Authentication
Stratech booking has two types of authentication:
- Partner access token: grants access to partner and channel-manager level data (see Partner and Channel-manager).
- Organization access token: grants access to organization level data and the ability to calculate and create bookings (see Organization).
For each connected organization a different Organization access token is used.
Requesting a Partner access token
The Partner access token can be requested using the client_credentials flow.
This is a 'POST' request with an 'x-www-form-urlencoded' body with the properties:
- client_id=bookingpartnerclient_example
- client_secret=your_secret
- grant_type=client_credentials
See Authentication spec for examples of the client_credentials flow.
Requesting an Organization access token
Before the refresh_token flow can be used to request an Organization access token, the authorization_code flow must be used to request a valid refresh_token.
Authorization code flow
The refresh_token can be requested with the authorization_code flow.
This is a 'POST' request with an 'x-www-form-urlencoded' body with the properties:
- client_id=bookingpartnerclient_example
- code=6C0AEA7F9AED5A5F85B53A1F4
- redirect_uri=https://booking.stratechbooking.nl/login-client-callback
- grant_type=authorization_code
The code and redirect_uri will be delivered through the webhook.
See Authentication spec for examples of the authorization_code flow.
Refresh token flow
The Organization access token can be requested using the refresh_token flow.
This is a 'POST' request with an 'x-www-form-urlencoded' body with the properties:
- client_id=bookingpartnerclient_example
- refresh_token=56068BB2E1D93...
- grant_type=refresh_token
See Authentication spec for examples of the refresh_token flow.
Sequence flow for retrieving an Organization access token
Authenticating API calls
To authenticate an API call the correct token must be provided in the Authorization header of the HTTP request with the Bearer method.
The Authorization header should look similar to this: bearer eyJhbGciOiJSUzI1Ni...
Make sure to use the correct token for accessing a specific endpoint.
Organization level data can't be accessed with a Partner access token and vice versa.
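The three flows above, sketched as a small token store that keeps the Partner token and each organization's token apart. This is an added example, not Stratech's code. TOKEN_URL, the injected post transport, the fake_post stand-in and the access_token / refresh_token / expires_in response fields (the standard OAuth 2.0 names) are assumptions, since the page defers to the Authentication spec for them.

```python
import time
from urllib.parse import parse_qs, urlencode
TOKEN_URL = "https://auth.example.invalid/token"  # placeholder; the page gives no URL

class TokenStore:
    def __init__(self, client_id, client_secret, post):
        self.client_id, self.client_secret = client_id, client_secret
        self.post = post    # assumed transport: post(url, form_body) -> parsed JSON dict
        self.refresh = {}   # org_id -> latest refresh_token
        self.cache = {}     # org_id (None = Partner token) -> (access_token, expiry time)

    def _grant(self, key, **fields):
        token, expiry = self.cache.get(key, (None, 0))
        if token and time.time() < expiry - 30:   # reuse until 30 s before expiry
            return token
        reply = self.post(TOKEN_URL, urlencode({"client_id": self.client_id, **fields}))
        if "access_token" not in reply:
            raise PermissionError(f"token request failed: {reply.get('error')}")
        if key is not None and "refresh_token" in reply:
            self.refresh[key] = reply["refresh_token"]   # keep a rotated token if one is sent
        self.cache[key] = (reply["access_token"], time.time() + reply.get("expires_in", 0))
        return reply["access_token"]

    def partner_token(self):   # only this flow sends the client_secret
        return self._grant(None, client_secret=self.client_secret, grant_type="client_credentials")

    def connect_organization(self, org_id, code, redirect_uri):
        self.cache.pop(org_id, None)   # code and redirect_uri come from the webhook
        return self._grant(org_id, code=code, redirect_uri=redirect_uri,
                           grant_type="authorization_code")

    def organization_token(self, org_id):
        if org_id not in self.refresh:
            raise LookupError("run the authorization_code flow for this organization first")
        return self._grant(org_id, refresh_token=self.refresh[org_id], grant_type="refresh_token")

    def headers(self, org_id=None):   # Partner token unless an organization is named
        token = self.partner_token() if org_id is None else self.organization_token(org_id)
        return {"Authorization": f"Bearer {token}"}

def fake_post(url, body):   # constructed stand-in for the token endpoint
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form["grant_type"] == "client_credentials":
        return {"access_token": "partner-AT", "expires_in": 3600}
    if form["grant_type"] == "authorization_code":
        return {"access_token": "org-AT-1", "refresh_token": "RT-1", "expires_in": 0}
    if form.get("refresh_token") == "RT-1":
        return {"access_token": "org-AT-2", "refresh_token": "RT-2", "expires_in": 3600}
    return {"error": "invalid_grant"}
```

Calling headers() with no argument yields the Partner token; headers(org_id) yields that organization's token, so a call site cannot send one level's token to the other level's endpoints by accident.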