In today's digital world, where security breaches are all too common, protecting your booking data is a top priority. That's why Hotelbeds group is taking a proactive approach by requiring a new security layer called Mutual TLS (mTLS) for all booking API integrations. This ensures a more secure connection between your systems and our API.
The specific operations affected by this mTLS requirement are detailed next:
Any use of these operations requires implementing mTLS.
Specification details for these operations are available here: https://developer.hotelbeds.com/documentation/hotels/booking-api/api-reference/
Mutual TLS, often abbreviated as mTLS, is a security protocol that enhances communication between applications by ensuring two-way authentication. This means that both the client (typically, your booking system) and our API server verify each other's identities before exchanging data.
Here's a breakdown of how mTLS works:
By implementing mTLS, we achieve several security benefits:
Hotelbeds APIs leverage mTLS, which requires a secure two-way exchange of TLS certificates between your booking system (client) and the Hotelbeds server. This mTLS process relies on two key components:
You provide this information by uploading the certificate through the intranet of developer.hotelbeds.com and associating it with the Api Key you would like to use.
Hotelbeds only accepts certificates signed by any of the trusted certificate authorities (CA) listed in the “Mozilla Root CA Program” here:
https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACertificateReport.
The trusted Certificate Authority (CA) will provide both the private key and public certificate.
The mTLS layer utilizes this public certificate to establish a secure encrypted connection.
How you renew certificates depends heavily on the Certificate Authority (CA), so it is out of the scope of this document. Keep in mind that you must renew your certificates before they expire, as it won't be possible to connect to the mTLS Hotelbeds APIs with an expired certificate.
HBX will automatically send a notification email one month before the expiration date. The email will be sent to the email address associated with the user of the developer portal.
To connect to Hotelbeds using mTLS, requests must be authenticated with your certificate and private key and sent to the Hotelbeds mTLS endpoints:
Production: api-mtls.hotelbeds.com
Test: api-mtls.test.hotelbeds.com
Note: While this document details the implementation of mTLS for enhanced security, mTLS is not currently used for payment endpoints, as these methods already implement other security mechanisms. This means that if you're utilizing our payment solutions, you can continue using the existing endpoint: api-secure.hotelbeds.com.
Pass your certificate (client.crt), private key (client.key), and root CA certificate (ca.crt) to curl to authenticate your request. Note that the Api-key and X-Signature headers are still needed.
curl --cert client.crt --key client.key --cacert ca.crt -H "Api-key: 01cbfa32284202c2f0348e8912a21535" -H "X-Signature:7a11334bfb4cb5deb70d367d4ef872c52be2211379aabf4f8c9ba1bf6fc4abf5" https://api-mtls.hotelbeds.com
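A pre-flight check for the certificate and key used in the curl call above, given as an added example that is not Hotelbeds code. It assumes the `openssl` command-line tool is installed and an unencrypted private key; the function names are hypothetical, the 30-day default mirrors the one-month expiry notification, and the extension list is the one accepted by the developer portal.

```shell
#!/bin/sh
# Added example: pre-flight check for an mTLS client certificate.
# Function names are hypothetical; client.crt / client.key follow the curl example.

# cert_days_ok CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_days_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: succeeds if both files carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    # An unreadable file yields an empty string, which must not count as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CERT KEY [DAYS]: returns 0 when ready; 2-5 identify the failed check.
preflight() {
    cert=$1 key=$2 days=${3:-30}   # 30 days mirrors the one-month notification
    case "$cert" in
        *.crt|*.pem|*.cer) ;;      # the only extensions the portal accepts
        *) echo "unsupported file extension: $cert"; return 2 ;;
    esac
    cert_matches_key "$cert" "$key" || {
        echo "certificate and private key do not match or are unreadable"; return 3; }
    cert_days_ok "$cert" 0 || {
        echo "certificate has already expired"; return 4; }
    cert_days_ok "$cert" "$days" || {
        echo "certificate expires within $days days: renew it now"; return 5; }
    echo "ok: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Usage: sh preflight.sh client.crt client.key [days]
if [ $# -ge 2 ]; then preflight "$@"; fi
```

Running it from a scheduled job and alerting on exit code 5 gives a renewal reminder that does not depend on the notification email reaching the right mailbox.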
To set up mTLS authentication, the user must upload a valid certificate to the Hotelbeds developer portal (http://developer.hotelbeds.com) and associate it with the desired Api Keys.
After logging in to the developer portal (developer.hotelbeds.com), there is a new MY API CERTIFICATES tab in the DASHBOARD tab, under MY API KEYS.
This new tab contains the list of certificates of the user logged in to the developer portal. From here it is possible to upload a new certificate, give it an alias, associate it with Api Keys and delete certificates from the developer portal.
On the top right side of the MY API CERTIFICATES page there is an Add Certificate button that uploads the new certificate.
Optionally an Alias can be given to the certificate.
The only accepted certificates will be .crt, .pem and .cer certificates.
After uploading a certificate, a new modal, Associate Certificate to Api Keys, will open where it will be possible to associate Api Keys with the certificate.
The Associate Certificate to Api Keys modal has two columns: My API Keys, which lists all the Api Keys of the user, and Associated API Keys, which lists all the API Keys associated with the certificate.
From here the user will be able to Add/Remove an Api Key to the certificate.
Also, on the MY API CERTIFICATES page clicking on a given certificate will open the modal Associate Certificate to Api Keys where it will be possible to associate Api Keys to the certificate.
Important: Once you associate an Api Key with a certificate you will lose access to the non-MTLS endpoints after X days (14 by default) for the given Api Key. Be aware that Api Keys can only be associated with two certificates. Also, Api Keys associated with a single certificate can’t be removed from the certificate to prevent losing connection.
On the MY API CERTIFICATES page, each certificate has a Delete button that deletes the certificate.
Important: Be aware that the system will not allow deleting the certificate if it’s associated with Api Keys. Expired/Revoked certificates will be automatically removed from the system after 6 months.
On the MY API KEYS page, clicking on a given Api Key opens the Apikey detail modal, which displays the certificates associated with the Api Key.
The email address associated with your developer portal user account is crucial for staying informed about important updates. This includes notifications regarding the expiration of your certificates. If the email address is incorrect or outdated, you risk missing critical reminders, which could lead to lapsed certificates.
Additionally, we would like to provide you with tips for using the Developer portal (https://developer.hotelbeds.com):
If you have any questions, please don't hesitate to reach out to your Technical Account Manager (TAM) directly. Alternatively, you can email us at apitude@hotelbeds.com