Alternative OAuth 2.0. authentication method

Once you have access to your Partner Dev account, you can retrieve your API credentials and manage the settings on your App Details Page.

The below details will be required as part of the OAuth 2.0. authentication:

1. client_id - Client ID issued by Cloudbeds.
2. client_secret - You can click on 'Generate New Secret' to retrieve your client secret for the first time or to reset it.
3. redirect_uri  -  It is the predefined URL where the OAUth 2.0. authorization_code is forwarded to.
4. Permission scopes - Select the permission scopes required for the API endpoints you intend to use. You can find details on the scopes related to each endpoint in the API documentation.

Based on the User Authorization Flow Options implemented, the property user can find your App in Cloudbeds Marketplace.
When clicking on the Connect App option, the user is directed to your OAuth link (defined in the App Details page) to confirm your permission scopes and, upon successful authorization, they are redirected to your predefined redirect_uri  with the  authorization_code .

Once the user authorizes the integration with your App and is redirected to your redirect URI with the authorization_code, you need to send an access_token (grant_type: authorization_code) call to exchange the authorization_code for an access_token and refresh_token.

The access_token returned by /access_token may be used to access Cloudbeds API by including it in the authorization header of your requests (Authorization: Bearer vjsZOLa2tMazV09T01SlwIQGq8HC56LYL8kXcBBp).

The  access_token  is valid for 60 minutes and the refresh_token  is permanent and does not expire.
You can send a an access_token (grant_type: refresh_token) call to refresh the   access_token .

In the response, a new  access_token and the permanent refresh_token will be returned.

You can follow the steps in this guide to access our API resources with the OAuth 2.0. authentication method. 

We strongly recommend not using webhooks as a trigger to refresh the token pair as they can come in simultaneously and cause invalidation of tokens.

If the Refresh Token expires with token has expired error, then the property should re-authorize the app. 

It's possible to send information to Cloudbeds authorization and this information will be relayed back to you on your redirect URI endpoint.
The state parameter is defined on RFC 6749 (https://tools.ietf.org/html/rfc6749).

The request below is used to start the OAuth authorization flow and describes the usage of the state parameter:

This way, after the property staff authenticates into Cloudbeds and authorizes the integration, they'll be redirected to your endpoint with both the authorization_code and the state as described on the request:

If no state parameter is passed in the OAuth URL, a random state parameter will be still provided together with the authorization_code when the property is redirected to your redirect URI.

Read more on auth0.com.

PropertyID is a unique account identifier in the Cloudbeds system. Right after the OAuth flow is finished you may obtain the propertyID and other info using getHotels or getHotelDetails. These endpoints show you exactly to which properties the OAuth credentials give access.
Cloudbeds users don't know their propertyID and can't obtain it. It must be obtained through the API.