Using the Basic authentication scheme

You can also use the HTTP basic authentication scheme to authenticate an incoming request instead of the token-based authentication method. To get a successful response from Booking.com Connectivity APIs, you must provide your credentials as an Authorization header in each request.

For example:

Authorization: Basic {username:password}

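Here, {username:password} stands for the Base64-encoded (RFC2045-MIME) form of your machine account credentials, that is, the username and password joined by a colon. The header carries the encoded value, not the plain text.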

Enhanced authentication rules

Booking.com enforces the following authentication and authorisation rules for enhanced protection and security:

  • Specify authentication details such as the username and password only in the request header. Credentials provided in the request body are ignored.
  • The username is case-sensitive: send it in its exact case and make sure it doesn't contain leading white space.
  • We have revised our password policy and no longer support the + character in the password. If your existing password contains the + character, make sure to create a new password using the Connectivity Portal.

Authentication failure

The API returns HTTP 401 for failed authentication attempts. The response body differs between OTA and B.XML endpoints.

B.XML example

<?xml version='1.0' standalone='yes'?>
<reservations>
    <fault code="401"
         string="Authorization Required" />
</reservations>

OTA example

<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelResModifyNotifRS.xsd" TimeStamp="2018-06-22T14:56:37+00:00" Target="Production" Version="2.001">
  <Errors>
    <Error ShortText="Authorization Required"/>
  </Errors>
</OTA_HotelResModifyNotifRS>

Troubleshooting

If your requests repeatedly fail authentication, check that:

  • Your request includes the Authorization header;
  • Your machine account credentials are correct;
  • The IP whitelist for your machine account is up-to-date;
  • You have access to the endpoint you're calling (contact us if you're not sure).
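
The header rules and the two 401 body formats above can be checked on the client side before and after a request. The following Python code is an added example, not Booking.com code: the function names and the sample credentials are assumptions made for illustration, and the 401 bodies are trimmed copies of the examples on this page.

```python
import base64
import xml.etree.ElementTree as ET

OTA_NS = "{http://www.opentravel.org/OTA/2003/05}"

# 401 bodies trimmed from the examples on this page (attributes shortened).
BXML_401 = ("<?xml version='1.0' standalone='yes'?><reservations>"
            '<fault code="401" string="Authorization Required" /></reservations>')
OTA_401 = ('<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05">'
           '<Errors><Error ShortText="Authorization Required"/></Errors>'
           "</OTA_HotelResModifyNotifRS>")


def basic_auth_header(username, password):
    """Check the credential rules listed above, then build the header."""
    if not username or username != username.lstrip():
        raise ValueError("username is empty or has leading white space")
    if ":" in username:
        # RFC 7617 (not this page): the first ':' separates user from password.
        raise ValueError("username must not contain ':'")
    if "+" in password:
        raise ValueError("'+' in password is no longer supported")
    pair = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(pair).decode("ascii")}


def auth_failure_text(status, body):
    """Return the fault text of a 401 response (B.XML or OTA), else None."""
    if status != 401:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "HTTP 401 (body is not well-formed XML)"
    fault = root.find("fault")  # B.XML: <fault code="401" string="..."/>
    if fault is not None:
        return fault.get("string")
    error = root.find(f"{OTA_NS}Errors/{OTA_NS}Error")  # OTA: <Error ShortText=.../>
    if error is not None:
        return error.get("ShortText")
    return "HTTP 401 (no fault element found)"


if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    print(basic_auth_header("user", "pass"))
    print(auth_failure_text(401, BXML_401), "|", auth_failure_text(401, OTA_401))
```

When logging failures, record the returned fault text and never the header value: Base64 is an encoding, so the credentials can be read straight back out of it.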