Authentication

Overview

Customers must authenticate before they can make authorized calls to Sabre APIs.

Sabre APIs support two authentication mechanisms: sessionless tokens and session tokens. Tokens are mapped to a single Pseudo City Code (PCC), a credential that identifies the travel provider, stores private data unique to a specific customer, and determines your authorization to call the published APIs that you request. Therefore, you must use this token in all Sabre API calls.

Understanding the role of sessioned and sessionless transactions is critical to interacting with Sabre APIs. See the Best Practices section for all things session/sessionless.

What's new

  • You can now authenticate to the Sabre APIs infrastructure without the need for sessions using sessionless tokens.
  • Check the "API Information" boxes we’re rolling out across documentation pages on Dev Studio, starting with APIs that support sessionless tokens. These boxes contain critical information about our APIs, such as the supported authentication method.
  • Check out our new Session and Sessionless Token workflow for a typical shopping and booking process which combines session and sessionless tokens.
  • See what developers are saying are the Top 5 reasons to go sessionless.

Session token: basic steps

Step 1: Get a session token

Make a call to the Create Session API (SessionCreateRQ) with your Sabre APIs credentials to get a session token. See the SOAP basics: environments page for the testing and production endpoints.

Note: the below steps include required parameters only. See the Create Session API (SessionCreateRQ) for more information on the optional parameters available for this API.

Field Description
eb:Action The SessionCreateRQ action code
wsse:Username Your Sabre APIs user name
wsse:Password Your Sabre APIs password
Organization The Internet Pseudo City Code or airline code (Note: this value must match the value in <eb:CPAId> and <PseudoCityCode>)
Domain A Sabre extension that specifies a domain location that is associated with the Sabre APIs user name, password, and organization (usually DEFAULT for TN-based subscribers or an airline code for SabreSonic-based subscribers)

This step assumes you have obtained the security credentials necessary to access and call SOAP-based Sabre APIs. Contact your Sabre representative for details.

An example of a session token request is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsd="http://www.w3.org/1999/XMLSchema">
    <SOAP-ENV:Header>
        <eb:MessageHeader SOAP-ENV:mustUnderstand="1" eb:version="1.0">
            <eb:ConversationId/>
            <eb:From>
                <eb:PartyId type="urn:x12.org:IO5:01">999999</eb:PartyId>
            </eb:From>
            <eb:To>
                <eb:PartyId type="urn:x12.org:IO5:01">123123</eb:PartyId>
            </eb:To>
            <eb:CPAId>IPCC</eb:CPAId>
            <eb:Service eb:type="OTA">SessionCreateRQ</eb:Service>
            <eb:Action>SessionCreateRQ</eb:Action>
            <eb:MessageData>
                <eb:MessageId>1000</eb:MessageId>
                <eb:Timestamp>2001-02-15T11:15:12Z</eb:Timestamp>
                <eb:TimeToLive>2001-02-15T11:15:12Z</eb:TimeToLive>
            </eb:MessageData>
        </eb:MessageHeader>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/12/utility">
            <wsse:UsernameToken> 
                <wsse:Username>USERNAME</wsse:Username>
                <wsse:Password>PASSWORD</wsse:Password>
                <Organization>IPCC</Organization>
                <Domain>DEFAULT</Domain> 
            </wsse:UsernameToken>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <eb:Manifest SOAP-ENV:mustUnderstand="1" eb:version="1.0">
            <eb:Reference xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="cid:rootelement" xlink:type="simple"/>
        </eb:Manifest>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
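
The request above can also be built with an XML library rather than a string template, so that credential values containing &, < or > are escaped and cannot alter the envelope. The following is an added example, not code from Sabre; the function name, the five-minute TimeToLive and the default PartyId values (copied from the sample above) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
EB = "http://www.ebxml.org/namespaces/messageHeader"
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
XLINK = "http://www.w3.org/1999/xlink"
for _prefix, _uri in (("SOAP-ENV", SOAP), ("eb", EB), ("wsse", WSSE), ("xlink", XLINK)):
    ET.register_namespace(_prefix, _uri)


def _el(parent, ns, tag, text=None, **attrs):
    """Append a child element; ElementTree escapes text and attributes on output."""
    child = ET.SubElement(parent, f"{{{ns}}}{tag}" if ns else tag, attrs)
    child.text = text
    return child


def _stamp(moment):
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_session_create(username, password, pcc, domain="DEFAULT",
                         from_party="999999", to_party="123123", message_id="1000"):
    """Build a SessionCreateRQ envelope shaped like the sample request."""
    flags = {f"{{{SOAP}}}mustUnderstand": "1", f"{{{EB}}}version": "1.0"}
    now = datetime.now(timezone.utc)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = _el(env, SOAP, "Header")
    mh = ET.SubElement(header, f"{{{EB}}}MessageHeader", flags)
    _el(mh, EB, "ConversationId")
    _el(_el(mh, EB, "From"), EB, "PartyId", from_party, type="urn:x12.org:IO5:01")
    _el(_el(mh, EB, "To"), EB, "PartyId", to_party, type="urn:x12.org:IO5:01")
    _el(mh, EB, "CPAId", pcc)
    ET.SubElement(mh, f"{{{EB}}}Service", {f"{{{EB}}}type": "OTA"}).text = "SessionCreateRQ"
    _el(mh, EB, "Action", "SessionCreateRQ")
    data = _el(mh, EB, "MessageData")
    _el(data, EB, "MessageId", message_id)
    _el(data, EB, "Timestamp", _stamp(now))
    # Assumption: a five-minute lifetime; the sample request does not state a policy.
    _el(data, EB, "TimeToLive", _stamp(now + timedelta(minutes=5)))
    token = _el(_el(header, WSSE, "Security"), WSSE, "UsernameToken")
    _el(token, WSSE, "Username", username)
    _el(token, WSSE, "Password", password)
    # Organization is filled from the same argument as CPAId, so the two always match.
    _el(token, None, "Organization", pcc)
    _el(token, None, "Domain", domain)
    manifest = ET.SubElement(_el(env, SOAP, "Body"), f"{{{EB}}}Manifest", flags)
    ET.SubElement(manifest, f"{{{EB}}}Reference",
                  {f"{{{XLINK}}}href": "cid:rootelement", f"{{{XLINK}}}type": "simple"})
    return ET.tostring(env, encoding="unicode")
```
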

Session token response

If the request is valid, the API will send a response that contains the session token and conversation ID.

Field Description
wsse:BinarySecurityToken The session token that should be used for subsequent requests

An example of a session token response is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
    <soap-env:Header>
        <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" eb:version="1.0" soap-env:mustUnderstand="1">
            <eb:From>
                <eb:PartyId eb:type="URI">123123</eb:PartyId>
            </eb:From>
            <eb:To>
                <eb:PartyId eb:type="URI">999999</eb:PartyId>
            </eb:To>
            <eb:CPAId>IPCC</eb:CPAId>
            <eb:ConversationId>YourConversationId</eb:ConversationId>
            <eb:Service eb:type="sabreXML">SessionCreateRS</eb:Service>
            <eb:Action>SessionCreateRS</eb:Action>
            <eb:MessageData>
                <eb:MessageId>be5031b4-f539-47e0-8a34-8db0e7b8c7bb@19</eb:MessageId>
                <eb:Timestamp>2015-09-30T15:22:20</eb:Timestamp>
                <eb:RefToMessageId>1000</eb:RefToMessageId>
            </eb:MessageData>
        </eb:MessageHeader>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wsse:BinarySecurityToken valueType="String" EncodingType="wsse:Base64Binary">Shared/IDL:IceSess\/SessMgr:1\.0.IDL/Common/!ICESMS\/RESH!ICESMSLB\/RES.LB!-3485631637434281295!472007!0</wsse:BinarySecurityToken>
        </wsse:Security>
    </soap-env:Header>
    <soap-env:Body>
        <eb:Manifest xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" eb:id="Manifest" eb:version="1.0">
            <eb:Reference eb:id="SessionCreateRS" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="cid:SessionCreateRS">
                <eb:Description xml:lang="en-US">Session Create Response Message</eb:Description>
            </eb:Reference>
        </eb:Manifest>
    </soap-env:Body>
</soap-env:Envelope>

Store the session token from <wsse:BinarySecurityToken> for step 2.

If the request is not valid, the server returns the following error message:

<soap-env:Body>
    <soap-env:Fault>
        <faultcode>soap-env:Client.InvalidSecurityToken</faultcode>
        <faultstring>Invalid or Expired binary security token: Shared/IDL:IceSess\/SessMgr:1\.0.IDL/Common/!ICESMS\/RESB!ICESMSLB\/RES.LB!-4766997140656846583!105529!0</faultstring>
        <detail>
            <StackTrace>com.sabre.universalservices.base.session.SessionException: errors.session.USG_INVALID_SECURITY_TOKEN</StackTrace>
        </detail>
    </soap-env:Fault>
</soap-env:Body>

See the status codes and errors page for a full list of authentication errors.
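
The fault shown above echoes the full session token in <faultstring>, so writing the raw fault to a log also writes a credential. The following added example (not code from Sabre) parses a SessionCreateRS, returns the token and conversation ID, and raises an exception whose message has the token redacted; the sample responses are constructed, and the token prefixes used for redaction are taken from the samples on this page and are an assumption about the format.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "eb": "http://www.ebxml.org/namespaces/messageHeader",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/12/secext",
}
# Assumption: tokens look like this page's samples ("Shared/IDL:..." or "T1RL...").
TOKEN_RE = re.compile(r"(?:Shared/IDL:|T1RL)[^\s<]+")

# Constructed responses, trimmed from the page's examples; the token is a placeholder.
SAMPLE_OK = """<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Header>
    <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader">
      <eb:ConversationId>YourConversationId</eb:ConversationId>
    </eb:MessageHeader>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wsse:BinarySecurityToken>Shared/IDL:EXAMPLE!-1111!2222!0</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap-env:Header>
  <soap-env:Body/>
</soap-env:Envelope>"""
SAMPLE_FAULT = """<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
    <soap-env:Fault>
      <faultcode>soap-env:Client.InvalidSecurityToken</faultcode>
      <faultstring>Invalid or Expired binary security token: Shared/IDL:EXAMPLE!-1111!2222!0</faultstring>
    </soap-env:Fault>
  </soap-env:Body>
</soap-env:Envelope>"""


class SabreFault(Exception):
    """SOAP fault whose message is safe to log (token already redacted)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def redact(text):
    """Replace anything shaped like a token so it never reaches logs or tickets."""
    return TOKEN_RE.sub("[REDACTED-TOKEN]", text or "")


def parse_session_response(xml_text):
    """Return (token, conversation_id), or raise SabreFault with the token redacted."""
    root = ET.fromstring(xml_text)
    fault = root.find(".//soap:Fault", NS)
    if fault is not None:
        raise SabreFault(fault.findtext("faultcode", ""),
                         redact(fault.findtext("faultstring", "")))
    token = root.findtext(".//wsse:Security/wsse:BinarySecurityToken", namespaces=NS)
    conversation = root.findtext(".//eb:MessageHeader/eb:ConversationId", namespaces=NS)
    if not token or not token.strip():
        raise ValueError("response carries no BinarySecurityToken")
    return token.strip(), (conversation or "").strip()
```
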

Step 2: Call the SOAP API

You are now ready to make subsequent Sabre® SOAP API calls. Place the session token from the SessionCreateRS response in step 1 (above) in the <eb:BinarySecurityToken> element of the request's security header. We recommend you reuse the same session token for multiple requests, until it expires.

Field Description
wsse:BinarySecurityToken The session token obtained from step 1 in the session token response

An example of a subsequent request (with security credentials in the header) to the Hotel Availability API (OTA_HotelAvailRQ) is shown below:

<?xml version='1.0' encoding='UTF-8'?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Header>
            <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" SOAP-ENV:mustUnderstand="0">
                <eb:From>
                    <eb:PartyId eb:type="urn:x12.org:IO5:01">from</eb:PartyId>
                </eb:From>
                <eb:To>
                    <eb:PartyId eb:type="urn:x12.org:IO5:01">ws</eb:PartyId>
                </eb:To>
                <eb:CPAId>YOURPCC</eb:CPAId>
                <eb:ConversationId>YourConversationId</eb:ConversationId>
                <eb:Service eb:type="sabreXML"></eb:Service>
                <eb:Action>OTA_HotelAvailLLSRQ</eb:Action>
            </eb:MessageHeader>
            <eb:Security xmlns:eb="http://schemas.xmlsoap.org/ws/2002/12/secext" SOAP-ENV:mustUnderstand="0">
                <eb:BinarySecurityToken>Shared/IDL:IceSess\/SessMgr:1\.0.IDL/Common/!ICESMS\/CERTG!ICESMSLB\/CRT.LB!-3488060046525942493!102430!0</eb:BinarySecurityToken>
            </eb:Security>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body>
            <eb:OTA_HotelAvailRQ xmlns:eb="http://webservices.sabre.com/sabreXML/2003/07" TimeStamp="2011-01-26T12:30:00-06:00" Version="1.10.1">
                <eb:POS>
                    <eb:Source PseudoCityCode="YOURPCC" /></eb:POS>
                <eb:AvailRequestSegments>
                    <eb:AvailRequestSegment>
                        <eb:StayDateRange Start="11-10" End="11-15" />
                        <eb:RoomStayCandidates>
                            <eb:RoomStayCandidate>
                                <eb:GuestCounts>
                                    <eb:GuestCount Count="1" /></eb:GuestCounts>
                            </eb:RoomStayCandidate>
                        </eb:RoomStayCandidates>
                        <eb:HotelSearchCriteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="eb:HotelSearchCriteria_type0">
                            <eb:Criterion>
                                <eb:HotelRef HotelCityCode="DFW" /></eb:Criterion>
                        </eb:HotelSearchCriteria>
                    </eb:AvailRequestSegment>
                </eb:AvailRequestSegments>
            </eb:OTA_HotelAvailRQ>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Step 3: Close the session

Call the Close Session API (SessionCloseRQ) with the session token obtained from the previous steps to close the connection and release the allocated host resources to your TAM pool.

An example of a close session request is shown below:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
        <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" eb:version="1.0" SOAP-ENV:mustUnderstand="1">
            <eb:From>
                <eb:PartyId eb:type="URI">123123</eb:PartyId>
            </eb:From>
            <eb:To>
                <eb:PartyId eb:type="URI">999999</eb:PartyId>
            </eb:To>
            <eb:CPAId>IPCC</eb:CPAId>
            <eb:ConversationId>YourConversationId</eb:ConversationId>
            <eb:Service eb:type="sabreXML">SessionCloseRQ</eb:Service>
            <eb:Action>SessionCloseRQ</eb:Action>
            <eb:MessageData>
                <eb:MessageId>ba8a19cc-7fdc-443c-bc97-b86100b4c332@33</eb:MessageId>
                <eb:RefToMessageId>1000</eb:RefToMessageId>
                <eb:Timestamp>2005-10-31T21:13:02</eb:Timestamp>
            </eb:MessageData>
        </eb:MessageHeader>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wsse:BinarySecurityToken valueType="String" EncodingType="wsse:Base64Binary">Shared/IDL:IceSess\/SessMgr:1\.0.IDL/Common/!ICESMS\/RESB!ICESMSLB\/RES.LB!-4766997140656846583!105529!0</wsse:BinarySecurityToken>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <eb:SessionCloseRQ xmlns:eb="http://webservices.sabre.com/sabreXML/2003/07" TimeStamp="2011-01-26T12:30:00-06:00" Version="1.0.1">
            <eb:POS>
                <eb:Source PseudoCityCode="IPCC" />
            </eb:POS>
        </eb:SessionCloseRQ>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Note: If an application does not make use of SessionCloseRQ, it risks running out of system resources.

Step 4: Handle sessions and token expirations

We recommend you design logic to handle token expirations using the handling session token expirations best practices.

Sessionless token: basic steps

Step 1: Get an access token

Make a call to the Create Access Token API (TokenCreateRQ) with your Sabre APIs credentials to get an access token. See the SOAP basics: environments page for the testing and production endpoints.

Note: the below steps include required parameters only. See the Create Access Token API (TokenCreateRQ) for more information on the optional parameters available for this API.

Field Description
eb:Action The TokenCreateRQ action code
wsse:Username Your Sabre APIs user name
wsse:Password Your Sabre APIs password
Organization The Internet Pseudo City Code or airline code (Note: this value must match the value in <eb:CPAId> and <PseudoCityCode>)
Domain A Sabre extension that specifies a domain location that is associated with the Sabre APIs user name, password, and organization (usually DEFAULT for TN-based subscribers or an airline code for SabreSonic-based subscribers)

This step assumes you have obtained the security credentials necessary to access and call SOAP-based Sabre APIs. Contact your Sabre representative for details.

An example of an access token request is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsd="http://www.w3.org/1999/XMLSchema">
    <SOAP-ENV:Header>
        <eb:MessageHeader SOAP-ENV:mustUnderstand="1" eb:version="1.0">
            <eb:ConversationId/>
            <eb:From>
                <eb:PartyId type="urn:x12.org:IO5:01">999999</eb:PartyId>
            </eb:From>
            <eb:To>
                <eb:PartyId type="urn:x12.org:IO5:01">123123</eb:PartyId>
            </eb:To>
            <eb:CPAId>IPCC</eb:CPAId>
            <eb:Service eb:type="OTA">TokenCreateRQ</eb:Service>
            <eb:Action>TokenCreateRQ</eb:Action>
            <eb:MessageData>
                <eb:MessageId>1000</eb:MessageId>
                <eb:Timestamp>2001-02-15T11:15:12Z</eb:Timestamp>
                <eb:TimeToLive>2001-02-15T11:15:12Z</eb:TimeToLive>
            </eb:MessageData>
        </eb:MessageHeader>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wsse:UsernameToken>
                <wsse:Username>USERNAME</wsse:Username>
                <wsse:Password>PASSWORD</wsse:Password>
                <Organization>IPCC</Organization>
                <Domain>DEFAULT</Domain>
            </wsse:UsernameToken>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <eb:Manifest SOAP-ENV:mustUnderstand="1" eb:version="1.0">
            <eb:Reference xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="cid:rootelement" xlink:type="simple"/>
        </eb:Manifest>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Access token response

If the request is valid, the API will send a response that contains the access token.

Field Description
wsse:BinarySecurityToken The access token that should be used for subsequent requests

An example of an access token response is shown below:

<?xml version="1.0" encoding="UTF-8"?>
    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
        <soap-env:Header>
            <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" eb:version="1.0" soap-env:mustUnderstand="1">
                <eb:From>
                    <eb:PartyId eb:type="URI">123123</eb:PartyId>
                </eb:From>
                <eb:To>
                    <eb:PartyId eb:type="URI">999999</eb:PartyId>
                </eb:To>
                <eb:CPAId>IPCC</eb:CPAId>
                <eb:ConversationId>YourConversationId</eb:ConversationId>
                <eb:Service eb:type="sabreXML">TokenCreateRS</eb:Service>
                <eb:Action>TokenCreateRS</eb:Action>
                <eb:MessageData>
                    <eb:MessageId>be5031b4-f539-47e0-8a34-8db0e7b8c7bb@19</eb:MessageId>
                    <eb:Timestamp>2015-09-30T15:22:20</eb:Timestamp>
                    <eb:RefToMessageId>1000</eb:RefToMessageId>
                </eb:MessageData>
            </eb:MessageHeader>
            <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
                <wsse:BinarySecurityToken valueType="String" EncodingType="wsse:Base64Binary">T1RLAQKvhOegyUujiZpE+uDAjHHmRfRmxRDDuJCPlszyUSmyhKGXWR0JAACgeveXEFWUPWzsmw9+Ihd9BSDYEtpikXHi8yJ9iW7vXgJpDNqnktLD4W8P7UP3zdra5szeuNXQB3yNbkjcK+3Vl1Gr/f8g00qU8ZhtzIBVz/PoD48GuaxNH7/Uq7ZztI1bXu7ve9NEW6tVsp6qxbt9Jatn/B5IXf2t+T7S2l5QJU46kNg3r1H0ndhCp/pDwVT3FIo8sVSnWNZbIvUhrH6gQg**</wsse:BinarySecurityToken>
            </wsse:Security>
        </soap-env:Header>
        <soap-env:Body>
            <eb:Manifest xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" eb:id="Manifest" eb:version="1.0">
                <eb:Reference eb:id="TokenCreateRS" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="cid:TokenCreateRS">
                    <eb:Description xml:lang="en-US">Token Create Response Message</eb:Description>
                </eb:Reference>
            </eb:Manifest>
        </soap-env:Body>
    </soap-env:Envelope>

Store the access token from <wsse:BinarySecurityToken> for step 2.

If the request is invalid, the server returns an error message. See the status codes and errors page for a full list of authentication errors.

Step 2: Call the Bargain Finder Max API

You are now ready to make subsequent Bargain Finder Max API calls. Place the access token from the TokenCreateRS response in step 1 (above) in the <eb:BinarySecurityToken> element of the request's security header. We recommend you reuse the same access token for multiple requests, until it expires.

Field Description
wsse:BinarySecurityToken The access token obtained from step 1 in the access token response
eb:Action Identifies the action that acts on the service. Sample value: <eb:Action>BargainFinderMaxRQ</eb:Action>

Part of an example of a subsequent request (with security credentials in the header) to the Bargain Finder Max API is shown below:

<?xml version='1.0' encoding='UTF-8'?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Header>
            <eb:MessageHeader xmlns:eb="http://www.ebxml.org/namespaces/messageHeader" SOAP-ENV:mustUnderstand="0">
                <eb:From>
                    <eb:PartyId eb:type="urn:x12.org:IO5:01">from</eb:PartyId>
                </eb:From>
                <eb:To>
                    <eb:PartyId eb:type="urn:x12.org:IO5:01">ws</eb:PartyId>
                </eb:To>
                <eb:CPAId>YOURPCC</eb:CPAId>
                <eb:ConversationId>YourConversationId</eb:ConversationId>
                <eb:Service eb:type="sabreXML"></eb:Service>
                <eb:Action>BargainFinderMaxRQ</eb:Action>
            </eb:MessageHeader>
            <eb:Security xmlns:eb="http://schemas.xmlsoap.org/ws/2002/12/secext" SOAP-ENV:mustUnderstand="0">
                <eb:BinarySecurityToken>T1RLAQKvhOegyUujiZpE+uDAjHHmRfRmxRDDuJCPlszyUSmyhKGXWR0JAACgeveXEFWUPWzsmw9+Ihd9BSDYEtpikXHi8yJ9iW7vXgJpDNqnktLD4W8P7UP3zdra5szeuNXQB3yNbkjcK+3Vl1Gr/f8g00qU8ZhtzIBVz/PoD48GuaxNH7/Uq7ZztI1bXu7ve9NEW6tVsp6qxbt9Jatn/B5IXf2t+T7S2l5QJU46kNg3r1H0ndhCp/pDwVT3FIo8sVSnWNZbIvUhrH6gQg**</eb:BinarySecurityToken>
            </eb:Security>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body>
            <eb:OTA_AirLowFareSearchRQ...
              ...
                    ...
                       [NOTE: see Bargain Finder Max API 
                       documentation for a sample request.]
                    ...
              ...
            </eb:OTA_AirLowFareSearchRQ>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Note: the access token should not be passed to any subsequent Sabre® SOAP API calls.

Step 3: Handle token expirations

We recommend you design logic to handle token expirations using the handling sessionless token expirations best practices.
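
One way to follow the reuse recommendation in step 2 and the expiration handling in step 3 is to hold a single access token, share it across requests, and request a new one only when a call reports the token as invalid. The following is an added example, not code from Sabre: the TokenManager class, the InvalidSecurityToken exception and the create_token and send callables are hypothetical, and it assumes an expired sessionless token surfaces as the Client.InvalidSecurityToken fault shown in the session token section.

```python
import threading


class InvalidSecurityToken(Exception):
    """Hypothetical: raised by the caller's transport when the API returns
    a Client.InvalidSecurityToken fault."""


class TokenManager:
    """Share one access token across requests and refresh it once on expiry."""

    def __init__(self, create_token):
        # create_token: caller-supplied function that performs TokenCreateRQ
        # and returns the token string.
        self._create_token = create_token
        self._lock = threading.Lock()
        self._token = None
        self.created = 0  # number of TokenCreateRQ calls made, for monitoring

    def _current(self, stale=None):
        with self._lock:
            # Refresh only when there is no token yet, or when the token this
            # caller saw fail is still the current one. If another thread has
            # already replaced it, reuse the replacement instead of asking for
            # one more token per failed request.
            if self._token is None or self._token == stale:
                self._token = self._create_token()
                self.created += 1
            return self._token

    def call(self, send):
        """Run send(token); on expiry, fetch a fresh token and retry exactly once."""
        token = self._current()
        try:
            return send(token)
        except InvalidSecurityToken:
            # A second failure propagates: retrying in a loop would hide a
            # credential or authorization problem behind repeated token requests.
            return send(self._current(stale=token))

    def __repr__(self):
        # Never include the token itself in a representation that may be logged.
        return f"<TokenManager token={'set' if self._token else 'unset'}>"
```
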
