Airlines

NDC is a standard. Real airline implementations are not standardised. Every carrier picks its own subset, auth scheme, sandbox setup, and certification process. This page is the cheat-sheet.

The certification game

Before an airline gives you production credentials, you typically go through:

  1. Commercial agreement — a bilateral distribution contract, sometimes via a connection provider (Travelport, Sabre, Amadeus NDC-X, Duffel, Verteil, AirGateway…). Some airlines accept direct connect.
  2. Technical certification — a scenario list you must pass against the sandbox: round-trip shopping, multi-pax, infants, ancillary sell, seat sell, change, cancel, refund, schedule change.
  3. L2B contract — the look-to-book ratio you must maintain (typical: 50:1 to 500:1). Exceed it and you get throttled, then suspended.
  4. Go-live — production credentials are issued. Most airlines reuse the sandbox OAuth client ID with a different secret and endpoint.

Supported carriers

Airline             Code          Auth                         Status
British Airways     BA            OAuth2 client_credentials    Live
Iberia              IB            OAuth2 client_credentials    Live
American Airlines   AA            mTLS + OAuth2                Beta
Lufthansa Group     LH/LX/OS/SN   OAuth2 client_credentials    Beta
Air France          AF            OAuth2 client_credentials    Coming soon
KLM                 KL            OAuth2 client_credentials    Coming soon
Emirates            EK            OAuth2 client_credentials    Coming soon
Qantas              QF            OAuth2 client_credentials    Coming soon
Turkish Airlines    TK            OAuth2 + HTTP Basic token    Coming soon

Common quirks by carrier

These are well-known traps that recur across most integrations. Treat each integration as a fresh exercise and re-read the carrier's spec.

British Airways (BA)

OAuth2 client_credentials, scope "ndc". Office ID (PCC) required even though the request is direct. Schedule-change push via webhook subscription on their portal, not via polling.

Iberia (IB)

Same OAuth2 family as BA (IAG group), separate credentials. The Currency element is required at offer level even when the response already carries it per-fare-component.

American Airlines (AA)

Mutual TLS and OAuth2 on top. Requires ARC accreditation. Strict on PTC codes — using ADT for someone under 18 will fail validation.

Lufthansa Group (LH/LX/OS/SN)

All four carriers behind a single endpoint. The carrier code goes into the OwnerCode element of each offer; one request can return mixed carriers.

Ryanair, easyJet, Wizz

No NDC at all. JSON direct-connect APIs. Integrated by writing an adapter that talks JSON but maps to the same canonical Offer model.

Auth schemes

OAuth2 client_credentials (RFC 6749 §4.4)

POST { token_url }
Authorization: Basic base64(client_id:client_secret)
Content-Type:  application/x-www-form-urlencoded
Body: grant_type=client_credentials&scope={ airline_scope }

→ { "access_token": "…", "expires_in": 3600, "token_type": "Bearer" }

Use as: Authorization: Bearer { access_token }
Cache until ~30s before expiry.
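
The flow above with the 30-second early refresh, as an added example (not from the original page or any carrier's SDK). `TokenCache`, `build_token_request` and the injected `transport` and `clock` parameters are assumptions made so the block runs offline.

```python
import base64
import threading
import time
import urllib.parse


def build_token_request(client_id, client_secret, scope):
    """Headers and form body for the client_credentials grant shown above."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials", "scope": scope}
    return headers, urllib.parse.urlencode(form).encode()


class TokenCache:
    """Holds one access token and refetches it `skew` seconds before expiry."""

    def __init__(self, token_url, client_id, client_secret, scope,
                 transport, clock=time.monotonic, skew=30):
        # transport(url, headers, body) -> dict is a hypothetical seam: it
        # stands in for the HTTPS POST so this example runs offline.
        if not token_url.startswith("https://"):
            raise ValueError("token endpoint must be HTTPS: Basic carries the secret")
        self._url, self._creds = token_url, (client_id, client_secret, scope)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token, self._refresh_at = None, 0.0

    def bearer_header(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                headers, body = build_token_request(*self._creds)
                resp = self._transport(self._url, headers, body)
                token = resp.get("access_token")
                if not token or str(resp.get("token_type", "")).lower() != "bearer":
                    # Do not echo resp into logs or errors: it may hold a token.
                    raise ValueError("unexpected token response")
                # expires_in <= skew means the token is refetched on every call.
                lifetime = max(0, int(resp.get("expires_in", 0)) - self._skew)
                self._token, self._refresh_at = token, now + lifetime
            return {"Authorization": f"Bearer {self._token}"}
```

Keep one `TokenCache` per carrier and per environment, since sandbox and production differ in secret and endpoint.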

HTTP Basic (RFC 7617)

Authorization: Basic base64(username:password)
// Sent on every call — no token endpoint, no caching.
// Used by some legacy carriers and sandboxes.

mTLS + OAuth2

// Client presents a TLS certificate signed by the airline's CA
// in addition to standard OAuth2.
// Used by AA and DL.