Authentication

Previous authentication and authorization endpoints are scheduled for deprecation 5 Dec 2025 for pre-production and 30 Jan 2026 for production. You must migrate these environments before those dates or transactions in those environments will fail. See Endpoint Migration below.

All Travelport JSON APIs require authentication with OAuth 2.0. Before calling any API, you must follow an OAuth-based authorization procedure to obtain an access token. That access token is valid for 24 hours and must be sent with every call during that time. Do not request a new token for each API call.

This topic details how to obtain the access token and provides the endpoints for authentication, which must happen every 24 hours, and for authorization, which is part of every API request.

In this topic:

Technical Requirements
Credentials and Authorization
Generate Token in Language of Choice
Generate Token from Postman Developer Toolkit for Air
Generate Token from Postman Developer Toolkit for Hotel and Pay

Technical Requirements

Protocol: HTTPS/1.1

Minimum TLS Version: 1.2

HTTP Method: POST (preferred, GET supported only in legacy cases

Token Validity: 24 hours (86,400 seconds)

Token Caching: Cache and reuse tokens until expiry

Rate Limit: 50 token requests per second per unique IP address

Do not request a new token for every API call.

Credentials and Authorization

OAuth is an open standard that defines how access to a resource is granted to requesters. The Travelport JSON APIs use the two-legged OAuth process for generating tokens. This means the requester provides a token and the resource returns a token. For detailed information about how an OAuth connection is established, refer to the OAuth 2.0 Authorization Framework.

You pass your client credentials to our resource and receive a token that you provide in all calls to any Travelport JSON API. The token is valid for 24 hours. When it expires, make another call and receive another token. You can request tokens either via the language of your choice or by sending a request from the Postman collection included in the developer toolkits linked below.

Travelport provides your credentials when you are provisioned for the JSON APIs. Travelport assigns your organization one or more usernames and access groups, based on their point(s) of sale. An access group contains information about an organization, including PCC Pseudo city code. A travel provider's identification code for the JSON APIs, provisioned from Travelport. Used to determine access and other settings in the JSON APIs for your company., location, currency, NDC and GDS carrier information for the Air APIs, and printer linkages. An access group identifies to Travelport the content to which an application or user has access. Each username is assigned at least one access group and is sent in the API authentication request. The auth token returned ensures that the API responses return data that is relevant to an organization’s specific location.

Endpoint Migration

Travelport has implemented new security and identity management standards across its products and services. As part of this initiative, Travelport has updated all authentication and authorization endpoints for all JSON APIs, and provided new credentials to all customers. These updated authentication and authorization endpoints are listed in the sections immediately below.

All previous authentication and authorization endpoints, listed for reference only below in Endpoints Scheduled for Deprecation, are scheduled for deprecation 5 Dec 2025 for pre-production and 30 Jan 2026 for production. You must migrate these environments before those dates or transactions in those environments will fail.

Please ensure the updated endpoints have been fully implemented before 5 Dec 2025 for pre-production and 30 Jan 2026 for production.

If you have not received your new credentials, contact your Travelport Account Manager immediately.

Authentication Endpoints

Per above, a new authentication token is required every 24 hours. Do not request tokens more frequently than just under every 24 hours, and do not request a new token for every API call.

To receive a new token, send your authentication request to the following post-migration endpoint as appropriate for each environment:

Pre-production https://auth.pp.travelport.net/oauth/token

Production https://auth.travelport.net/oauth/token

Authorization Endpoint Base Paths

Every JSON API requires a request sent to a unique authorization endpoint. This endpoint is listed at the top of every API Reference in this online help. In addition, a consolidated list of all endpoints is provided for all Air APIs, Hotel APIs, and Pay APIs.

The beginning string of these endpoints are the same across all Air, Hotel, and Pay APIs, and is called a base path because it is shared across APIs. The following are the current, post-migration base paths for the endpoints required for every Travelport JSON API.

Air APIs base paths:

Pre-production https://api.pp.travelport.net/11/air/

Production https://api.travelport.net/11/air/

A small number of JSON Air APIs do not use /air in their base path, as noted in Air Endpoints and the individual API References: Cancel Workbench Item, Document History, Document List, and Exchange Air Offer.

Hotel APIs base paths, v11:

Pre-production https://api.pp.travelport.net/11/hotel/

Production https://api.travelport.net/11/hotel/

Hotel APIs base paths, v12:

Pre-production https://api.pp.travelport.net/12/hotel/

Production https://api.travelport.net/12/hotel/

Pay APIs base paths:

Pre-production https://api.pp.travelport.net/11/payment/

Production https://api.travelport.net/11/payment/

Endpoints Scheduled for Deprecation

For reference purposes only, the previously used endpoints scheduled for deprecation are listed below. Do not code to these endpoints for any new development. You should migrate to the current endpoints as listed in the preceding sections.

Authentication

The previously used endpoints for authentication requests are:

Pre-production https://oauth.pp.travelport.com/oauth/oauth20/token

Production https://oauth.travelport.com/oauth/oauth20/token

These endpoints will be deprecated 5 Dec 2025 (pre-prod) and 30 Jan 2026 (production).

Authorization

The previously used authorization endpoint base paths for air, hotel, and pay are:

Pre-production https://api.pp.travelport.com/11/air/ | Production https://api.travelport.com/11/air/

Pre-production https://api.pp.travelport.com/11/ | Production https://api.travelport.com/11/ (specific APIs only as noted in applicable API References)

Pre-production https://api.pp.travelport.com/11/hotel/ | Production https://api.travelport.com/11/hotel/

Pre-production https://api.apim-a.adc.pp.travelport.io:443/11/payment/ | Production https://api.apim-a.adc.prod.travelport.io:443/11/payment/

These endpoints will be deprecated 5 Dec 2025 (pre-prod) and 30 Jan 2026 (production).

Generate Token in Language of Choice

To generate the auth token in a language of your choice, you must populate the following credentials provided when you were provisioned with the Travelport JSON APIs:

username
password
client_id
client_secret

Send the request to the Authentication Endpoint listed above.

Generate Token from Postman Developer Toolkits for Air

The following steps detail how to enter credentials and generate the OAuth token from any of the Air developer toolkits.

Travelport provides the credentials required here when your company is provisioned with the JSON Air APIs. If you aren't yet a provisioned user, you can still browse request and response examples in the Developer Toolkit Postman collections.

Open any of the Travelport Postman collections.
Open the dropdown for OAuth and click OAuth. The folder and transaction name may vary between collections, but it is the first transaction in the collection.

in the Body tab at the top of the collection, enter your customer-specific credentials in the following fields:
- username
- password
- client_id
- client_secret

Click the Tests tab. In the list of variables, populate with the value XAUTH_TRAVELPORT_ACCESSGROUP_1G between double quotes per below.

Generate the OAuth token by clicking the Send button. Postman returns the access token, which consists of all text between the quotes after access_token, as shown below. This value is valid for 24 hours and automatically populates the authorization values in all transactions in the Postman collection. You can also copy this token value into your pre-production or production environments.

Generate Token from Postman Developer Toolkits for Hotel and Pay

The following steps detail how to enter credentials and generate the OAuth token from the Hotel DevKit or Pay DevKit.

Travelport provides the credentials required here when your company is provisioned with the JSON Hotel or Pay APIs. If you aren't yet a provisioned user, you can still browse example requests in the Postman collections in the Hotel or Pay Developer Toolkits.

Open any of the Travelport Postman collections.
Open the dropdown for OAuth and click OAuth. The folder and transaction name may vary between collections, or it may appear standalone instead of in a folder, but it is the first transaction in the collection.

Click the Body tab at the top of the collection. Populate the following with the values provided specifically for your company at provisioning:
- username
- password
- client_id
- client_secret

Generate the OAuth token by clicking the Send button. Postman returns the access token, which consists of all text between the quotes after access_token. This value is valid for 24 hours.
Copy all of the text between the quotes after access_token.
Navigate out of the OAuth folder. In the first transaction to send, open the Headers tab at the top. In the Authorization field, after the word Bearer, replace the brackets and any existing text (such as <token> or another token value with or without brackets) with the value copied from the OAuth transaction. After you send this transaction, the token populates into all following transactions.