Authentication
The Ticket Buyback Partner API uses a two-step client credentials flow. You exchange your client_id and client_secret for a short-lived access token, then include that token on every subsequent request.
Credentials
Credentials are provisioned manually by Ticket Buyback during partner onboarding. You will receive:
| Credential | Description |
|---|---|
client_id | Your public partner identifier |
client_secret | Your secret key — treat this like a password, never expose it publicly |
warning
Never commit your client_secret to source control or log it anywhere. TBB can rotate credentials on request or automatically upon suspected compromise.
Step 1 — Get an Access Token
Exchange your credentials for a Bearer token.
Endpoint
POST /v1/auth/token
No Authorization header is required on this endpoint.
Request
cURL
curl -X POST https://api.ticketbuyback.com/partner/v1/auth/token \
-H "Content-Type: application/json" \
-d '{
"client_id": "tbb_partner_clientid_abc123",
"client_secret": "tbb_partner_secret_xxxxxxxxxxxxxxxx",
"grant_type": "client_credentials"
}'
JavaScript
const response = await fetch("https://api.ticketbuyback.com/partner/v1/auth/token", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
client_id: "tbb_partner_clientid_abc123",
client_secret: "tbb_partner_secret_xxxxxxxxxxxxxxxx",
grant_type: "client_credentials",
}),
});
const { data } = await response.json();
const token = data.access_token;
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your partner client ID |
client_secret | string | Yes | Your partner client secret |
grant_type | string | Yes | Must be client_credentials |
Response — 200 OK
{
"success": true,
"data": {
"access_token": "eyJwYXJ0bmVyX2lkIjoiZ...",
"token_type": "Bearer",
"expires_at": "2026-02-27T10:30:00Z",
"expires_in": 3600,
"scope": "events:read quotes:write orders:write"
},
"meta": {
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"timestamp": "2026-02-26T10:30:00Z"
}
}
| Field | Description |
|---|---|
access_token | Bearer token to use on all subsequent requests |
token_type | Always Bearer |
expires_at | UTC timestamp when the token expires |
expires_in | Seconds until expiry (3600 = 1 hour) |
scope | Permissions granted to this token |
Step 2 — Use the Token
Include the access token as a Bearer token in the Authorization header on every authenticated request.
cURL
curl https://api.ticketbuyback.com/partner/v1/events \
-H "Authorization: Bearer eyJwYXJ0bmVyX2lkIjoiZ..." \
-H "Accept: application/json"
JavaScript
const response = await fetch("https://api.ticketbuyback.com/partner/v1/events", {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json",
},
});
Token Lifecycle
POST /auth/token
│
▼
Validate client_id + client_secret
│
├── Invalid → 401 INVALID_CREDENTIALS
│
▼
Check partner account status
│
├── Inactive → 403 ACCOUNT_SUSPENDED
│
▼
Create session record
│
▼
Generate HMAC-SHA256 signed token
(encrypted partner_id + session_id + expiry)
│
▼
Return access_token — valid for 1 hour
- When your token expires, simply repeat Step 1 to get a new one.
Authorization Rules
| Endpoint | Requirement |
|---|---|
POST /v1/auth/token | client_id + client_secret |
| All Discovery endpoints | Valid Bearer token |
POST /v1/quotes | Valid Bearer token + Payout configured |
POST /v1/orders | Valid Bearer token + Payout configured |
Error Scenarios
| Scenario | HTTP Status | Error Code |
|---|---|---|
Invalid client_id or client_secret | 401 | INVALID_CREDENTIALS |
| Partner account inactive or suspended | 403 | ACCOUNT_SUSPENDED |
| Missing required fields | 400 | VALIDATION_ERROR |
Unsupported grant_type | 400 | UNSUPPORTED_GRANT_TYPE |
| Token expired on a later request | 401 | TOKEN_EXPIRED |
Security Notes
client_secretis never logged, stored in plaintext, or echoed in any response.- Each partner token is scoped to your own TBB account only — you cannot access another partner's data.
Next Step
With your token in hand, start discovering events: