Table of Contents

SwOTA REST Testing Guide

Quick Setup for REST Testing with Auth0 Authentication

1. Obtain Auth0 Credentials

Before testing, you need Auth0 credentials from your integration manager:

  • Client ID: Your application's Auth0 client identifier

  • Client Secret: Your application's Auth0 client secret

  • Audience: The API audience value for the environment

2. Import Environment

Create a Postman environment with these variables:

{
  "name": "SwOTA Development - REST",
  "values": [
    {
      "key": "rest_base_url",
      "value": "https://bookings-dev.sw.travelhx.com/ota/rest",
      "enabled": true
    },
    {
      "key": "auth0_url",
      "value": "https://travelhx-backend-stage.eu.auth0.com/oauth/token",
      "enabled": true
    },
    {
      "key": "auth0_client_id",
      "value": "YOUR_CLIENT_ID",
      "enabled": true
    },
    {
      "key": "auth0_client_secret",
      "value": "YOUR_CLIENT_SECRET",
      "enabled": true
    },
    {
      "key": "auth0_audience",
      "value": "https://partner.dev.travelhx.dev/api",
      "enabled": true
    },
    {
      "key": "access_token",
      "value": "",
      "enabled": true
    },
    {
      "key": "agency_id", 
      "value": "YOUR_AGENCY_ID",
      "enabled": true
    },
    {
      "key": "booking_source",
      "value": "OPENTRAVEL", 
      "enabled": true
    }
  ]
}

3. Get Access Token

Before making SwOTA REST API requests, you need to obtain an Auth0 access token.

Create a Token Request in Postman

POST {{auth0_url}}
Content-Type: application/json

{
"client_id": "{{auth0_client_id}}",
"client_secret": "{{auth0_client_secret}}",
"audience": "{{auth0_audience}}",
"grant_type": "client_credentials"
}

The response will contain an access_token. Copy this token and save it to your access_token environment variable.

Tip: You can automate this in Postman by adding a test script to extract and save the token:

// Postman test script to auto-save token
const response = pm.response.json();
if (response.access_token) {
    pm.environment.set("access_token", response.access_token);
}

4. REST Request Headers

All REST requests require these headers:

Authorization: Bearer {{access_token}}
Content-Type: application/xml; charset=utf-8

5. Sample REST Requests

Ping Test

POST {{rest_base_url}}/OTA_PingRQ

<OTA_PingRQ xmlns="http://www.opentravel.org/OTA/2003/05" Version="1.0" TimeStamp="2025-01-01T12:00:00Z">
<EchoData>REST API test connection</EchoData>
</OTA_PingRQ>

Sailing Availability

POST {{rest_base_url}}/OTA_CruiseSailAvailRQ

<OTA_CruiseSailAvailRQ xmlns="http://www.opentravel.org/OTA/2003/05" Version="1.0" TimeStamp="2025-01-01T12:00:00Z">
<POS>
<Source>
<RequestorID ID="{{agency_id}}" Type="5" ID_Context="SEAWARE"/>
<BookingChannel Type="1">
<CompanyName>{{booking_source}}</CompanyName>
</BookingChannel>
</Source>
</POS>
<SailingDateRange>
<StartDateWindow EarliestDate="2025-06-01"/>
<EndDateWindow LatestDate="2025-12-31"/>
</SailingDateRange>
</OTA_CruiseSailAvailRQ>

6. REST Endpoints

Each OTA operation has its own REST endpoint. The pattern is:

POST https://bookings-dev.sw.travelhx.com/ota/rest/<MessageName>

Environment Endpoints

  • Production: https://bookings.sw.travelhx.com/ota/rest/

  • Staging: https://bookings-stage.sw.travelhx.com/ota/rest/

  • Development: https://bookings-dev.sw.travelhx.com/ota/rest/

Common Endpoints

Operation

REST Endpoint

Ping

/ota/rest/OTA_PingRQ

Sailing Search

/ota/rest/OTA_CruiseSailAvailRQ

Category Availability

/ota/rest/OTA_CruiseCategoryAvailRQ

Cabin Availability

/ota/rest/OTA_CruiseCabinAvailRQ

Create Booking

/ota/rest/OTA_CruiseBookRQ

Retrieve Booking

/ota/rest/OTA_ReadRQ

Cancel Booking

/ota/rest/OTA_CancelRQ

Process Payment

/ota/rest/OTA_CruisePaymentRQ

For a complete list of all 25+ REST endpoints, see API Protocols.

7. Expected Responses

  • Ping: <OTA_PingRS><Success/><EchoData>...</EchoData></OTA_PingRS>

  • Availability: Error Code 168 (expected if using test credentials - confirms format is correct)

8. REST vs. SOAP Comparison

Aspect

REST

SOAP

Endpoint

/ota/rest/<MessageName>

/ota/ws

Authentication

Auth0 Bearer Token

SSL Client Certificate

Content-Type

application/xml; charset=utf-8

text/xml; charset=utf-8

Authorization Header

Required (Bearer token)

Not used

SOAPAction Header

Not needed

Required (can be empty)

Request Wrapper

None - just the OTA message

<Envelope><Body>...</Body></Envelope>

Response Wrapper

None - just the OTA response

<Envelope><Body>...</Body></Envelope>

9. cURL Examples

Get Access Token

curl -X POST https://travelhx-backend-stage.eu.auth0.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "audience": "https://partner.dev.travelhx.dev/api",
    "grant_type": "client_credentials"
  }'

Ping Request

curl -X POST https://bookings-dev.sw.travelhx.com/ota/rest/OTA_PingRQ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/xml; charset=utf-8" \
  -d '<OTA_PingRQ xmlns="http://www.opentravel.org/OTA/2003/05" Version="1.0" TimeStamp="2025-01-01T12:00:00Z">
  <EchoData>Test</EchoData>
</OTA_PingRQ>'

Sailing Availability Request

curl -X POST https://bookings-dev.sw.travelhx.com/ota/rest/OTA_CruiseSailAvailRQ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/xml; charset=utf-8" \
  -d '<OTA_CruiseSailAvailRQ xmlns="http://www.opentravel.org/OTA/2003/05" Version="1.0" TimeStamp="2025-01-01T12:00:00Z">
  <POS>
    <Source>
      <RequestorID ID="12345" Type="5" ID_Context="SEAWARE"/>
      <BookingChannel Type="1">
        <CompanyName>YOUR_COMPANY</CompanyName>
      </BookingChannel>
    </Source>
  </POS>
  <SailingDateRange>
    <StartDateWindow EarliestDate="2025-06-01"/>
    <EndDateWindow LatestDate="2025-12-31"/>
  </SailingDateRange>
</OTA_CruiseSailAvailRQ>'

10. Troubleshooting

401 Unauthorized

If you receive 401 errors:

  • Verify your access token is valid and not expired
  • Check that the Authorization: Bearer header is included in your request
  • Ensure your Auth0 credentials are correct
  • Verify you're using the correct audience for your environment
  • Get a fresh token - tokens expire after the time specified in expires_in

403 Forbidden

If you receive 403 errors:

  • Verify your client has the correct permissions/scopes
  • Contact your integration manager to verify your account setup

404 Not Found

If endpoint returns 404:

  • Check the message name in URL matches exactly (case-sensitive)
  • Verify you're using /ota/rest/ not /ota/ws
  • Confirm the operation is supported (see API Protocols)

400 Bad Request

If you get 400 errors:

  • Validate XML is well-formed
  • Check namespace is correct: http://www.opentravel.org/OTA/2003/05
  • Ensure Content-Type header is set correctly

11. Next Steps