End of life notice
The credential-based authentication scheme is soon to be sunset on 31 December, 2025. Make sure to migrate to using token-based authentication scheme for enhanced security. For more information, see the [Deprecation and sunsetting topic.](/connectivity/docs/deprecation-policy/deprecation-and-sunsetting)

# Using the Credentials-based authentication scheme

You can use the [credential-based authentication scheme](https://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA) to authenticate an incoming request. However, we recommend that you use the more secure [token-based authentication method.](/connectivity/docs/token-based-authentication)

To get a successful response from Booking.com Connectivity APIs, you must provide a Base64-encoded credential in the `Authorization` header for each request.

For example:


```http
Authorization: Basic {username:password}
```

`{username:password}` represents the Base64-encoded ([RFC2045-MIME](https://www.ietf.org/rfc/rfc2045.txt)) credentials for your [machine account](/connectivity/docs/glossary_of_terms#machine-account).

## Enhanced authentication rules

Booking.com enforces the following authentication and authorisation rules for enhanced protection and security:

- Specify the authentication details such as username and password only using the request `Header`. Credentials provided in the request body are ignored.
- Make sure the username is case-sensitive and doesn't contain leading white space.
- We have revised our password policy and no longer support the `+` character in the password. If your existing password contains `+` character, make sure to create a new password using the [Connectivity Portal](https://connect.booking.com).


## Authentication failure

The API returns `HTTP 401` for failed authentication attempts. The response body will be different for OTA and B.XML endpoints.

### B.XML example


```xml
<?xml version='1.0' standalone='yes'?>
<reservations>
    <fault code="401"
         string="Authorization Required" />
</reservations>
```

### OTA example


```xml
<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelResModifyNotifRS.xsd" TimeStamp="2018-06-22T14:56:37+00:00" Target="Production" Version="2.001">
  <Errors>
    <Error ShortText="Authorization Required"/>
  </Errors>
</OTA_HotelResModifyNotifRS>
```

## Troubleshooting

If your requests repeatedly fail authentication, check that:

* Your request includes the `Authorization` header;
* Your [machine account](/connectivity/docs/glossary_of_terms#machine-account) credentials are correct;
* The [IP allowlist](https://connect.booking.com/machine-account) for your machine account is up-to-date;
* You have access to the endpoint you're calling ([contact us](https://connect.booking.com/user_guide/site/en-US/content/#support-feedback) if you're not sure).


## Related links

-> [Authentication best practices](/connectivity/docs/authentication-best-practices)