# Authentication Travelport has updated all TripServices API authentication and authorization endpoints. All previous endpoints have been deprecated as of 30 Jan 2026. See [Endpoint Migration](#endpoint-migration) below. All Travelport TripServices APIs require authentication with OAuth 2.0. Before calling any API, you must follow an OAuth-based authorization procedure to obtain an access token. That access token is valid for 24 hours and must be sent with every call during that time. Do not request a new token for each API call. This topic details how to obtain the access token and provides the endpoints for authentication, which must happen every 24 hours, and for authorization, which is part of every API request. ## Technical Requirements Protocol: HTTPS/1.1 Minimum TLS Version: 1.2 HTTP Method: POST (preferred, GET supported only in legacy cases) Token Validity: 24 hours (86,400 seconds) Token Caching: Cache and reuse tokens until expiry Rate Limit: 50 token requests per second per unique IP address Do not request a new token for every API call. ## Credentials and Authorization OAuth is an open standard that defines how access to a resource is granted to requesters. The Travelport TripServices APIs use the two-legged OAuth process for generating tokens. This means the requester provides a token and the resource returns a token. For detailed information about how an OAuth connection is established, refer to the [OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749). You pass your client credentials to our resource and receive a token that you provide in all calls to any Travelport TripServices API. The token is valid for 24 hours. When it expires, make another call and receive another token. You can request tokens either via the language of your choice or by sending a request from the Postman collection included in the developer toolkits linked below. Travelport provides your credentials when you are provisioned for the TripServices APIs. Travelport assigns your organization one or more usernames and access groups, based on their point(s) of sale. An access group contains information about an organization, including PCC, location, currency, NDC and GDS carrier information for the Flights APIs, and printer linkages. An access group identifies to Travelport the content to which an application or user has access. Each username is assigned at least one access group and is sent in the API authentication request. The auth token returned ensures that the API responses return data that is relevant to an organization’s specific location. ### Authentication Endpoints Per above, a new authentication token is required every 24 hours. Do not request tokens more frequently than just under every 24 hours, and do not request a new token for every API call. To receive a new token, send your authentication request to the following [post-migration](#endpoint-migration) endpoint as appropriate for each environment:    *Pre-production* https://auth.pp.travelport.net/oauth/token    *Production* https://auth.travelport.net/oauth/token ### Authorization Endpoint Base Paths Every TripServices API requires a request sent to a unique authorization endpoint. This endpoint is listed at the top of every API Reference in this online help. In addition, a consolidated list of all endpoints is provided for all [Flights APIs](/docs/flights/general/flights-api-endpoints), [Stays APIs](/docs/stays/general/stays-api-endpoints), and [Pay APIs](/docs/pay/general/pay-api-endpoints). The beginning string of these endpoints are the same across all Flights, Stays, and Pay APIs, and is called a *base path* because it is shared across APIs. The following are the current, [post-migration](#endpoint-migration) base paths for the endpoints required for every Travelport TripServices API. **Air APIs base paths:**    *Pre-production* https://api.pp.travelport.net/11/air/    *Production* https://api.travelport.net/11/air/ A small number of TripServices Flights APIs do not use */air* in their base path, as noted in [Air Endpoints](/docs/flights/general/flights-api-endpoints) and the individual API References: Cancel Workbench Item, Document History, Document List, and Exchange Air Offer. **Stays APIs base paths, v11:**    *Pre-production* https://api.pp.travelport.net/11/hotel/    *Production* https://api.travelport.net/11/hotel/ **Stays APIs base paths, v12:**    *Pre-production* https://api.pp.travelport.net/12/hotel/    *Production* https://api.travelport.net/12/hotel/ **Pay APIs base paths:**    *Pre-production* https://api.pp.travelport.net/11/payment/    *Production* https://api.travelport.net/11/payment/ ### Endpoint Migration Travelport has implemented new security and identity management standards across its products and services. As part of this initiative, Travelport has updated all authentication and authorization endpoints for all TripServices APIs (listed immediately above), and provided new credentials to all customers. All previous authentication and authorization endpoints, listed below for reference only, were deprecated 30 Jan 2026 for production and 5 Dec 2025 for pre-production. Transactions sent to the deprecated endpoints will fail. If you have not received your new credentials, contact your Travelport Account Manager immediately. The deprecated authentication endpoints are:    *Pre-production* https://oauth.pp.travelport.com/oauth/oauth20/token    *Production* https://oauth.travelport.com/oauth/oauth20/token The deprecated authorization endpoint base paths for the TripServices APIs are:    *Pre-production* https://api.pp.travelport.com    *Production* https://api.travelport.com ## Generate Token in Language of Choice To generate the auth token in a language of your choice, you must populate the following credentials provided when you were provisioned with the Travelport TripServices APIs: - username - password - client_id - client_secret Send the request to the [Authentication Endpoint](#authentication-endpoints) listed above. ## Generate Token from Postman Developer Toolkits for Air The following steps detail how to enter credentials and generate the OAuth token from any of the [Flights Developer Toolkits](/resources/devkits-and-downloads#flights-api-devkits). Travelport provides the credentials required here when your company is provisioned with the TripServices Flights APIs. If you aren't yet a provisioned user, you can still browse request and response examples in the [Developer Toolkits](/resources/devkits-and-downloads) Postman collections. 1. Open any of the Travelport Postman collections. 2. Open the dropdown for **OAuth** and click **OAuth**. The folder and transaction name may vary between collections, but it is the first transaction in the collection. 1. in the **Body** tab at the top of the collection, enter your [customer-specific credentials](#credentials-and-authorization) in the following fields: - username - password - client_id - client_secret 1. Click the **Tests** tab. In the list of variables, populate with the value *XAUTH_TRAVELPORT_ACCESSGROUP_1G* between double quotes per below. 1. Generate the OAuth token by clicking the **Send** button. Postman returns the access token, which consists of all text between the quotes after **access_token**, as shown below. This value is valid for 24 hours and automatically populates the authorization values in all transactions in the Postman collection. You can also copy this token value into your pre-production or production environments. ## Generate Token from Postman Developer Toolkits for Hotel and Pay The following steps detail how to enter credentials and generate the OAuth token from the [Hotel DevKit](/resources/devkits-and-downloads#stays-kits) or Pay DevKit. Travelport provides the credentials required here when your company is provisioned with the TripServices Stays or Pay APIs. If you aren't yet a provisioned user, you can still browse example requests in the Postman collections in the [Hotel](/resources/devkits-and-downloads#stays-kits) or Pay Developer Toolkits. 1. Open any of the Travelport Postman collections. 2. Open the dropdown for **OAuth** and click **OAuth**. The folder and transaction name may vary between collections, or it may appear standalone instead of in a folder, but it is the first transaction in the collection. 1. Click the **Body** tab at the top of the collection. Populate the following with the values provided specifically for your company at provisioning: - username - password - client_id - client_secret 1. Generate the OAuth token by clicking the **Send** button. Postman returns the access token, which consists of all text between the quotes after **access_token**. This value is valid for 24 hours. 2. Copy all of the text between the quotes after **access_token**. 3. Navigate out of the OAuth folder. In the first transaction to send, open the **Headers** tab at the top. In the Authorization field, after the word *Bearer*, replace the brackets and any existing text (such as `` or another token value with or without brackets) with the value copied from the OAuth transaction. After you send this transaction, the token populates into all following transactions.