A configuration setting can be applied to a partner site that requires authorization to view all pages other than the homepage or itinerary page. This setting is intended to apply only to sites that choose not to utilize the core TravelWin account management functionality or full SSO. It is a lightweight method for unauthenticated customers to access the hotel shopping capabilities of the platform without actually logging in themselves.

In order for a user to access the site, an authorization token must be passed to the homepage through a query string through the parameter “loginToken”:

https://{{siteURL}}/?loginToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxNTQ1IiwiZXhwIjoxNjM4NDc3ODI3LCJpYXQiOjE2Mzg0NTk4Mjd9.9anqZzOl01dJqDDcSB65xv0w-tpBhgPx-4Vms2bIoHL_sg0HvNAL2hnlMWFxLLZINUbpZ6GIsXAUep2MY4Q_dA

This token can be retrieved prior to building this link through an authentication service, by passing a username and password

https://{{siteURL}}/GetToken?username={{username}}&password={{password}}

If the authentication is successful, a token will be included in a JSON response:

{“result”:200,”message”:”Success”,”token”:”eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxNTQ1IiwiZXhwIjoxNjM4NDc3ODI3LCJpYXQiOjE2Mzg0NTk4Mjd9.9anqZzOl01dJqDDcSB65xv0w-tpBhgPx-4Vms2bIoHL_sg0HvNAL2hnlMWFxLLZINUbpZ6GIsXAUep2MY4Q_dA”}

Once a session has been validated with this token, it. will be authorized for the entirety of the session. A new session will require a new token.

The token is valid for 15 minutes after issuance.