OAuth Token Create REST API


What is it?

This API is a utility service that exposes an authentication endpoint. The endpoint generates an ATK access token, which enables access to other Sabre APIs. It follows the OAuth2 specification to delegate access to Sabre's resources.

Why use it?

An access token connects you to Sabre APIs. Once created, the sessionless token may be used for multiple calls as long as it is valid and has not expired. Using access tokens is a more secure way to authenticate and authorize users, which is why Sabre restricts access using this approach.

How it works

Version v3 introduces the trusted developer application ClientID as an addition to user credentials (EPR and password), and a new grant_type, 'password'.

Accessing Sabre APIs works as follows:

  1. If you do not have user credentials (EPR - user-group-domain triplet) or a clientID, contact your account manager for provisioning.
  2. Call the /v3/auth/token API. In response you will get an access token.
  3. Use the access token in Sabre APIs business calls:
    • REST API: Authorization HTTP header with Bearer prefix, e.g.:

      Authorization: Bearer T1RLAQKvhOegyUujiZpE+uDAjHHmRfRmxRDDuJCPlszyUSmyhKGXWR0JAACgeveXEFWUPWzsmw9+Ihd9BSDYEtpikXHi8yJ9iW7vXgJpDNqnktLD4W8P7UP3zdra5szeuNXQB3yNbkjcK+3Vl1Gr/f8g00qU8ZhtzIBVz/PoD48GuaxNH7/Uq7ZztI1bXu7ve9NEW6tVsp6qxbt9Jatn/B5IXf2t+T7S2l5QJU46kNg3r1H0ndhCp/pDwVT3FIo8sVSnWNZbIvUhrH6gQg**

    • SOAP API: <wsse:BinarySecurityToken> element in <wsse:Security>, e.g.:

      ...
      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <wsse:BinarySecurityToken valueType="String" EncodingType="wsse:Base64Binary">T1RLAQKvhOegyUujiZpE+uDAjHHmRfRmxRDDuJCPlszyUSmyhKGXWR0JAACgeveXEFWUPWzsmw9+Ihd9BSDYEtpikXHi8yJ9iW7vXgJpDNqnktLD4W8P7UP3zdra5szeuNXQB3yNbkjcK+3Vl1Gr/f8g00qU8ZhtzIBVz/PoD48GuaxNH7/Uq7ZztI1bXu7ve9NEW6tVsp6qxbt9Jatn/B5IXf2t+T7S2l5QJU46kNg3r1H0ndhCp/pDwVT3FIo8sVSnWNZbIvUhrH6gQg**</wsse:BinarySecurityToken>
      </wsse:Security>
      ...

How to use

Send the request for acquiring an authentication ATK session token.

Endpoints information

Authentication

  1. Authentication without two-factor authentication

    The request requires the following:

    • application/x-www-form-urlencoded as Content-Type header
    • clientId credentials encoded with the base64 algorithm, passed as the Authorization header (Authorization: Basic base64(clientId:clientSecret))
    • user credentials (EPR) in the form user-group-domain as the username body parameter
    • EPR password as the password body parameter
    • password as the grant_type body parameter

      curl --request POST \
      --header "Content-Type: application/x-www-form-urlencoded" \
      --header "Authorization: Basic [Base64(clientId:clientSecret)]" \
      -d "grant_type=password&username=ugt4binobrc3kyy8-DEVCENTER-EXT&password=abcd1234" \
      http://api.internal.prod.ha.sabre.com/v3/auth/token

    In a successful response, you will get the following:

        {
            "access_token": "T1RLAQJnxo/ptzEjQc75wV+AiaBCXAyHkRBxph6xNhkZvUzxPom2MKACAACQnl4vSYlcOYQnv6xf4Eytihqxn0mWTDEG1vT6BxlKbRTQSc3WnU51/BFL8ifFEngT3Zr4jqpc7ATARVOHnKLGMra9KR6a9SiM8Qtv+Ct/kDg7qFRnoUWBkDjb43QimidHmE1bHyNsrlp2Fdpjw+1jSPRfsk/HTZZQjEzMIh1yakmj0prNYWvFnPhmfkkhRvQ6",
            "expires_in": 604800,
            "token_type": "bearer"
        }

    where access_token is the ATK session token and expires_in is the TTL for this token, given in minutes.

  2. Errors:

    1. Missing grant_type parameter in the body.

              {
                  "error":"invalid_request",
                  "error_description":"Invalid payload: grant_type must be specified"
              }

      status code 401

    2. An unsupported grant type was sent.

              {
                  "error":"invalid_request",
                  "error_description":"Invalid grant type. The only supported type is 'password'"
              }

      status code 401

    3. Invalid HTTP method. Only POST supported.

              {
                  "error":"invalid_request",
                  "error_description":"HTTP method not allowed"
              }

      status code 401

    4. Invalid Content-Type. Only application/x-www-form-urlencoded is allowed.

              {
                  "error":"invalid_request",
                  "error_description":"Incorrect Content-Type. Only application/x-www-form-urlencoded is allowed"
              }

      status code 401

    5. Either clientId or user EPR authentication failed.

              {
                 "error":"invalid_client",
                 "error_description":"Wrong clientID or clientSecret"
              }

      status code 401

    6. Security data was not present in the request or is invalid, e.g. the credentials are encoded incorrectly.

              {
                  "error":"invalid_client",
                  "error_description":"Credentials are missing or the syntax is not correct"
              }

      status code 401
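
An added example (not Sabre's code) covering the request requirements and the error responses listed above: it builds the token request without sending it and maps the documented error payloads to a follow-up action. The host in TOKEN_URL, the TokenError class, the action labels and the redact helper are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder host (assumption); only the /v3/auth/token path is from the page.
TOKEN_URL = "https://auth.example.invalid/v3/auth/token"

class TokenError(Exception):
    """Token request failed; `action` is a hypothetical hint on what to fix."""
    def __init__(self, status, error, description, action):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.action = status, error, action

def build_token_request(client_id, client_secret, epr, password, url=TOKEN_URL):
    """Build (without sending) the POST with the header and body parameters above."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode escapes '&', '=' and '+', so a password cannot corrupt the form body.
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": epr, "password": password}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}"})

def parse_token_response(status, raw_body):
    """Return the token document, or raise TokenError for an error payload."""
    doc = json.loads(raw_body)
    if "access_token" in doc and "error" not in doc:
        return doc
    # Every error on the page is a 401, so the status alone cannot tell them
    # apart; branch on the `error` field instead.
    error = doc.get("error", "unknown")
    action = {"invalid_request": "fix_request",
              "invalid_client": "fix_credentials"}.get(error, "investigate")
    raise TokenError(status, error, doc.get("error_description", ""), action)

def redact(token, keep=6):
    """Shorten a token for log lines so the full bearer value is never written."""
    return token[:keep] + "...[redacted]"

if __name__ == "__main__":
    # Constructed sample credentials and response, not real values.
    req = build_token_request("my-client", "s3cret", "user-GROUP-DOM", "p&ss=w+rd")
    print(req.get_method(), req.full_url)
    ok = parse_token_response(200, '{"access_token": "T1RLconstructed", "token_type": "bearer"}')
    print("token:", redact(ok["access_token"]))
```
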