> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pageonetravel.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Auth modes, headers, and token usage.

The platform has 2 authentication modes:

1. `api-key` header for OTA flow APIs (`/search`, `/quote`, `/book`, `/cancel`, `/v1/content/accommodations`)
2. `Authorization: Bearer <partner_jwt>` for partner management APIs

## 1) API Key Authentication

Used by:

* `POST /api/search`
* `POST /api/search/tgx`
* `POST /api/quote`
* `POST /api/book`
* `POST /api/cancel`
* `POST /api/v1/content/accommodations`

Header:

```http theme={null}
api-key: <partner-api-key>
```

Behavior:

* API key must exist in `partner_api_keys`
* API key must map to a valid partner
* Backend injects that partner into request context

## 2) Partner JWT Authentication

Login endpoint:

```http theme={null}
POST /api/auth/login
```

Request:

```json theme={null}
{
  "accountType": "email",
  "accountValue": "ops@partner.com",
  "password": "<MD5_PASSWORD_HASH>"
}
```

Notes:

* `password` must be MD5 string when `accountType = "email"`
* `accountType = "phone"` is currently not supported and returns `400`

Use token:

```http theme={null}
Authorization: Bearer <accessToken>
```

## Additional Headers

| Header            | Required       | Description                                  |
| ----------------- | -------------- | -------------------------------------------- |
| `Content-Type`    | Yes            | Must be `application/json` for body requests |
| `api-key`         | Core APIs only | Partner API key                              |
| `Authorization`   | JWT APIs only  | Partner bearer token                         |
| `session-id`      | Optional       | Auto-generated if missing                    |
| `connection-code` | Optional       | Auto-populated from `settings.access.code`   |
| `user-agent`      | Optional       | Captured in logs if provided                 |
