Authentication
This topic explains how to authenticate your identity while calling the Booking.com Connectivity APIs.
Booking.com currently supports two methods to authenticate and authorize API requests:
- OAuth 2.0 authorization framework
- Basic authentication scheme (Soon to be deprecated)
Advantages of using OAuth 2.0
This section lists the advantages of using OAuth 2.0 over the Basic authentication scheme.
| Functionality | Basic authentication scheme | OAuth 2.0 |
|---|---|---|
| Use of machine account credentials | Sent with every API request | Used once an hour, only to generate a new short-lived token |
| Short-lived tokens | No | Yes; each token expires after one hour |
| Token expiry and revocation | No expiry | Yes |
| Supports JSON Web Tokens | No | Yes |
| Machine account details shared only once, at the time of creation | Yes | Yes |
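The table above contrasts sending the long-lived machine account credentials on every call with exchanging them once an hour for a short-lived token. The following Python is an added illustration of that client-side difference; it is not Booking.com's code and it does not use the real token endpoint, grant type or token format, none of which this page specifies. The token-fetching call is injected (`fetch_token`), and the `make_fake_issuer` function is a constructed stand-in for the authorization server so the example runs offline. `REFRESH_MARGIN_SECONDS`, the `TokenProvider` class and the credential values are all assumptions of this example.

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholder credentials. Real machine account credentials come from
# the Connectivity Portal and belong in a secret store, never in source code.
MACHINE_ACCOUNT_USER = "machine-account-example"
MACHINE_ACCOUNT_PASSWORD = "example-password"

# Assumed safety margin: renew the token this many seconds before its stated
# expiry so a request issued just before the hour mark never carries a stale token.
REFRESH_MARGIN_SECONDS = 60


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Basic scheme: the long-lived machine account secret leaves the client on every call."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


@dataclass
class TokenProvider:
    """Caches a short-lived OAuth 2.0 access token and renews it only when it is about to expire.

    fetch_token is whatever obtains a token from the authorization server with the
    machine account credentials (hypothetical contract: returns the token string and
    its lifetime in seconds). Injecting it keeps the class testable offline.
    """
    fetch_token: Callable[[str, str], Tuple[str, int]]
    username: str
    password: str
    clock: Callable[[], float] = time.time
    fetch_count: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def get_token(self) -> str:
        now = self.clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            token, lifetime = self.fetch_token(self.username, self.password)
            self._token = token
            self._expires_at = now + lifetime
            self.fetch_count += 1  # credentials were used exactly here and nowhere else
        return self._token

    def invalidate(self) -> None:
        """Call this on a 401 so the next request fetches a fresh token (covers revocation)."""
        self._token = None
        self._expires_at = 0.0

    def bearer_header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.get_token()}


def make_fake_issuer(lifetime_seconds: int = 3600) -> Callable[[str, str], Tuple[str, int]]:
    """Constructed stand-in for the authorization server: mints opaque, numbered tokens
    valid for one hour and rejects wrong machine account credentials."""
    counter = {"n": 0}

    def issue(username: str, password: str) -> Tuple[str, int]:
        if (username, password) != (MACHINE_ACCOUNT_USER, MACHINE_ACCOUNT_PASSWORD):
            raise PermissionError("invalid machine account credentials")
        counter["n"] += 1
        return f"token-{counter['n']}", lifetime_seconds

    return issue


def simulate_one_hour_of_calls(requests_per_hour: int = 120) -> Dict[str, int]:
    """Drive both schemes through a fake clock (one call every 30 s for an hour) and
    count how often the machine account credentials were actually used."""
    fake_now = [1_700_000_000.0]
    provider = TokenProvider(make_fake_issuer(), MACHINE_ACCOUNT_USER,
                             MACHINE_ACCOUNT_PASSWORD, clock=lambda: fake_now[0])
    basic_credential_uses = 0
    for _ in range(requests_per_hour + 1):
        basic_auth_header(MACHINE_ACCOUNT_USER, MACHINE_ACCOUNT_PASSWORD)
        basic_credential_uses += 1          # Basic: secret sent on every request
        provider.bearer_header()            # OAuth: cached token, renewed once near expiry
        fake_now[0] += 30.0
    return {"basic_credential_uses": basic_credential_uses,
            "oauth_credential_uses": provider.fetch_count}


if __name__ == "__main__":
    print(simulate_one_hour_of_calls())
```

In production, replace the injected fetcher with the HTTP call documented for the Booking.com token endpoint and keep the 401-driven `invalidate()` path: a token can be revoked before its hour is up, and the client must be able to recover without restarting.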
Introducing machine accounts
Machine accounts provide the access credentials you use either to generate an API token (OAuth 2.0 authorization framework) or to call the Booking.com Connectivity APIs directly (basic authentication scheme). Support for the basic authentication scheme will be deprecated in the future.
You can create machine accounts using the Connectivity Portal.
If you don't have access to the Connectivity Portal, a colleague who already has an account can create one for you. Booking.com typically grants access to the Connectivity Portal during the onboarding process.
Understanding the access scope using machine accounts
The following diagram illustrates the access scope for the Booking.com Connectivity APIs.
- Machine accounts are created at the property-level.
- You can add more than one property to a machine account.
- API access to an individual property's resources is restricted according to the connection type you hold with that property.
- Each connection type grants access to a specific set of APIs and their corresponding endpoints.
Guidelines around machine account usage
When working with machine accounts, follow the guidelines below:
- Enforce separation of concerns by creating dedicated machine accounts for the test and production environments.
- Configure test machine accounts with test properties only, and production machine accounts with production properties only.
- Add at most 5000 properties per machine account. Some APIs, such as the Reservations API, can return large response payloads, and fewer properties per machine account keeps those payloads to a manageable size. This matters most when retrieving pending reservations immediately after an outage: with the properties spread over several accounts, you can sync the missed reservations in parallel and recover faster.