YGO Client API
v1

Authentication

The YGO API uses Bearer token authentication. All API requests must include a valid API token in the Authorization header.

How API Tokens Work

Each API token is:
• Project-specific - Tied to a single Project (Sandbox or Production)
• Environment-routing - Automatically directs requests to the correct environment
• Long-lived - Tokens don't expire unless you revoke them
• Scoped to your data - Only access bookings and data within that Project

TIP
Simplified Environment Management
The YGO API uses intelligent token-based routing. Each API token is connected to either a Sandbox or Production Project, and automatically routes your requests to the appropriate environment, all through the same base URL (https://api.ygo.ai/v1). No need to manage different endpoints.

WARNING
Keep your API tokens secure! Treat them like passwords:
• Never commit them to version control
• Don't expose them in client-side code
• Store them securely (environment variables, secret managers)
• Rotate tokens if you suspect they've been compromised

Getting Your First API Token

During Onboarding

When you first partner with YGO, we'll:
1. Create your Organization and first Sandbox Project
2. Generate your first API token
3. Email it to you securely

This token is for your Sandbox environment, so you can start integrating immediately.

After Contract Signing

Once your contract is finalized, you'll gain access to the YGO Console UI, where you can:
• View all your API tokens
• Generate new tokens for additional Projects
• Revoke compromised tokens
• Switch between Sandbox and Production tokens

TIP
Console UI Access: Your account manager will send you login credentials for the YGO Console once your contract is signed.

Making Authenticated Requests

Include your API token in the Authorization header with every request using the Bearer scheme.

The API automatically routes your request to the correct environment (Sandbox or Production) based on the Project your API token is connected to.

Headers required for all requests:

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer your_api_token | Yes |
| Content-Type | application/json | Yes (for POST/PUT requests) |

Testing Your API Token

To verify your API token is working, try this simple request:
Successful response (200 OK):
{
  "Data": {
    "OrgID": "org_xyz789",
    "ProjectID": "proj_abc123",
    "ProjectName": "My Sandbox Project",
    "Environment": "sandbox"
  },
  "Error": null
}

Authentication Errors

Invalid or Missing Token

HTTP 401 Unauthorized
{
  "Data": null,
  "Error": "Invalid or missing authorization token"
}
Common causes:
• Authorization header not included
• Missing "Bearer " prefix in Authorization header
• Typo in the token value
• Token has been revoked or expired
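
An added example (not part of the YGO documentation) of the checks described above: the token is read from an environment variable, sent with the Bearer scheme, and the key-context reply is verified against the environment the caller expects, so a Production token fails fast in a test run. The variable name YGO_API_TOKEN and the helper names are assumptions; the endpoint path is not given on this page, so it is passed in as a parameter.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.ygo.ai/v1"   # base URL given on this page
TOKEN_ENV_VAR = "YGO_API_TOKEN"      # assumed variable name, not defined by YGO


def load_token(environ=os.environ):
    """Read the token from the environment; reject values that could split the header."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    if any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token contains whitespace or control characters")
    return token


def build_request(path, token, body=None):
    """Build a request with the Bearer header, plus Content-Type when a body is sent."""
    headers = {"Authorization": f"Bearer {token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(BASE_URL + path, data=data, headers=headers)


def require_environment(status, raw_body, expected):
    """Check a key-context reply; fail closed on 401 or on the wrong environment."""
    envelope = json.loads(raw_body)
    if status == 401 or envelope.get("Error"):
        raise PermissionError(envelope.get("Error") or "unauthorized")
    actual = envelope["Data"]["Environment"]
    if actual != expected:
        raise RuntimeError(f"token routes to {actual!r}, expected {expected!r}")
    return envelope["Data"]["ProjectID"]


# Constructed sample replies, using the response shapes shown on this page.
SAMPLE_OK = ('{"Data": {"OrgID": "org_xyz789", "ProjectID": "proj_abc123", '
             '"ProjectName": "My Sandbox Project", "Environment": "sandbox"}, "Error": null}')
SAMPLE_401 = '{"Data": null, "Error": "Invalid or missing authorization token"}'

if __name__ == "__main__":
    print(require_environment(200, SAMPLE_OK, "sandbox"))
```

Calling require_environment with "sandbox" at the start of a test suite stops the run before any booking call if a Production token was loaded by mistake.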

Managing API Tokens

In the YGO Console

Once you have Console access, you can:
1. View all tokens - See which tokens belong to which Projects
2. Generate new tokens - Create additional tokens for the same Project (useful for different services)
3. Revoke tokens - Immediately invalidate compromised tokens
4. Monitor usage - Track API calls per token (coming soon)

Best Practices

DO:
• Use separate API tokens for different environments (Sandbox vs Production)
• Store tokens in environment variables or secret managers
• Rotate tokens periodically (every 6-12 months)
• Revoke tokens immediately if compromised

DON'T:
• Hard-code tokens in your application
• Commit tokens to Git repositories
• Share tokens between team members (generate separate tokens instead)
• Use Production tokens for testing

Rate Limits

API tokens are subject to rate limits to ensure fair usage:
• Sandbox: 100 requests per minute
• Production: 1000 requests per minute (or custom limits per contract)

Rate limit information is included in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000

INFO
If you hit rate limits regularly, contact your account manager to discuss increasing your limits.
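
An added example, not from the YGO documentation, of pacing a client from the three headers above. It assumes X-RateLimit-Reset is a Unix timestamp in seconds, which this page does not state; the function name and the max_wait cap are hypothetical.

```python
import time

# Constructed sample: the header values shown on this page.
SAMPLE_HEADERS = {
    "X-RateLimit-Limit": "100",
    "X-RateLimit-Remaining": "95",
    "X-RateLimit-Reset": "1640000000",
}


def pacing_delay(headers, now=None, max_wait=120.0):
    """Return the seconds to sleep before the next call, from the X-RateLimit-* headers."""
    now = time.time() if now is None else now
    # Header names are case-insensitive on the wire; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    try:
        remaining = int(h["x-ratelimit-remaining"])
        reset_at = int(h["x-ratelimit-reset"])  # assumed: Unix epoch seconds
    except (KeyError, ValueError):
        return 0.0  # headers absent or malformed: do not guess a delay
    window_left = max(0.0, reset_at - now)
    if remaining <= 0:
        # Budget spent: wait for the window to reset, but never longer than max_wait.
        return min(window_left, max_wait)
    # Spread the remaining budget evenly over what is left of the window.
    return min(window_left / remaining, max_wait)


if __name__ == "__main__":
    print(pacing_delay(SAMPLE_HEADERS, now=1639999905))
```

Because the limit applies per token, services that share one token also share one budget; a separate token per service keeps one noisy job from starving the others.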

Next Steps

Now that you're authenticated, try the Quickstart Guide to make your first search request.
Modified at 2026-04-14 07:26:40