The credential-based authentication scheme will be sunset on 31 December 2025. Make sure to migrate to the token-based authentication scheme for enhanced security. For more information, see the Deprecation and sunsetting topic.
Using the Credentials-based authentication scheme
You can use the credential-based authentication scheme to authenticate an incoming request. However, we recommend that you use the more secure token-based authentication method.
To get a successful response from Booking.com Connectivity APIs, you must provide a Base64-encoded credential in the Authorization header for each request.
For example:
Authorization: Basic {username:password}
{username:password} represents the Base64-encoded (RFC2045-MIME) credentials for your machine account.
Enhanced authentication rules
Booking.com enforces the following authentication and authorisation rules for enhanced protection and security:
- Specify the authentication details such as username and password only using the request Header. Credentials provided in the request body are ignored.
- The username is case-sensitive; make sure it doesn't contain leading white space.
- We have revised our password policy and no longer support the + character in the password. If your existing password contains the + character, make sure to create a new password using the Connectivity Portal.
Authentication failure
The API returns HTTP 401 for failed authentication attempts. The response body will be different for OTA and B.XML endpoints.
B.XML example
<?xml version='1.0' standalone='yes'?>
<reservations>
  <fault code="401" string="Authorization Required" />
</reservations>
OTA example
<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelResModifyNotifRS.xsd" TimeStamp="2018-06-22T14:56:37+00:00" Target="Production" Version="2.001">
  <Errors>
    <Error ShortText="Authorization Required"/>
  </Errors>
</OTA_HotelResModifyNotifRS>
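The following Python sketch is an added example, not Booking.com code. It builds the Authorization header while enforcing the rules above, and identifies which of the two 401 bodies came back. The function names, the UTF-8 encoding and the colon check (from RFC 7617) are assumptions, and the sample bodies are shortened from the examples on this page.

```python
import base64
import xml.etree.ElementTree as ET

OTA_ERROR = "{http://www.opentravel.org/OTA/2003/05}Error"

# Sample 401 bodies, shortened from the two examples on this page.
BXML_401 = '<reservations><fault code="401" string="Authorization Required" /></reservations>'
OTA_401 = ('<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05">'
           '<Errors><Error ShortText="Authorization Required"/></Errors>'
           '</OTA_HotelResModifyNotifRS>')


def build_auth_header(username: str, password: str) -> dict:
    """Build the Authorization header, rejecting values the rules above disallow."""
    if not username or username != username.lstrip():
        raise ValueError("username must be non-empty with no leading white space")
    if ":" in username:
        # RFC 7617: the first colon separates user-id from password.
        raise ValueError("username must not contain ':'")
    if "+" in password:
        raise ValueError("'+' is not supported in passwords; create a new password")
    # Assumption: credentials are UTF-8. Base64 is reversible, so treat the
    # header as a secret: send it over TLS only and keep it out of logs.
    pair = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(pair).decode("ascii")}


def auth_failure_kind(status: int, body: str):
    """Return 'B.XML', 'OTA' or 'unknown' for a 401 response, else None."""
    if status != 401:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    fault = root.find("fault")
    if fault is not None and fault.get("code") == "401":
        return "B.XML"
    if any(e.get("ShortText") == "Authorization Required" for e in root.iter(OTA_ERROR)):
        return "OTA"
    return "unknown"


if __name__ == "__main__":
    header = build_auth_header("machine_user", "constructed-password")  # constructed values
    print(sorted(header))  # print the header name only, never the value
    print(auth_failure_kind(401, BXML_401), auth_failure_kind(401, OTA_401))
```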
Troubleshooting
If your requests repeatedly fail authentication, check that:
- Your request includes the Authorization header;
- Your machine account credentials are correct;
- The IP allowlist for your machine account is up-to-date;
- You have access to the endpoint you're calling (contact us if you're not sure).