The platform has 3 authentication modes:
  1. api-key header for OTA flow APIs (/search, /quote, /book, /cancel)
  2. Authorization: Bearer <partner_jwt> for partner management APIs
  3. Authorization: Bearer <admin_jwt> for admin APIs

1) API Key Authentication

Used by:
  • POST /api/search
  • POST /api/search/tgx
  • POST /api/quote
  • POST /api/book
  • POST /api/cancel
Header:
api-key: <partner-api-key>
Behavior:
  • API key must exist in partner_api_keys
  • API key must map to a valid partner
  • Backend injects that partner into request context
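
The three checks above, written as a framework-free Node.js function. This is an added example, not the platform's own code. The column layout of partner_api_keys, the SHA-256 key storage, the `active` flag as the meaning of "valid partner", the `req.context` shape and the status codes are all assumptions.

```javascript
const crypto = require('crypto');

// Assumption: keys are stored as SHA-256 digests, so no plaintext key sits in the table.
const digest = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample data. The table name is from the page; the columns are assumed.
const partnerApiKeys = new Map([
  [digest('demo-key-active'), 'p1'],
  [digest('demo-key-suspended'), 'p2'],
  [digest('demo-key-orphan'), 'p404'], // key row whose partner no longer exists
]);
const partners = new Map([
  ['p1', { id: 'p1', name: 'Demo OTA', active: true }],
  ['p2', { id: 'p2', name: 'Suspended OTA', active: false }],
]);

// The five OTA flow routes the page lists under API key authentication.
const API_KEY_ROUTES = new Set([
  '/api/search', '/api/search/tgx', '/api/quote', '/api/book', '/api/cancel',
]);

// Returns { ok, status, reason } and sets req.context.partner on success.
// Status codes are assumptions; the page does not document failure responses.
function authenticateApiKey(req) {
  if (req.method !== 'POST' || !API_KEY_ROUTES.has(req.path)) {
    return { ok: false, status: 404, reason: 'not an api-key route' };
  }
  // Node lowercases header names; anything but one non-empty string is rejected.
  const key = req.headers['api-key'];
  if (typeof key !== 'string' || key.length === 0) {
    return { ok: false, status: 401, reason: 'missing api-key' };
  }
  const partnerId = partnerApiKeys.get(digest(key));
  if (partnerId === undefined) {
    return { ok: false, status: 401, reason: 'unknown api-key' };
  }
  const partner = partners.get(partnerId);
  if (!partner || !partner.active) {
    return { ok: false, status: 403, reason: 'key does not map to a valid partner' };
  }
  // Partner identity comes only from the key lookup, never from the request body.
  req.context = { ...req.context, partner };
  return { ok: true, status: 200, reason: 'authenticated' };
}
```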

2) Partner JWT Authentication

Login endpoint:
POST /api/auth/login
Request:
{
  "accountType": "email",
  "accountValue": "ops@partner.com",
  "password": "<MD5_PASSWORD_HASH>"
}
Notes:
  • password must be an MD5 string when accountType = "email"
  • accountType = "phone" is currently not supported and returns 400
Use token:
Authorization: Bearer <accessToken>

3) Admin JWT Authentication

Admin login endpoint:
POST /api/admin/login
Request:
{
  "email": "admin@company.com",
  "password": "<MD5_PASSWORD_HASH>"
}
Use token:
Authorization: Bearer <adminAccessToken>
Admin token is required by endpoints such as:
  • POST /api/connections
  • PATCH /api/connections/:id
  • PUT /api/connections/:id/enable
  • POST /api/admin/partners/users

Additional Headers

| Header | Required | Description |
| --- | --- | --- |
| Content-Type | Yes | Must be application/json for body requests |
| api-key | Core APIs only | Partner API key |
| Authorization | JWT APIs only | Partner/Admin bearer token |
| session-id | Optional | Auto-generated if missing |
| connection-code | Optional | Auto-populated from settings.access.code |
| user-agent | Optional | Captured in logs if provided |