Authentication

API Keys and Bearer Tokens

Authentication model, scopes and operational practices for partner-grade API access.

Version 1.0.0
Last updated 2026-05-26

Authentication model

Partner-grade integrations can use:

  • X-Api-Key + X-Api-Secret
  • Authorization: Bearer ...

Security model

Credentials support:

  • hotel allowlists
  • scopes
  • expiration
  • revocation
  • IP restrictions
  • audit metadata

Operational guidance

  1. Store secrets in a vault
  2. Rotate credentials regularly
  3. Use one credential set per integration
  4. Avoid sharing a single token across environments

Idempotency

Write endpoints should use an Idempotency-Key when required by the integration contract.
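
The operational guidance and idempotency rule above, shown as an added Python example (not code from this API's own documentation or SDK). It loads one credential set per environment, fails closed when none is provisioned, and builds a write request with an Idempotency-Key. The base URLs, environment variable names, UUID key format and any request path are assumptions.

```python
import json
import os
import urllib.request
import uuid

# Assumed, not from the page: base URLs, env var names, the UUID key format.
BASE_URLS = {
    "staging": "https://api.staging.example.invalid",
    "production": "https://api.example.invalid",
}
SENSITIVE = {"x-api-secret", "authorization"}


def load_credentials(env_name, environ=os.environ):
    """Return (key, secret) provisioned for exactly one environment."""
    if env_name not in BASE_URLS:
        raise ValueError(f"unknown environment: {env_name!r}")
    prefix = f"PARTNER_{env_name.upper()}_"  # hypothetical naming, vault-injected
    key = environ.get(prefix + "API_KEY")
    secret = environ.get(prefix + "API_SECRET")
    if not key or not secret:
        # Fail closed: never fall back to another environment's credentials.
        raise RuntimeError(f"no credentials provisioned for {env_name}")
    return key, secret


def build_write_request(env_name, path, payload, idempotency_key=None,
                        environ=os.environ):
    """Build (not send) a POST; reuse the returned key when retrying."""
    key, secret = load_credentials(env_name, environ)
    idempotency_key = idempotency_key or str(uuid.uuid4())
    req = urllib.request.Request(
        BASE_URLS[env_name] + path,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "X-Api-Key": key,
            "X-Api-Secret": secret,
            "Idempotency-Key": idempotency_key,
            "Content-Type": "application/json",
        },
    )
    return req, idempotency_key


def loggable_headers(req):
    """Header dict safe for logs: secret-bearing values are masked."""
    return {k.lower(): ("***" if k.lower() in SENSITIVE else v)
            for k, v in req.header_items()}
```

On a retry, pass the key returned by the first call back in as idempotency_key so both attempts carry the same value.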