Authenticate Your App

In order to successfully call Hilton’s APIs, your application must prove its identity. You can do this in one of two ways: Basic Authentication or Token Authentication. For more information on authentication, refer to the Authentication Page.

Basic Auth (Recommended)

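When using Basic Auth, there is no separate call to obtain a token. Instead, you include your identifying information in the header of each request message. For example, where Check for Available Rooms shows “Authorization: Bearer YOUR_ACCESS_TOKEN_HERE” in the request header, you would instead insert “Authorization: Basic YOUR_BASE64_ENCODED_CLIENTID:CLIENTSECRET”, where the value after “Basic ” is the Base64 encoding of your Client ID and Client Secret joined by a colon. Base64 is an encoding, not encryption, so treat the header value as you would the Client Secret itself and send it only over HTTPS.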

Token Auth

When using Token Auth, you must first do a POST to /realms/applications/token to obtain your Temporary Access Token (TAT). Your TAT will be valid for about an hour. You should track the expiry provided in the response and call for a new Token when the current one expires.

Note: You should only call for a new TAT when the current one expires. Do not send the token call before every transaction call.

Below is the endpoint that is called, and the contents included in the body of the request:

POST https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token 

Request Body: 
{ 
  "client_id":"frCQ....................FWQa", 
  "client_secret":"81Qa....................m50a" 
}

Response 200:
{
  "access_token": "8df4c63..................ae53bb659f25f0282",
  "scope": "am_application_scope default",
  "token_type": "Bearer",
  "expires_in": 3190
}
# Request a Temporary Access Token: POST the client id and secret as a JSON body.
# The values shown are truncated placeholders. A real secret typed inline ends up in
# shell history and the process list; curl can read the body from a file with -d @FILE.
curl --request POST \
  --header "Content-Type: application/json" \
  --data '{"client_id":"frCQ....................FWQa","client_secret":"81Qa....................m50a"}' \
  https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token
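// Obtains a Temporary Access Token with the Jersey 1.x client and stores it in this.token.
// NOTE(review): "token" is presumably a field of the enclosing class, since the result is
// assigned through this.token below — confirm against the surrounding class.
String token = null;

// client id and client secret
// Placeholders only: load the real values from a secret store or environment configuration
// instead of committing them to source control.
String clientId = "YOUR_CLIENT_ID_HERE";
String clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
String endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// build the payload with JSONObject so both values are JSON-escaped; hand-concatenated
// quotes produce invalid JSON as soon as a value contains a quote or a backslash
JSONObject payload = new JSONObject();
payload.put("client_id", clientId);
payload.put("client_secret", clientSecret);

// jersey client
ClientConfig client = new DefaultClientConfig();
client.getClasses().add(JacksonJsonProvider.class);
Client clientWithJacksonSerializer = Client.create(client);
WebResource webResource = clientWithJacksonSerializer.resource(endpointUrl);
ClientResponse jsonResponse = webResource.type("application/json")
      .post(ClientResponse.class, payload.toString());

// A 401, 403 or 503 response carries no "access_token"; stop before parsing.
// Only the status code is reported, so neither credentials nor response body reach the logs.
int status = jsonResponse.getStatus();
if (status != 200) {
  jsonResponse.close();
  throw new IllegalStateException("Token request failed with HTTP status " + status);
}

// read the response body as a string
String value = jsonResponse.getEntity(String.class);

// convert the response to a JSONObject
JSONObject jsonObject = new JSONObject(value);

// pull out the "access_token" attribute and save its value
this.token = jsonObject.getString("access_token");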
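// Obtains a Temporary Access Token with the RESTEasy client and stores it in this.token.
// NOTE(review): "token" is presumably a field of the enclosing class, since the result is
// assigned through this.token below — confirm against the surrounding class.
String token = null;

// client id and client secret
// Placeholders only: load the real values from a secret store or environment configuration
// instead of committing them to source control.
String clientId = "YOUR_CLIENT_ID_HERE";
String clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
String endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// build the payload with JSONObject so both values are JSON-escaped; hand-concatenated
// quotes produce invalid JSON as soon as a value contains a quote or a backslash
JSONObject payload = new JSONObject();
payload.put("client_id", clientId);
payload.put("client_secret", clientSecret);

// resteasy client; client and response are closed explicitly so connections are released
ResteasyClient client = new ResteasyClientBuilder().build();
try {
  ResteasyWebTarget target = client.target(endpointUrl);
  Response jsonResponse = target.request().post(Entity.json(payload.toString()));
  try {
    // A 401, 403 or 503 response carries no "access_token"; stop before parsing.
    // Only the status code is reported, so the response body never reaches the logs.
    if (jsonResponse.getStatus() != 200) {
      throw new IllegalStateException(
          "Token request failed with HTTP status " + jsonResponse.getStatus());
    }

    // read the response body as a string
    String value = jsonResponse.readEntity(String.class);

    // convert the response to a JSONObject
    JSONObject jsonObject = new JSONObject(value);

    // pull out the "access_token" attribute and save its value
    this.token = jsonObject.getString("access_token");
  } finally {
    jsonResponse.close();
  }
} finally {
  client.close();
}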
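// Obtains a Temporary Access Token with the Unirest client and stores it in this.token.
// NOTE(review): "token" is presumably a field of the enclosing class, since the result is
// assigned through this.token below — confirm against the surrounding class.
String token = null;

// client id and client secret
// Placeholders only: load the real values from a secret store or environment configuration
// instead of committing them to source control.
String clientId = "YOUR_CLIENT_ID_HERE";
String clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
String endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// build the payload with JSONObject so both values are JSON-escaped; hand-concatenated
// quotes produce invalid JSON as soon as a value contains a quote or a backslash
JSONObject payload = new JSONObject();
payload.put("client_id", clientId);
payload.put("client_secret", clientSecret);

// unirest client; the response is typed as JsonNode so getBody().getObject() resolves
HttpResponse<JsonNode> jsonResponse =
    Unirest.post(endpointUrl).header("Content-Type", "application/json")
        .header("accept", "application/json").body(payload.toString()).asJson();

// A 401, 403 or 503 response carries no "access_token"; stop before reading it.
// Only the status code is reported, so the response body never reaches the logs.
if (jsonResponse.getStatus() != 200) {
  throw new IllegalStateException(
      "Token request failed with HTTP status " + jsonResponse.getStatus());
}

// retrieve the parsed JSONObject from the response
JSONObject jsonObject = jsonResponse.getBody().getObject();

// pull out the "access_token" attribute and save its value
this.token = jsonObject.getString("access_token");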
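// Requests a Temporary Access Token with XMLHttpRequest and stores it in `token`.
var token;

// client id and client secret
// Placeholders only. Script delivered to a browser is readable by every visitor, so a real
// client secret belongs on a server the application controls, not in page code.
var clientId = "YOUR_CLIENT_ID_HERE";
var clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
var endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// payload
var payload = {
  "client_id" : String(clientId),
  "client_secret" : String(clientSecret)
};

// xhttp client
var xhttp = new XMLHttpRequest();
xhttp.open("POST", endpointUrl, true);
xhttp.setRequestHeader("Content-type", "application/json");
xhttp.onreadystatechange = function() {

  // this handler fires on every state change; the body is complete only at DONE,
  // and parsing an empty or partial responseText would throw
  if (xhttp.readyState !== XMLHttpRequest.DONE) {
    return;
  }

  // 401, 403 and 503 responses carry no "access_token"; report the status code only
  if (xhttp.status !== 200) {
    console.error("Token request failed with HTTP status " + xhttp.status);
    return;
  }

  // parse the JSON response body
  var response = JSON.parse(xhttp.responseText);

  // pull out the "access_token" attribute and save its value
  token = response["access_token"];
};

// do the POST call to the endpoint, passing in the payload
xhttp.send(JSON.stringify(payload));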
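// Requests a Temporary Access Token with jQuery.ajax and stores it in `token`.
var token;

// client id and client secret
// Placeholders only. Script delivered to a browser is readable by every visitor, so a real
// client secret belongs on a server the application controls, not in page code.
var clientId = "YOUR_CLIENT_ID_HERE";
var clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
var endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// payload
var payload = {
  "client_id" : String(clientId),
  "client_secret" : String(clientSecret)
};

// ajax client
$.ajax({
    type: "POST",
    url: endpointUrl,
    data: JSON.stringify(payload),
    contentType: 'application/json',
    // parse the response as JSON regardless of the Content-Type the server reports
    dataType: 'json',
    success: function(data, statusText, xhr) {

      // pull out the "access_token" attribute and save its value
      token = data.access_token;
    },
    error: function(xhr, statusText, errorThrown) {

      // 401, 403 and 503 responses carry no token; report the status code only,
      // never the request payload
      console.error("Token request failed with HTTP status " + xhr.status);
    }
});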
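// Requests a Temporary Access Token with AngularJS $http and stores it in `token`.
// The snippet returns the $http promise, so it is meant to sit inside a function body.
var token;

// client id and client secret
// Placeholders only. Script delivered to a browser is readable by every visitor, so a real
// client secret belongs on a server the application controls, not in page code.
var clientId = "YOUR_CLIENT_ID_HERE";
var clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint url
var endpointUrl = "https://kapip-s.hilton.io/hospitality-partner/v2/realms/applications/token";

// payload
var payload = {
  "client_id" : String(clientId),
  "client_secret" : String(clientSecret)
};

// http client; a non-2xx response rejects the returned promise, so the caller
// decides how to handle 401, 403 and 503
return $http({
  method: 'POST',
  url: endpointUrl,
  headers: {
    'Content-Type': 'application/json'
  },
  data: payload
}).then(function(response) {

  // retrieve the response
  var data = response.data;

  // pull out the "access_token" attribute and save its value
  token = data.access_token;

  // resolve the promise with the token so callers can chain on it
  return token;
});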
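// Requests a Temporary Access Token with Node's https module and stores it in `token`.
var token;

// host address
var host = "kapip-s.hilton.io";
var basePath = "/hospitality-partner/v2";

// create http object (the https module, so the credentials travel over TLS)
var http = require('https');

// client id and client secret
// Placeholders only: load the real values from environment configuration or a secret
// store instead of committing them to source control.
var clientId = "YOUR_CLIENT_ID_HERE";
var clientSecret = "YOUR_CLIENT_SECRET_HERE";

// token endpoint path
var endpointPath = basePath + "/realms/applications/token";

// payload
var payload = {
  "client_id" : String(clientId),
  "client_secret" : String(clientSecret)
};

// An object of options to indicate where to post to
var post_options = {
  host: host,
  path: endpointPath,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Accept' : 'application/json'
  }
};

// Set up the post request
var post_req = http.request(post_options, function(response) {
  response.setEncoding("utf8");
  var rawData = '';

  // accumulate the response body
  response.on('data', (chunk) => {
    rawData += chunk;
  });

  // the body is complete: validate, parse and store the token
  response.on('end', () => {

    // 401, 403 and 503 responses carry no "access_token"; report the status code only
    if (response.statusCode !== 200) {
      console.error('Token request failed with HTTP status ' + response.statusCode);
      return;
    }

    // parse the JSON response body; the body itself is not logged because it may hold a token
    var jsonObject;
    try {
      jsonObject = JSON.parse(rawData);
    } catch (err) {
      console.error('Token response was not valid JSON');
      return;
    }

    // pull out the "access_token" attribute and save its value
    token = jsonObject.access_token;
  });
});

// without an 'error' listener a DNS, TLS or socket failure is thrown as an
// unhandled 'error' event and terminates the process
post_req.on('error', (err) => {
  console.error('Token request could not be sent: ' + err.message);
});

// post the data
post_req.write(JSON.stringify(payload));
post_req.end();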
  • If the call is successful, the response will contain a valid Access Token (the temporary access token received from the realms API using your Client ID and Client Secret; synonyms: API Access Token, Application token) in the "access_token" field. Your application should store the token value.
  • If the call is not successful, the response code will provide information about the issue. It will probably be due to one of the following problems:
    • response code "401 - not authorized" signifies a bad Client ID and / or Client Secret
    • response code "403 - forbidden" signifies that the credentials do not allow access to the particular endpoint
    • response code "503 - service unavailable" signifies that the Realms service is down

Calling a Service

Now that you have an Access Token, use it in the header of each API call - in the “Authorization” field. The request header must also include the “Content-type” and “Accept” fields to specify that you will be sending and receiving content using the JSON format.

Content-Type: application/json
accept: application/json
Authorization: "Bearer " + Bearer token value

The string "Bearer", followed by a space, must precede the value of the token.