Tokens

Once a guest registers an account and logs in, they are redirected back to the partner's website. At this point, the partner receives a code in the query string of the URL. This code is used to obtain both a refresh token and an access token. Using this access token, the partner can interface with the Stratech Guest API [1].

Partners cannot request tokens on their own for communication between the Self Service website and the Stratech Guest API. Instead, they must relay the access token obtained from the guest to the Stratech Guest API. The API then authenticates the access token and fetches the relevant guest information.

For security reasons, the access token cannot be used directly to communicate with the Stratech Guest API. The access token from the Self Service website must be delegated through a partner client to ensure that the request comes from a trusted source.

[Figure: Sequence flow for delegation]

Token endpoint

The token endpoint is the URL where the Stratech Identity Provider handles token requests. This endpoint is unique for each organization. The URL is https://identity.stratechbooking.nl/<organizationReference>/connect/token.

Code

The code functions as a single-use token. It serves the purpose of obtaining both a refresh token and an access token. After a successful login, this code is delivered to the redirect_uri.

Example of a redirect_uri with a code
https://twentschehoogte.stratechbooking.nl/login-callback?code=Yzk5ZDczMzRlNDEwY&state=5ca75bd30&scope=...

Upon receiving the code, the website is responsible for requesting a refresh token. This is done through a POST request to the token endpoint [2] of the Stratech Identity Provider.

Refresh token

The refresh token is a long-lived token that can be used to request a new access token when the current one expires. This token is used to authenticate the guest with the Stratech Guest API.

Example of a refresh token request
POST /org_1234/connect/token HTTP/1.1
Host: identity.stratechbooking.nl
Content-Type: application/x-www-form-urlencoded

code=Yzk5ZDczMzRlNDEwY
&grant_type=code
&redirect_uri=https://example-app.com/cb
&client_id=mRkZGFjM
&code_verifier=Th7UHJdLswIYQxwSg29DbK1a_d9o41uNMTRmuH0PM8zyoMAQ

The client_id for this request will be provided through a webhook event when a Stratech Booking user makes a connection with the partner in Stratech Booking.

Access token

The access token serves as a temporary authentication token for the guest. Partners use this token to obtain a delegation token [3] for interfacing with the Stratech Guest API.

When requesting a refresh token, an access token is always included in the response. This access token is valid for 1 hour. Once it expires, you can refresh the access token using the associated refresh token.

note

Refresh tokens are currently reusable, so one refresh token can be used to obtain multiple access tokens. However, this behavior might change in future updates. See: 2.2.2. Refresh Tokens

Delegation token

The delegation token serves as a temporary authentication token for the partner. This token allows the partner to retrieve guest information from the Stratech Guest API.

Example of a delegation token request
POST /org_1234/connect/token HTTP/1.1
Host: identity.stratechbooking.nl
Content-Type: application/x-www-form-urlencoded

subject_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkJCMTJFMjA4MzdDODI5NzYxRTdBOUU2Mzk5OTJDOEQ0IiwidHlwIjoiYXQrand0In0...
&subject_token_type=urn:ietf:params:oauth:token-type:access_token
&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&exchange_style=delegation
&client_id=bookingpartnerclient_example
&client_secret=secret

The client_id and client_secret for this request will be provided to you by your contact from Stratech.
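The code exchange and the delegation request described above, as an added Python example that is not Stratech's own code. It builds both POST requests without sending them; the function names and the state check against a value the partner stored in the guest's session are assumptions, while the parameter names and values are taken from the examples on this page.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

IDENTITY_BASE = "https://identity.stratechbooking.nl"  # host from the page

def extract_code(callback_url: str, expected_state: str) -> str:
    """Return the single-use code; reject callbacks this session did not start."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Assumption: the partner stored `state` in the guest's session before redirecting.
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request(organization_reference: str, form: dict) -> Request:
    """Build (not send) a form-encoded POST to the organization's token endpoint."""
    url = f"{IDENTITY_BASE}/{organization_reference}/connect/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(url, data=urlencode(form).encode(), headers=headers, method="POST")

def code_exchange(org, code, redirect_uri, client_id, code_verifier) -> Request:
    return token_request(org, {
        "code": code,
        "grant_type": "code",  # value as written in the page's example
        "redirect_uri": redirect_uri,  # urlencode percent-encodes ':' and '/'
        "client_id": client_id,
        "code_verifier": code_verifier,
    })

def delegation(org, guest_access_token, client_id, client_secret) -> Request:
    # client_secret belongs in server-side configuration, never in browser code.
    return token_request(org, {
        "subject_token": guest_access_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "exchange_style": "delegation",
        "client_id": client_id,
        "client_secret": client_secret,
    })
```

Pass the returned Request to urllib.request.urlopen from the partner's backend to perform the call.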


  1. To acquire a token, it's mandatory for the website to be accessible exclusively through HTTPS.
  2. The token endpoint is the URL where the Stratech Identity Provider handles token requests. This endpoint is unique for each organization. The URL can be retrieved in the event dispatched to the partner.
  3. A partner must execute a delegation flow to obtain an access token for the Stratech Guest API. See Delegation flow for more information.