You must request authentication before you can make Sabre® REST API calls.

REST APIs use the OAuth 2.0 token protocol for authentication and authorization. Sabre configures your authentication credentials with authorization to call the published APIs that you request. You must use the resulting token in any type of client that you create.

What's new in v2

  • Access tokens are now sessionless—no Sabre session is allocated with authentication.
  • The lifetime of the access token has increased from 390 seconds to 604800 seconds.
  • Access tokens have a finite lifetime and must be refreshed. (See step 5: handle token expirations.)

Method and endpoint

POST /v2/auth/token

Basic steps

Step 1: Construct your Client ID

Construct your Client ID from your Sabre user ID, group and domain credentials, separating each value with a colon. The format looks like this:

| Field | Description |
| --- | --- |
| V1 | The service credential value of V1 (Note: V1 is a static value and is not tied to the v2 (OAuth token) authentication endpoint.) |
| userid | Your Sabre user ID |
| group | Your group (also accepts iPCC or organization) |
| domain | Your domain (if you normally use a default domain, use "AA") |

This step assumes you have obtained the security credentials to build your client ID. Contact your Sabre representative for details. You can also obtain these credentials by registering for a free account, which will grant you access to our certification environment.

Step 2: Base64 encode your credentials

Base64-encode your Client ID from step 1, then base64-encode your password separately. Join the encoded Client ID and the encoded password with a colon to make a concatenated string. The format looks like this:


An example of a concatenated, encoded Client ID and password is shown below:


Use a base64 encoding tool again to encode your concatenated string into a single base64 encoded string. An example of a single base64 encoded string is shown below:


Step 3: Get an access token

Access token request

Make an HTTPS POST to the authentication URL at {environment}/v2/auth/token.

| Field | Value | Description |
| --- | --- | --- |
| environment | | The production environment, a.k.a., PROD |
| environment | | The test environment, a.k.a., CERT or "Sandbox" (contains limited API data as compared to PROD) |
| header | Authorization: Basic {string} | The authorization header with {your single encoded base64 string} |
| header | Content-Type: application/x-www-form-urlencoded | The content type |
| payload | grant_type=client_credentials | The grant type |
| payload | source_ip | The client source IP (optional) |

An example of an access token request is shown below:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
Authorization: Basic ZVc5MWNtTnNhV1Z1ZEdsazplVzkxY21Oc2FXVnVkSE5sWTNKbGRBPT0=
Content-Type: application/x-www-form-urlencoded 
Accept: */*

Access token response

If the request is valid, the API will send a response that contains the access token.

| Field | Value | Description |
| --- | --- | --- |
| access_token | {your token} | This token must be sent to access a REST API |
| token_type | bearer | The type of token returned, which will always have a value of bearer |
| expires_in | 604800 | The lifetime of the access token in seconds (See the handle token expirations information) |

An example of an access token response is shown below:

{"access_token": "T1RLAQLGvbv8bgEDtkUluJb1dBDQ1WJTfBB0OC9XwItgref4u2AKisF4AACQbcNl4UPCzFwNMMXq8VKPTNgXra2nTzlC6Ys45kuwac6d7noUiUb1X+v7rRO5XcNiSUxyie/gPYlPsoZHOWjaQ1pUjDQHJuCZAJ0swMAm2oDiER5HRgCac57GommwHaQNqzTlr4mUgbY6PwQNllIeluAOtKi+42yP+4h7oaWrN/ibm5OWae7dNxDrcwZquGDM",
"token_type": "bearer",
"expires_in": 604800}

If the request is not valid, the server returns the following error message:

{"error":"invalid_client","error_description":"Credentials are missing or the syntax is not correct"}

If the request is unauthorized, the server returns the following error message:

{"error":"invalid_client","error_description":"Wrong clientID or clientSecret"}

See the status codes and errors page for a full list of authentication errors.

Step 4: Call the REST API

When you call a given REST API, send the access token in an Authorization header to the applicable environment, method and endpoint. We recommend that you reuse the same access token for multiple requests until it expires.

| Field | Value | Description |
| --- | --- | --- |
| environment | | The production environment, a.k.a., PROD |
| environment | | The test environment, a.k.a., CERT or "Sandbox" (contains limited API data as compared to PROD) |
| URI | {API method/endpoint} | The method and endpoint that applies to the REST API (See the endpoints and URIs page) |
| header | Authorization: Bearer {your token} | The authorization header with {your token} (See the handle token expirations information) |
| protocol | HTTP 1.1 | The standard protocol for REST APIs |

An example of a request to the Travel Theme Lookup API is shown below:

Authorization: Bearer T1RLAQLGvbv8bgEDtkUluJb1dBDQ1WJTfBB0OC9XwItgref4u2AKisF4AACQbcNl4UPCzFwNMMXq8VKPTNgXra2nTzlC6Ys45kuwac6d7noUiUb1X+v7rRO5XcNiSUxyie/gPYlPsoZHOWjaQ1pUjDQHJuCZAJ0swMAm2oDiER5HRgCac57GommwHaQNqzTlr4mUgbY6PwQNllIeluAOtKi+42yP+4h7oaWrN/ibm5OWae7dNxDrcwZquGDM

Note: It is assumed that you are calling a published REST API to which you have been granted access.

Step 5: Handle token expirations

We recommend that you design logic to handle token expirations, following the best practices for handling session token expirations.
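Steps 1 through 5 as one client-side sketch, added here as an example and not taken from Sabre's own code: it builds the Client ID, produces the double base64 credential, assembles the token request, and caches the token until shortly before it expires. Assumptions: the Client ID fields are joined in the order of the field table in step 1, `fetch_body` is a hypothetical caller-supplied function that performs the HTTPS POST and returns the response body, and the 300-second refresh margin is an arbitrary choice.

```python
import base64
import json
import time


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_client_id(userid, group, domain="AA"):
    # Step 1: V1 is the static service credential value; "AA" is the default domain.
    return ":".join(["V1", userid, group, domain])


def basic_credential(client_id, password):
    # Step 2: encode each part, join with ':', encode again. Reversible: keep out of logs.
    return _b64(_b64(client_id) + ":" + _b64(password))


def build_token_request(environment, client_id, password):
    # Step 3: returns (url, headers, body); the caller performs the POST.
    if not environment.startswith("https://"):
        raise ValueError("credentials must only be sent over HTTPS")
    headers = {"Authorization": "Basic " + basic_credential(client_id, password),
               "Content-Type": "application/x-www-form-urlencoded"}
    return environment.rstrip("/") + "/v2/auth/token", headers, "grant_type=client_credentials"


def parse_token_response(body):
    data = json.loads(body)
    if "error" in data:  # e.g. invalid_client
        raise PermissionError(data["error"] + ": " + data.get("error_description", ""))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return data["access_token"], int(data["expires_in"])


class TokenCache:
    """Steps 4 and 5: reuse one token, refresh shortly before it expires."""
    def __init__(self, fetch_body, skew=300, clock=time.time):
        # fetch_body (hypothetical) POSTs the step 3 request, returns the body text.
        self._fetch, self._skew, self._clock = fetch_body, skew, clock
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            token, lifetime = parse_token_response(self._fetch())
            self._token, self._expires_at = token, self._clock() + lifetime
        return {"Authorization": "Bearer " + self._token}
```

The sample Authorization header in step 3 is exactly what `basic_credential("yourclientid", "yourclientsecret")` returns, which shows that the header is only encoded, not encrypted, and must be protected like the password.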
