Access Token
Modified on: 2024-04-01 18:47
TABLE OF CONTENTS
- Purpose
- Introduction
- 1. Use different tokens for different APIs
- 2. Periodically renew the tokens
- 3. Upgrade Instructions for a user of the old security version
- FAQ:
Purpose
- The document is here for reference only and as an example of how DerbySoft is aware and staying on top of such things in the industry.
- Describes what Access Token is and how to renew it on GO Console
Introduction
We use various technologies and processes to secure the information stored on the DerbySoft servers. Data encryption, access limitation to system components and customer credit data, necessary tracking, and monitoring are used to ensure security. Based on AWS services, DerbySoft builds an isolated data environment that fully complies with PCI (Payment Card Industry) security compliance requirements, which can effectively reduce the risk of data theft, identity fraud, and unauthorized transactions.
To ensure secure data transfer and access, GO Distributors requires the following security measures for the connectivity service:
1. Use different tokens for different APIs
You can refer to the below table based on your API type:
| Version | Token |
|---|---|
| V4 | BookingUSB Token |
ShoppingEngine Token (Pull Model) | |
AvailabilityPeer Token (Push Model) | |
| V3 | Reservation Token |
Non-Reservation Token |
2. Periodically renew the tokens
Use two different Tokens for different APIs
| Token | APIs | |
|---|---|---|
V4: BookingUSB Token | BookingUSB Detect API | /ping |
| BookingUSB Hotel API | /hotels/{supplierId} | |
| BookingUSB Hotel API | /hotel/{supplierId}/{hotelId} | |
| BookingUSB Reservation API | /availability | |
| BookingUSB Reservation API | /reservation/prebook | |
| BookingUSB Reservation API | /reservation/book | |
| BookingUSB Reservation API | /reservation/modify | |
| BookingUSB Reservation API | /reservation/cancel | |
| BookingUSB Reservation API | /reservations | |
| BookingUSB Reservation API | /reservation/detail | |
V4: ShoppingEngine Token(Pull Model) | ShoppingEngine Detect API | /ping |
| ShoppingEngine Hotel Setup API | /hotels/{supplierId}/setup | |
| ShoppingEngine Shopping API | /shopping/multihotels | |
V4: AvailabilityPeer Token(Push Model) | AvailabilityPeer Detect API | /ping |
| AvailabilityPeer Hotel API | /hotels/{supplierId} | |
| AvailabilityPeer Hotel API | /hotel/{supplierId}/{hotelId} | |
| AvailabilityPeer ARI Push API | /ari/daily/push | |
| AvailabilityPeer ARI Push API | /ari/los/push | |
V3: Non-Reservation Token | Ping | |
Single Availability | ||
Multiple Availability | ||
V3: Reservation Token | Make Reservation | |
| Cancel Reservation | ||
| Query Reservation | ||
Renew Tokens
Important: Each token has a 180 days period of validity. The expiry date can be found on GO Console Env Setting Page. DerbySoft will send the notifications before expiration. Distributors need to renew and apply the tokens before the expiration date.
Once a new token has been generated by the Distributor in GO Console, the previous one will still be acceptable for another 7 days, you will have sufficient time to test your system. (If it is less than 7 days before the expiry date, the previous token will expire at the original expiry time.)
Here are the V4&V3 views for your reference:
- V4 View(GO Console v2)
- V4 View(GO Console v1)
- V3 View:
How to Renew Tokens
Users with permission can renew the tokens on the Setting - Env Setting Page, please contact go.help@derbysoft.net for permission application if needed.
Token Renewing process chart
3. Upgrade Instructions for a user of the old security version
We have introduced an advanced security policy to better support the security of data transfer and access for the connectivity service.
The major change
Two different tokens are to be used while requesting GO APIs. Each token is valid for 180 days.
| Token | APIs | |
|---|---|---|
V4: BookingUSB Token | BookingUSB Detect API | /ping |
| BookingUSB Hotel API | /hotels/{supplierId} | |
| BookingUSB Hotel API | /hotel/{supplierId}/{hotelId} | |
| BookingUSB Reservation API | /availability | |
| BookingUSB Reservation API | /reservation/prebook | |
| BookingUSB Reservation API | /reservation/book | |
| BookingUSB Reservation API | /reservation/modify | |
| BookingUSB Reservation API | /reservation/cancel | |
| BookingUSB Reservation API | /reservations | |
| BookingUSB Reservation API | /reservation/detail | |
V4: ShoppingEngine Token(Pull Model) | ShoppingEngine Detect API | /ping |
| ShoppingEngine Hotel Setup API | /hotels/{supplierId}/setup | |
| ShoppingEngine Shopping API | /shopping/multihotels | |
V4: AvailabilityPeer Token(Push Model) | AvailabilityPeer Detect API | /ping |
| AvailabilityPeer Hotel API | /hotels/{supplierId} | |
| AvailabilityPeer Hotel API | /hotel/{supplierId}/{hotelId} | |
| AvailabilityPeer ARI Push API | /ari/daily/push | |
| AvailabilityPeer ARI Push API | /ari/los/push | |
V3: Non-Reservation Token | Ping | |
Single Availability | ||
Multiple Availability | ||
V3: Reservation Token | Make Reservation | |
| Cancel Reservation | ||
| Query Reservation | ||
How to upgrade
Step 1: Make necessary changes in your system to support two different tokens.
Step 2 Click the upgrade button on the Env Setting Page.
Step 3 Go through the upgrade process.
The upgrade page before&after
- Token Setting Page Before Upgrade
- Token Setting Page After Upgrade
We highly recommend that you renew the BookingUSB Token & ShoppingEngine/AvailabilityPeer Token and apply them to your system right after the upgrade.
Notes: ① Your previous AccessToken is still valid before the expiry date after upgrading. You can check the expiry date on GO Console. ② Once a new Token has been generated, the previous one will still be acceptable for another 7 days, you will have sufficient time to test your system. (If it is less than 7 days before the expiry date, the previous token will expire at the original expiry time.)
FAQ:
Q: We are currently using GO v4 Push API. The Access Token in the request header is used to authenticate both Derbysoft endpoints and our endpoints. We would like to better understand how Derbysoft authenticates our requests and how we authenticate Derbysoft requests.
A: You may have observed that there are two Access tokens and two endpoints associated.
When you make a call to our BookingUSB API, please ensure that you pass the Access Token of BookingUSB in the request header. This Access Token will be verified by us upon receipt of your request.
Similarly, if we call your AvailabilityPeer API, we will pass the Access Token of AvailabilityPeer in the request header. It will then be up to your system to verify this Access Token.
Did you find it helpful? Yes No
Send feedback