Authentication overview
Authentication for the Compare Flight Prices API ensures that only authorized applications and users can access flight comparison data and associated services. The API employs industry-standard security protocols to protect both the integrity of the data and the privacy of user interactions. All interactions with the Compare Flight Prices API must occur over HTTPS/TLS encrypted connections, preventing eavesdropping and tampering of data in transit.
The choice of authentication method depends on the integration type. Server-to-server applications, such as backend services or data aggregation tools, typically use API keys for straightforward and secure access. For applications that require user consent to access specific data or perform actions on their behalf, such as a personalized travel planning app, OAuth 2.0 is the recommended and supported method. This layered approach to authentication allows developers to implement the most appropriate security model for their specific use case while adhering to best practices in API security, as detailed in the OAuth 2.0 Authorization Framework documentation.
Supported authentication methods
Compare Flight Prices supports two primary authentication methods tailored for different integration scenarios:
- API Key: A simple token-based method suitable for server-side applications where the API key can be securely stored and managed. It grants direct access to the API based on the permissions associated with the key.
- OAuth 2.0: An authorization framework that enables third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This is ideal for user-facing applications that need to interact with Compare Flight Prices services on behalf of a user without handling their credentials directly. The official OAuth.net website provides comprehensive resources on its implementation.
Authentication method comparison
| Method | When to Use | Security Level | Complexity |
|---|---|---|---|
| API Key | Server-side applications, internal tools, direct data retrieval where the key can be kept secret. | Medium (depends heavily on secure storage) | Low |
| OAuth 2.0 | Client-side applications, mobile apps, web applications needing user consent for delegated access. | High (delegated access, token expiration, refresh tokens) | Medium |
Getting your credentials
Accessing the Compare Flight Prices API requires obtaining appropriate credentials from your developer account. The process typically involves registering an application and generating the necessary keys or setting up OAuth 2.0 client details.
For API Keys:
- Register a Developer Account: Navigate to the Compare Flight Prices developer portal and create a new account or log in if you already have one.
- Create a New Application: Within your developer dashboard, locate the section for 'Applications' or 'Projects' and create a new application entry. This step helps organize your API usage and associate specific keys with specific projects.
- Generate API Key: Once your application is created, the dashboard will provide an option to generate an API key. This key is a unique string that identifies your application. Copy this key immediately upon generation, as it may only be shown once for security reasons.
- Assign Permissions (Optional): Depending on your use case, you might need to assign specific permissions or scopes to your API key. Review the available options in your dashboard to ensure your key has the necessary access to the Compare Flight Prices API endpoints you intend to use.
For OAuth 2.0:
- Register a Developer Account: Similar to API keys, begin by registering or logging into your Compare Flight Prices developer portal account.
- Create an OAuth 2.0 Application: In your developer dashboard, create a new application, specifying that it will use OAuth 2.0 for authorization.
- Configure Redirect URIs: Provide one or more Redirect URIs (also known as Callback URLs). These are the URLs to which the user will be redirected after granting or denying consent to your application. This is a critical security measure to prevent unauthorized redirects.
- Obtain Client ID and Client Secret: Upon successful application registration, you will receive a Client ID and a Client Secret. The Client ID is public and identifies your application to the authorization server. The Client Secret is confidential and used to authenticate your application itself when requesting tokens.
- Define Scopes: Specify the OAuth scopes your application requires. Scopes define the level of access your application requests from the user (e.g., read:flight_data, manage:alerts).
- Implement Authorization Flow: Integrate the chosen OAuth 2.0 flow (e.g., Authorization Code Flow for web applications) into your application logic to guide users through the consent process and obtain access tokens.
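A worked example of the client side of the Authorization Code Flow set up in the steps above (added here; not the Compare Flight Prices portal or SDK code). The authorization endpoint, client ID and registered Redirect URI are assumed placeholders; the `state` parameter is standard OAuth 2.0 and is included because a callback handler without it accepts forged or replayed redirects.

```python
import hmac
import secrets
import urllib.parse

# Hypothetical values: the page names no authorization-server URL or client ID.
AUTHORIZE_URL = "https://auth.compareflightprices.example/oauth2/authorize"
CLIENT_ID = "your-client-id"  # public identifier from the developer dashboard
# Exact Redirect URIs registered in the developer portal (constructed for this example).
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}

def start_authorization(redirect_uri, scopes):
    """Build the authorization request; return (url, state). Keep state in the user's session."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri must exactly match a registered Redirect URI")
    state = secrets.token_urlsafe(32)  # unguessable, binds the callback to this session
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{AUTHORIZE_URL}?{urllib.parse.urlencode(params)}", state

def handle_callback(callback_url, expected_state, expected_redirect_uri):
    """Validate the redirect back to the app; return the authorization code or raise."""
    parsed = urllib.parse.urlsplit(callback_url)
    base = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if base != expected_redirect_uri:
        raise ValueError("callback arrived at a URI other than the one registered")
    query = urllib.parse.parse_qs(parsed.query)
    if "error" in query:
        raise PermissionError(f"consent not granted: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means a forged or replayed callback, so stop here.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def token_request_body(code, redirect_uri, client_secret):
    """Form body for the server-side code exchange; the Client Secret never leaves the backend."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri,  # must repeat the URI used in the authorization request
        "client_id": CLIENT_ID, "client_secret": client_secret})
```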
Authenticated request example
The following examples demonstrate how to include your credentials in API requests using common methods. It is crucial to replace placeholder values with your actual API key or access token.
API Key example (Header-based)
For API key authentication, the key is typically passed in a custom HTTP header, such as X-Api-Key, or as a query parameter. Using a header is generally preferred for security, because query strings are far more likely to be recorded in server logs, proxy logs and browser history.
curl -X GET \
'https://api.compareflightprices.com/v1/flights/search?origin=JFK&destination=LAX&date=2026-08-15' \
-H 'X-Api-Key: YOUR_API_KEY_HERE' \
-H 'Content-Type: application/json'
OAuth 2.0 example (Bearer Token)
With OAuth 2.0, after your application successfully completes the authorization flow and obtains an access token, this token is included in the Authorization header using the Bearer scheme.
curl -X GET \
'https://api.compareflightprices.com/v1/flights/search?origin=JFK&destination=LAX&date=2026-08-15' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN_HERE' \
-H 'Content-Type: application/json'
For more detailed information on constructing OAuth 2.0 requests and managing tokens, refer to the Bearer Token Usage RFC 6750.
Security best practices
Proper management of your API credentials is vital to maintaining the security and integrity of your applications and data. Adhere to the following best practices:
- Keep API Keys Confidential: Never hardcode API keys directly into client-side code (e.g., JavaScript in a browser). Store them securely on your server, using environment variables or a dedicated secrets management service.
- Protect Client Secrets: For OAuth 2.0, the Client Secret must be treated with the same level of confidentiality as an API key. It should only be used by your server-side application to request tokens.
- Use HTTPS/TLS: Always ensure all API communications occur over HTTPS/TLS. The Compare Flight Prices API strictly enforces this, but it's a fundamental principle for any secure web communication.
- Implement Least Privilege: Grant your API keys or OAuth applications only the minimum necessary permissions (scopes) required for their intended function. Avoid granting broad access if specific, limited access will suffice.
- Rotate Credentials Periodically: Regularly rotate your API keys and OAuth client secrets. This reduces the risk associated with a compromised credential remaining active indefinitely.
- Secure Redirect URIs (OAuth 2.0): For OAuth 2.0 applications, register and carefully manage your Redirect URIs. Only allow redirects to trusted and controlled URLs to prevent authorization code interception attacks.
- Validate and Sanitize Inputs: Any data sent to the API, especially in search queries, should be validated and sanitized to prevent injection attacks and ensure the API behaves as expected.
- Monitor API Usage: Regularly review your API usage logs for any unusual activity or excessive requests that might indicate a compromised key or application.
- Error Handling: Implement robust error handling in your application to gracefully manage API errors, including authentication failures. Avoid exposing sensitive error details to end-users.
- Token Revocation (OAuth 2.0): If an access token or refresh token is compromised, ensure you have a mechanism to revoke it immediately through the Compare Flight Prices developer portal or API.
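The two curl requests above and several of these practices (credentials from the environment, TLS only, input validation on search parameters, least privilege, error handling that hides sensitive detail) combined into one small client. This is an added example, not Compare Flight Prices client code; the base URL and header names come from this page, while the 3-letter airport-code rule and the user-facing error texts are assumptions.

```python
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from datetime import date

BASE_URL = "https://api.compareflightprices.com/v1"  # https only, as in this page's curl examples
IATA_CODE = re.compile(r"[A-Z]{3}")  # assumption: origin/destination are 3-letter IATA codes
SAFE_AUTH_ERRORS = {401: "Authentication failed: the configured credential was rejected.",
                    403: "The credential lacks the scope required for this endpoint."}

def validate_search_params(origin, destination, travel_date):
    """Reject input that is not a plausible airport code or ISO date before it reaches the API."""
    for code in (origin, destination):
        if not IATA_CODE.fullmatch(code):
            raise ValueError(f"invalid airport code: {code!r}")
    try:
        parsed = date.fromisoformat(travel_date)
    except ValueError:
        raise ValueError(f"invalid date, expected YYYY-MM-DD: {travel_date!r}") from None
    return {"origin": origin, "destination": destination, "date": parsed.isoformat()}

def build_search_request(credential, scheme, origin, destination, travel_date):
    """Return (url, headers) for a flight search using either auth scheme shown on this page."""
    params = validate_search_params(origin, destination, travel_date)
    url = f"{BASE_URL}/flights/search?{urllib.parse.urlencode(params)}"
    headers = {"Content-Type": "application/json"}
    if scheme == "api_key":
        headers["X-Api-Key"] = credential
    elif scheme == "bearer":
        headers["Authorization"] = f"Bearer {credential}"
    else:
        raise ValueError(f"unknown auth scheme: {scheme!r}")
    return url, headers

def search_flights(scheme, env_var, origin, destination, travel_date):
    """Send the request with a credential read from the environment; on an auth failure the caller gets a user-safe message and the credential and raw response stay out of it."""
    credential = os.environ.get(env_var, "").strip()
    if not credential:
        raise RuntimeError(f"{env_var} is not set")
    url, headers = build_search_request(credential, scheme, origin, destination, travel_date)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code in SAFE_AUTH_ERRORS:
            raise PermissionError(SAFE_AUTH_ERRORS[exc.code]) from None
        raise
```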