Authentication Options

Authentication with API Key

The API key is generated from the User's Portal by using the "Generate API Key" feature. Read more on Managing API Keys.

The API key should be provided in the Authorization header in the following format: APIKEY <value of API Key>

Example: bd3ce883352e42539a2b7644f72e63aa

📘

The term APIKEY should be capitalized in the Authorization header

📘

While there are several methods in PCI Booking that support authentication using an API Key, we recommend using the API key authentication for the Start a Temporary Session method only.

POST /api/<method> HTTP/1.1
Host: service.pcibooking.net
Authorization: APIKEY bd3ce883352e42539a2b7644f72e63aa
curl -X POST \
  https://service.pcibooking.net/api/%3Cmethod%3E \
  -H 'authorization: APIKEY bd3ce883352e42539a2b7644f72e63aa' \

You can use our Authenticate method to check that the API key you are using is valid.

Authentication with Basic Authentication

Basic Authentication is a Base64 encoded representation of {BookerID}@{PropertyID}:{Property password}. The Basic Authentication is used primarily in the Property Management service.

Basic Authentication should be provided in the Authorization header in the following format: Basic <value>

Example: encoding Booking@hotelUK:pass1234 to Base64 would result in Qm9va2luZ0Bob3RlbFVLOnBhc3MxMjM0IA==

POST /api/<method> HTTP/1.1
Host: service.pcibooking.net
Authorization: Basic Qm9va2luZ0Bob3RlbFVLOnBhc3MxMjM0IA==
curl -X POST \
  https://service.pcibooking.net/api/%3Cmethod%3E \
  -H 'authorization: Basic Qm9va2luZ0Bob3RlbFVLOnBhc3MxMjM0IA==' \

Authentication with Session Token

The Session Token is a string value that is returned by calling the Start a Temporary Session method.
A Session Token will expire 5 minutes after it was created. During that time frame, the same Session Token can be used on an unlimited number of requests.

The Session Token should be provided in the query string parameter sessionToken of the subsequent request to PCI Booking.

Example: 98687cb1510b4e58a5916d3d2f4483b0

POST /api/<method>?sessionToken=98687cb1510b4e58a5916d3d2f4483b0 HTTP/1.1
Host: service.pcibooking.net
curl -X POST \
  'https://service.pcibooking.net/api/%3Cmethod%3E?sessionToken=98687cb1510b4e58a5916d3d2f4483b0' \

📘

Access Token Vs. Session Token

Between the two options of using the Access Token or the Session Token, we would recommend using the Access Token.

📘

Read more in our reference documentation on the Start a Session method.

Authentication with Access Token

The Access Token is a string value that is generated locally on the server side. It is a made of your API key and expiration date and time and is signed with the PCI Booking SSL certificate.
An Access Token is good for one request to the PCI Booking service before it is invalid. The Access Token is valid until the expiration date and time listed - the expiration date and time can be between 10 seconds and 1 hour. Read more on generating an Access Token.

The Acess Token should be provided in the query string parameter accessToken of the subsequent request to PCI Booking.

Example:

5E49BC0EB51CC2CB6EA580CC644067058DAC186E3040203E96D45F1E8D43ED1196E9090D08
EC27108005EB7B02F3CC1DBCFD804373536DBB10D5AB6C3843BF40E6780959736D9F9B7E9B
39739B5047ABE539AB14386616EE9A77007EC8EBFCEA903DA26814C421B26D137E0BACA36F
DCA4A41AEA84A394CD28FF1B3B632D549391F510EA5AD73F50F46DA0E68945A677DEF35DCF
5A42E2702D7294CF76A68097C5970194A6B6B8E83D020483B94FD373515D9592B3BB305B75
6795A1D68BA54FB82AA093B15B2722BA6AA797E5C10534C7715AB66254EE6A2FE307167753
16849D9CDE2D08A465EF9A2A1F863E1D0A57F85D8F796EF8A4CE1162FC9D83D701FC
POST /api/<method>?accessToken=5E49BC0EB51CC2CB6EA580CC644067058DAC186E3040203E96D45F1E8D43ED1196E9090D08EC27108005EB7B02F3CC1DBCFD804373536DBB10D5AB6C3843BF40E6780959736D9F9B7E9B39739B5047ABE539AB14386616EE9A77007EC8EBFCEA903DA26814C421B26D137E0BACA36FDCA4A41AEA84A394CD28FF1B3B632D549391F510EA5AD73F50F46DA0E68945A677DEF35DCF5A42E2702D7294CF76A68097C5970194A6B6B8E83D020483B94FD373515D9592B3BB305B756795A1D68BA54FB82AA093B15B2722BA6AA797E5C10534C7715AB66254EE6A2FE30716775316849D9CDE2D08A465EF9A2A1F863E1D0A57F85D8F796EF8A4CE1162FC9D83D701FC HTTP/1.1
Host: service.pcibooking.net
curl -X POST \
  'https://service.pcibooking.net/api/%3Cmethod%3E?accessToken=5E49BC0EB51CC2CB6EA580CC644067058DAC186E3040203E96D45F1E8D43ED1196E9090D08EC27108005EB7B02F3CC1DBCFD804373536DBB10D5AB6C3843BF40E6780959736D9F9B7E9B39739B5047ABE539AB14386616EE9A77007EC8EBFCEA903DA26814C421B26D137E0BACA36FDCA4A41AEA84A394CD28FF1B3B632D549391F510EA5AD73F50F46DA0E68945A677DEF35DCF5A42E2702D7294CF76A68097C5970194A6B6B8E83D020483B94FD373515D9592B3BB305B756795A1D68BA54FB82AA093B15B2722BA6AA797E5C10534C7715AB66254EE6A2FE30716775316849D9CDE2D08A465EF9A2A1F863E1D0A57F85D8F796EF8A4CE1162FC9D83D701FC' \

📘

Providing both Access Token and Session Token in the same request

If both Session Token and Access Token are listed in the request's query string parameters, the Session Token will take precedence.