RESTful API authentication

Overview

The Tourpaq Export API uses token-based authentication to ensure secure access. Authentication tokens are issued via the /api/token endpoint and are required for all subsequent API calls.


Requesting a Token

The authentication token can be requested by making a POST call to:

https://api.tourpaq.com/api/token

Example Request (using Fiddler)

POST https://api.tourpaq.com/api/token HTTP/1.1
User-Agent: Fiddler
Host: api.tourpaq.com
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: Basic Ym9va2luZy50b3VycGFxLmRrOjRkMjBlMDVlNDZmNmU0YjhlZGE5NWYzNDRlZGUxMGI1
Content-Length: 65
Origin: null

grant_type=password&scope=read&username=name&password=password123

Example Response


Request Parameters

| Parameter | Description |
| --- | --- |
| grant_type | Defines the type of authentication. The value password requires a username and password. |
| scope | Currently not implemented (use read). Reserved for future functionality. |
| username | The Tourpaq username. |
| password | The Tourpaq password. |


Authorization Header

The Authorization header must use Basic authentication. The value should be a Base64-encoded string containing the client_id and secret, separated by a colon (:).

Example:

Encoded as:

⚠️ Important: The client_id and secret must never be stored or exposed on the client side. The safest approach is to handle the token request on the server side.

Example:


Response Fields

| Field | Description |
| --- | --- |
| access_token | The token used to authorize subsequent API calls. |
| token_type | The authorization type (usually Bearer). |
| expires_in | Token validity period in seconds (e.g., 1799 seconds ≈ 30 minutes). |
| refresh_token | Used to obtain a new access token without resubmitting credentials. Should be stored securely on the server. |


Making an API Request

Once the access token is obtained, include it in the Authorization header for all API calls:

The Authorization header uses the Bearer scheme followed by the access token. The access token can safely be stored on the client side.


Refreshing the Token

When the Access Token expires, the API will respond with:

In this case, a new Access Token must be requested using the Refresh Token.

Example Request

The response will contain a new access_token and refresh_token pair.
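
The flow described above (token request, Bearer header, refresh) as an added server-side example; it is not Tourpaq's own code. Assumptions: the refresh body uses the standard OAuth 2.0 grant_type=refresh_token form (the page's own refresh example is not shown), the 60-second expiry margin is an arbitrary choice, and the helper names build_post, token_request, refresh_request and TokenStore are hypothetical.

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.tourpaq.com/api/token"  # endpoint given on this page


def basic_header(client_id, secret):
    """Basic scheme: Base64 of 'client_id:secret' (see Authorization Header)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_post(client_id, secret, form):
    """Build (url, headers, body) for a form POST to the token endpoint."""
    headers = {
        "Authorization": basic_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "application/json",
    }
    return TOKEN_URL, headers, urlencode(form)  # urlencode escapes & = and spaces


def token_request(client_id, secret, username, password):
    """Password grant with the four parameters from Request Parameters."""
    return build_post(client_id, secret, {"grant_type": "password", "scope": "read",
                                          "username": username, "password": password})


def refresh_request(client_id, secret, refresh_token):
    """ASSUMPTION: standard OAuth 2.0 refresh form; the page's example is not shown."""
    return build_post(client_id, secret, {"grant_type": "refresh_token",
                                          "refresh_token": refresh_token})


class TokenStore:
    """Server-side holder for a token response; tracks expiry from expires_in."""

    def __init__(self, response, now=None, skew=60):  # skew: assumed safety margin
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]  # stays on the server
        self.expires_at = now + int(response["expires_in"]) - skew

    def needs_refresh(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def bearer_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}
```

Pass the returned url, headers and body to any HTTP client on the server, and call needs_refresh() before each API call so the refresh happens before the API rejects an expired token.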


Summary

| Action | Endpoint | Method | Authentication |
| --- | --- | --- | --- |
| Request Access Token | /api/token | POST | Basic Auth (client_id + secret) |
| Refresh Access Token | /api/token | POST | Basic Auth (with refresh_token) |
| Access Data | Various (e.g., /api/HotelListExport/{id}) | GET | Bearer Token |

