Authentication
An application provides you with a Client ID and Secret Key that you need to create an authenticated OAuth2 session you can use to communicate with Wink and TripPay APIs.
Here are the steps to create an authenticated session.
Step 1. Retrieve an access token on staging or in our production environment:
You will, most likely, be working with a robust OAuth2 library for your language, which will do all the heavy lifting for you.
Our examples will show the most basic usage from the command line using curl.
Staging

```bash
curl -X POST https://staging-iam.wink.travel/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_SECRET_KEY>"
```

Production

```bash
curl -X POST https://iam.wink.travel/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_SECRET_KEY>"
```

This will return an access token, along with other OAuth2 response data:

```json
{ "access_token": "abc123" }
```

When you make a call to any of our endpoints, include the following in the header:

- Wink-Version=2.0 (latest; see our API docs for other available versions)
- Authorization=Bearer ${access_token} (insert your access token)
Scopes
A scope is a permission your access token carries. When you request a token, you pass a space-delimited list of scopes in the scope parameter, and the token can only reach the areas those scopes cover. With the client_credentials grant you set the scopes on your token request — see the curl examples above and the Postman walkthrough.
Scopes are named section.action, where the action is one of:

- read — view resources (safe GET requests)
- write — create and update resources (POST/PUT/PATCH)
- remove — delete resources (DELETE)
Wink groups permissions by functional area. Request only the scopes your integration needs:
| Scope group | Scopes | What they unlock | Risk |
|---|---|---|---|
| Account | account.read account.write account.remove | Managing entities, team members, settings, applications | Low–Medium |
| Inventory | inventory.read inventory.write inventory.remove | Properties, room-types, rate-plans, rates, add-ons, availability, activities, attractions | Low–Medium |
| Booking | booking.read booking.write booking.remove | Search, view, create, cancel, and refund bookings; checkout; cancellation policies | Low–Medium |
| Marketing | marketing.read marketing.write marketing.remove | Campaigns, perks, sales channels, WinkLinks, managed social, loyalty | Low–Medium |
| Content | content.read content.write content.remove | Property descriptions, reviews, media, maps, green-index | Low–Medium |
| Analytics | analytics.read analytics.write analytics.remove | Reporting and analytics — revenue, leaderboards | Low–Medium |
| Integrations | integrations.read integrations.write integrations.remove | Channel managers, external booking systems, Google Hotel, notification endpoints, booking sync | Low–Medium |
| Payment | payment.read payment.write payment.remove | Payment processing, Stripe, Revolut, payouts, subscriptions | Medium–High |
| Accounting | accounting.read accounting.write accounting.remove | Accounting, withdrawal ledger, reconciliation | Medium–High |
| MCP | mcp.read mcp.write mcp.remove | Opens the MCP transport (/mcp) for AI agents | Low–Medium |
A few things to keep in mind:
- Request the minimum. Ask only for the scopes your integration actually uses — a token issued with broader access than necessary is a larger blast radius if leaked.
- Unknown scopes are rejected. Requesting a scope your application isn’t registered for, or one that doesn’t exist, fails at token issuance.
- mcp.* is only for AI-agent clients. You need it to open the MCP transport; it isn’t required for regular REST API calls. See Model Context Protocol.
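As an added example (not Wink's own SDK), the Python helper below builds the client_credentials token request with an explicit, validated scope list, derives the Wink-Version and Authorization headers from the token endpoint's JSON, and checks whether a token's scopes cover a given HTTP method on a section. The function names and the method-to-action mapping are assumptions drawn from the read/write/remove definitions above; only fetch_token touches the network.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URLS = {  # endpoints from the curl examples above
    "staging": "https://staging-iam.wink.travel/oauth2/token",
    "production": "https://iam.wink.travel/oauth2/token",
}
# Scope groups and actions from the scopes table
SECTIONS = {"account", "inventory", "booking", "marketing", "content",
            "analytics", "integrations", "payment", "accounting", "mcp"}
ACTIONS = {"read", "write", "remove"}
# HTTP method -> scope action it needs (assumed from read/write/remove definitions)
METHOD_ACTION = {"GET": "read", "POST": "write", "PUT": "write",
                 "PATCH": "write", "DELETE": "remove"}

def validate_scopes(scopes):
    """Reject unknown scopes client-side; the IAM server rejects them at issuance anyway."""
    bad = [s for s in scopes if s.count(".") != 1
           or s.split(".")[0] not in SECTIONS or s.split(".")[1] not in ACTIONS]
    if bad:
        raise ValueError(f"unknown scopes: {bad}")
    return sorted(set(scopes))  # deduplicated, stable order

def token_request_body(client_id, client_secret, scopes):
    """Form body for the client_credentials grant; scopes are space-delimited."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(validate_scopes(scopes)),
    })

def fetch_token(env, client_id, client_secret, scopes):
    """POST to the IAM token endpoint and return its JSON (this one hits the network)."""
    body = token_request_body(client_id, client_secret, scopes).encode()
    req = urllib.request.Request(TOKEN_URLS[env], data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def api_headers(token_response, version="2.0"):
    """Headers every Wink API call needs, built from the token endpoint's JSON."""
    return {"Wink-Version": version,
            "Authorization": f"Bearer {token_response['access_token']}"}

def token_allows(granted_scopes, section, method):
    """Least-privilege check: may a token with these scopes do `method` on `section`?"""
    return f"{section}.{METHOD_ACTION[method.upper()]}" in set(granted_scopes)
```

Keep the client secret out of logs and build the request body only in memory; a token minted with just inventory.read cannot be used for a DELETE, which token_allows lets you confirm before the call.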