Format an HTTPS request header and include your OAuth token to the appropriate URL for the API you want to call. See also: the authentication page for instructions on how to process the authentication response and make subsequent calls
  5. After you receive the response, you can continue to make more API calls.

Supported point of sale countries

Some of our REST APIs return fares eligible for sale in the US. Unless specified otherwise, the default value for the pointofsalecountry request parameter is the U.S.

View more information on point of sale and a list supported point of sale countries.

Docs Navigation