Skip to content

Authentication

Gordian controls access to airline information and processes through the Gordian API. To get access to the Gordian API, contact your Account Manager to receive your API key. If you do not have an Account Manager, request a demo.

The Gordian API uses HTTP Basic Auth header with your API key as the username and a blank password, that is, you do not need a password. You must use HTTPS as the transport protocol.

Most request libraries have the ability to send requests with basic auth. For example, curl uses the curl -u 'username:password' flag.

Attention

Your API key carries many privileges, so be sure to keep it secure! Do not share your API key in publicly accessible areas such as client-side code, GitHub, and so forth.

Creating a trip

Creating a trip is the first step to use the API. Gordian provides two paths to create trips. You can select the path best suited to your implementation:

  • Direct trip creation: For architectures that handle trips creation in the backend and are capable of backend-to-backend communication.
  • Indirect trip creation: For architectures that require your frontend application to handle trip creation and require frontend-to-backend communication.

Direct trip creation

To create a trip directly, follow these steps:

  1. From your backend server, use the POST /v2.2/trip endpoint with your api_key. You receive two tokens to use in the subsequent steps of the customer journey: trip_access_token and refresh_token.

The following diagram summarizes this process:

Authorization direct Trip Creation

Indirect trip creation

To create a trip indirectly, follow these steps:

  1. From your backend server, use the POST /v2.2/authorize endpoint with your api_key. You receive one token: trip_creation_token.
  2. From your backend server or frontend application, use the POST /v2.2/trip endpoint with trip_creation_token. You receive two tokens to use in the following steps of the customer journey: trip_access_token and refresh_token.

The following diagram summarizes this process:

Authorization for indirect trip creation

API key and Trip Access Token

After creating a trip, you get a JSON Web Token called trip_access_token as an alternative for authentication. The difference between this and the API key is as follows:

Auth option Expiration Communication
API key Does not expire backend-to-backend
trip_access_token Requires refreshing backend-to-backend and frontend-to-backend

Refreshing a token

When creating a trip, you receive two tokens with different expiration times:

  • trip_access_token – 30 minutes since its creation time.
  • refresh_token – 45 minutes since its creation time.

To refresh the trip access token, use the POST /v2.2/refresh_token endpoint.

Which authentication to use?

With the trip created, you can implement the rest of the customer journey with a mix of authentication options. The following table lists which of the authentication options you can use in each of the actions of the customer journey.

Action api_key trip_access_token
Trips
Get the trip information Yes Yes
Update the trip information Yes Yes
Start a check of all the bookings Yes Yes
Product search
Start a search for flights and ancillaries Yes Yes
Get the results of a search Yes Yes
Get the results of a search limited to a product type Yes Yes
Trip basket
Get the contents of the basket Yes Yes
Replace products in the basket with another set Yes Yes
Add products to the basket Yes Yes
Replace a specific type of products Yes Yes
Replace a specific type of products for a specific passenger Yes Yes
Start a check of all the products in the basket Yes Yes
Fulfillment
Purchase all the products from the trip basket Yes No
Set booking on hold (Only available for certain airlines) Yes No
Cancellation
Start a check for whether orders can be canceled Yes Yes
Get the details of the cancellation, including the refund amount Yes Yes
Confirm cancellation of booking Yes No
Callbacks
Subscribe to a trip event Yes No
Unsubscribe to a trip event Yes No