Authentication

The Ticket Buyback Partner API uses a two-step client credentials flow. You exchange your client_id and client_secret for a short-lived access token, then include that token on every subsequent request.

Credentials

Credentials are provisioned manually by Ticket Buyback during partner onboarding. You will receive:

Credential	Description
`client_id`	Your public partner identifier
`client_secret`	Your secret key — treat this like a password, never expose it publicly

warning

Never commit your client_secret to source control or log it anywhere. TBB can rotate credentials on request or automatically upon suspected compromise.

Step 1 — Get an Access Token

Exchange your credentials for a Bearer token.

Endpoint

POST /v1/auth/token

No Authorization header is required on this endpoint.

Request

cURL
curl -X POST https://api.ticketbuyback.com/partner/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "tbb_partner_clientid_abc123",
    "client_secret": "tbb_partner_secret_xxxxxxxxxxxxxxxx",
    "grant_type": "client_credentials"
  }'

JavaScript
const response = await fetch("https://api.ticketbuyback.com/partner/v1/auth/token", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    client_id: "tbb_partner_clientid_abc123",
    client_secret: "tbb_partner_secret_xxxxxxxxxxxxxxxx",
    grant_type: "client_credentials",
  }),
});

const { data } = await response.json();
const token = data.access_token;

Request Body

Field	Type	Required	Description
`client_id`	string	Yes	Your partner client ID
`client_secret`	string	Yes	Your partner client secret
`grant_type`	string	Yes	Must be `client_credentials`

Response — 200 OK

{
  "success": true,
  "data": {
    "access_token": "eyJwYXJ0bmVyX2lkIjoiZ...",
    "token_type": "Bearer",
    "expires_at": "2026-02-27T10:30:00Z",
    "expires_in": 3600,
    "scope": "events:read quotes:write orders:write"
  },
  "meta": {
    "request_id": "550e8400-e29b-41d4-a716-446655440000",
    "timestamp": "2026-02-26T10:30:00Z"
  }
}

Field	Description
`access_token`	Bearer token to use on all subsequent requests
`token_type`	Always `Bearer`
`expires_at`	UTC timestamp when the token expires
`expires_in`	Seconds until expiry (3600 = 1 hour)
`scope`	Permissions granted to this token

Step 2 — Use the Token

Include the access token as a Bearer token in the Authorization header on every authenticated request.

cURL
curl https://api.ticketbuyback.com/partner/v1/events \
  -H "Authorization: Bearer eyJwYXJ0bmVyX2lkIjoiZ..." \
  -H "Accept: application/json"

JavaScript
const response = await fetch("https://api.ticketbuyback.com/partner/v1/events", {
  headers: {
    Authorization: `Bearer ${token}`,
    Accept: "application/json",
  },
});

Token Lifecycle

POST /auth/token
      │
      ▼
 Validate client_id + client_secret
      │
      ├── Invalid → 401 INVALID_CREDENTIALS
      │
      ▼
 Check partner account status
      │
      ├── Inactive → 403 ACCOUNT_SUSPENDED
      │
      ▼
 Create session record
      │
      ▼
 Generate HMAC-SHA256 signed token
 (encrypted partner_id + session_id + expiry)
      │
      ▼
 Return access_token — valid for 1 hour

When your token expires, simply repeat Step 1 to get a new one.

Authorization Rules

Endpoint	Requirement
`POST /v1/auth/token`	`client_id` + `client_secret`
All Discovery endpoints	Valid Bearer token
`POST /v1/quotes`	Valid Bearer token + Routable configured
`POST /v1/orders`	Valid Bearer token + Routable configured

Error Scenarios

Scenario	HTTP Status	Error Code
Invalid `client_id` or `client_secret`	401	`INVALID_CREDENTIALS`
Partner account inactive or suspended	403	`ACCOUNT_SUSPENDED`
Missing required fields	400	`VALIDATION_ERROR`
Unsupported `grant_type`	400	`UNSUPPORTED_GRANT_TYPE`
Token expired on a later request	401	`TOKEN_EXPIRED`

Security Notes

client_secret is never logged, stored in plaintext, or echoed in any response.
Failed authentication attempts are rate-limited. After 5 consecutive failures within 10 minutes, the IP is temporarily blocked.
Each partner token is scoped to your own TBB account only — you cannot access another partner's data.

Next Step

With your token in hand, start discovering events:

→ Discovery — Search Events

Credentials​

Step 1 — Get an Access Token​

Endpoint​

Request​

Request Body​

Response — 200 OK​

Step 2 — Use the Token​

Token Lifecycle​

Authorization Rules​

Error Scenarios​

Security Notes​

Next Step​