Authentication
Gordian controls access to airline information and processes through the Gordian API. To get access to the Gordian API, contact your Account Manager to receive your API key. If you do not have an Account Manager, request a demo.
The Gordian API uses HTTP Basic Auth header with your API key as the username and a blank password, that is, you do not need a password. You must use HTTPS as the transport protocol.
Most request libraries have the ability to send requests with basic auth. For example, curl uses the curl -u 'username:password' flag.
Attention
Your API key carries many privileges, so be sure to keep it secure! Do not share your API key in publicly accessible areas such as client-side code, GitHub, and so forth.
Tip
Gordian's API has both a sandbox and production environment. Both environments use the same endpoint. Each API key issued to you by Gordian is associated with a single environment, and all requests using that API key will occur within that environment. Gordian will initially issue you an API key associated with the sandbox environment to help you integrate into the API, and then will provide you production API keys once you're ready to go live.
Creating a trip
Creating a trip is the first step to using the API. Gordian provides two paths to create trips. You can select the path best suited to your implementation:
- Direct trip creation: For architectures that handle trips creation in the backend and are capable of backend-to-backend communication.
- Indirect trip creation: For architectures that require your frontend application to handle trip creation and require frontend-to-backend communication.
Direct trip creation
To create a trip directly, follow these steps:
- From your backend server, use the
POST /v2.2/tripendpoint with yourapi_key. You receive two tokens to use in the subsequent steps of the customer journey:trip_access_tokenandrefresh_token.
The following diagram summarizes this process:
Indirect trip creation
To create a trip indirectly, follow these steps:
- From your backend server, use the
POST /v2.2/authorizeendpoint with yourapi_key. You receive one token:trip_creation_token. - From your backend server or frontend application, use the
POST /v2.2/tripendpoint withtrip_creation_token. You receive two tokens to use in the following steps of the customer journey:trip_access_tokenandrefresh_token.
The following diagram summarizes this process:
API key and Trip Access Token
After creating a trip, you get a JSON Web Token called trip_access_token as an alternative for authentication. The difference between this and the API key is as follows:
| Auth option | Expiration | Communication |
|---|---|---|
| API key | Does not expire | backend-to-backend |
trip_access_token |
Requires refreshing | backend-to-backend and frontend-to-backend |
Refreshing a token
When creating a trip, you receive two tokens with different expiration times:
trip_access_token– 30 minutes since its creation time.refresh_token– 45 minutes since its creation time.
To refresh the trip access token, use the POST /v2.2/refresh_token endpoint.
Which authentication to use?
With the trip created, you can implement the rest of the customer journey with a mix of authentication options. The following table lists which of the authentication options you can use in each of the actions of the customer journey.