Authentication¶
This page explains how to authenticate for the Booking.com Connectivity APIs.
Machine account¶
You need a machine account to use the Booking.com Connectivity APIs. You can create machine accounts in the Connectivity Portal.
If you don't have access to the Connectivity Portal, you'll need to submit your details first.
Basic authentication scheme¶
The Booking.com Connectivity APIs use the HTTP basic authentication scheme. This means you must include an Authorization
header in each request, like so:
Authorization: Basic {username:password}
{username:password}
represents the Base64-encoded (RFC2045-MIME) credentials for your machine account.
Authentication failure¶
The API returns HTTP 401
for failed authentication attempts. The response body will be different for OTA and B.XML endpoints.
B.XML example¶
<?xml version='1.0' standalone='yes'?>
<reservations>
<fault code="401"
string="Authorization Required" />
</reservations>
OTA example¶
<OTA_HotelResModifyNotifRS xmlns="http://www.opentravel.org/OTA/2003/05" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_HotelResModifyNotifRS.xsd" TimeStamp="2018-06-22T14:56:37+00:00" Target="Production" Version="2.001">
<Errors>
<Error ShortText="Authorization Required"/>
</Errors>
</OTA_HotelResModifyNotifRS>
Troubleshooting¶
If your requests repeatedly fail authentication, check that:
- your request includes the
Authorization
header; - your machine account credentials are correct;
- the IP whitelist for your machine account is up-to-date;
- you have access to the endpoint you're calling (contact us if you're not sure).
Legacy authentication method¶
B.XML endpoints support an alternative to the Authorization
header. The header works for these endpoints, but you can also include username
and password
fields in the request body:
<?xml version="1.0" encoding="UTF-8"?>
<request>
<username>username</username>
<password>********</password>
</request>
We will continue to support this method for the time being, but consider it less secure than the Authorization
header. All API users should switch to the header method as soon as possible.