OAuth 2.0 for Webhooks
What does it do?
When Booking.com calls your webhook endpoints, we first authenticate by requesting a token from YOUR OAuth 2.0 endpoint. This ensures all communication is secure.
Warning
This is the reverse of the API authentication flow. Here, Booking.com calls YOUR token endpoint to obtain a token before calling your webhook.
How does it work?
- You build an OAuth 2.0 `client_credentials` token endpoint on your server
- You provide us with a Client ID and Client Secret (via webhook registration)
- Before each webhook call, Booking.com exchanges your credentials for an access token
- Booking.com includes the token in the `Authorization` header when calling your webhook endpoints
Credentials you provide
| Credential | Description | Example |
|---|---|---|
| Client ID | A public identifier for the integration. Should not be guessable. | f2a1ed52710d4533bde25be6da03b6e3 |
| Client Secret | A private secret. Must be cryptographically random. Minimum 8 characters. | d0110942d4d23a1d66c4ed95505e16257c5adb5174e4ac21e0bd008f8e657435 |
Note
The Search webhook authenticates for every request. Bear this in mind before setting up rate limiting on your token endpoint — it may receive a high volume of calls.
See the reference for the endpoint specification you must implement.
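The two server-side checks described above, as an added example that is not Booking.com's code or specification: issuing a token for the `client_credentials` grant and verifying the `Authorization` header on the webhook. It assumes the standard RFC 6749 request and response shape (sections 4.4 and 5.1); the function names, the 300-second lifetime and the in-memory token store are hypothetical, and the reference governs the actual fields.

```python
import base64, hmac, secrets, time

# Constructed credentials for the demo; register your own values with the webhook.
CLIENT_ID = secrets.token_hex(16)
CLIENT_SECRET = secrets.token_hex(32)   # 256 bits from the OS CSPRNG
TOKEN_TTL = 300                         # seconds (assumed lifetime)
_tokens = {}                            # access token -> expiry (in-memory, assumed store)

def _same(a, b):
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode(), b.encode())

def issue_token(form, authorization=None, now=None):
    """Token endpoint logic: returns (HTTP status, JSON body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    cid, secret = form.get("client_id", ""), form.get("client_secret", "")
    if authorization and authorization.startswith("Basic "):
        try:  # credentials sent as HTTP Basic instead of form fields
            decoded = base64.b64decode(authorization[6:], validate=True).decode()
        except ValueError:
            return 401, {"error": "invalid_client"}
        cid, _, secret = decoded.partition(":")
    # Evaluate both comparisons before deciding (no short-circuit).
    if not (_same(cid, CLIENT_ID) & _same(secret, CLIENT_SECRET)):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    _tokens[token] = now + TOKEN_TTL
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def verify_webhook(authorization, now=None):
    """Webhook-side check of the Authorization header; True if the token is live."""
    now = time.time() if now is None else now
    scheme, _, presented = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Drop expired tokens first: a per-request caller would otherwise grow the store.
    for t in [t for t, exp in _tokens.items() if exp <= now]:
        del _tokens[t]
    return any(_same(presented, t) for t in _tokens)
```

Wire `issue_token` and `verify_webhook` into your web framework's handlers, and replace the in-memory store with shared storage if the token endpoint and the webhook run in separate processes.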