GETTING STARTED
/
Credential-based authentication
Last updated
End of life notice

The credential-based authentication scheme is soon to be sunset on 31 December, 2025. Make sure to migrate to using token-based authentication scheme for enhanced security. For more information, see the Deprecation and sunsetting topic.

Using the Credentials-based authentication scheme

You can use the credential-based authentication scheme to authenticate an incoming request. However, we recommend that you use the more secure token-based authentication method.

To get a successful response from Booking.com Connectivity APIs, you must provide a Base64-encoded credential in the Authorization header for each request.

For example:

Authorization: Basic {username:password}

{username:password} represents the Base64-encoded (RFC2045-MIME) credentials for your machine account.

Enhanced authentication rules

Booking.com enforces the following authentication and authorisation rules for enhanced protection and security:

  • Specify the authentication details such as username and password only using the request Header. Credentials provided in the request body are ignored.
  • Make sure the username is case-sensitive and doesn't contain leading white space.
  • We have revised our password policy and no longer support the + character in the password. If your existing password contains + character, make sure to create a new password using the Connectivity Portal.

Authentication failure

The API returns HTTP 401 for failed authentication attempts. The response body will be different for OTA and B.XML endpoints.

B.XML example

<?xml version='1.0' standalone='yes'?>
<reservations>
    <fault code="401"
         string="Authorization Required" />
</reservations>

OTA example

<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelResModifyNotifRS.xsd" TimeStamp="2018-06-22T14:56:37+00:00" Target="Production" Version="2.001">
  <Errors>
    <Error ShortText="Authorization Required"/>
  </Errors>
</OTA_HotelResModifyNotifRS>

Troubleshooting

If your requests repeatedly fail authentication, check that:

  • Your request includes the Authorization header;
  • Your machine account credentials are correct;
  • The IP allowlist for your machine account is up-to-date;
  • You have access to the endpoint you're calling (contact us if you're not sure).

-> Authentication best practices

Previous page
Next page