As part of our design update, the screenshots are currently being revised.

TABLE OF CONTENTS

Purpose

  1. The document is here for reference only and as an example of how DerbySoft is aware and staying on top of such things in the industry.
  2. Describes what Access Token is and how to renew it on GO Console

Introduction

We use various technologies and processes to secure the information stored on the DerbySoft servers. Data encryption, access limitation to system components and customer credit data, necessary tracking, and monitoring are used to ensure security. Based on AWS services, DerbySoft builds an isolated data environment that fully complies with PCI (Payment Card Industry) security compliance requirements, which can effectively reduce the risk of data theft, identity fraud, and unauthorized transactions.


To ensure secure data transfer and access, GO Distributors requires the following security measures for the connectivity service:

1. Use different tokens for different APIs

You can refer to the below table based on your API type:


VersionToken
V4

BookingUSB Token

ShoppingEngine Token (Pull Model)

AvailabilityPeer Token (Push Model)

V3

Reservation Token

Non-Reservation Token


2. Periodically renew the tokens

Use two different Tokens for different APIs

TokenAPIs

V4: BookingUSB Token

BookingUSB Detect API/ping
BookingUSB Hotel API/hotels/{supplierId}
BookingUSB Hotel API/hotel/{supplierId}/{hotelId}
BookingUSB Reservation API/availability
BookingUSB Reservation API/reservation/prebook
BookingUSB Reservation API/reservation/book
BookingUSB Reservation API/reservation/modify
BookingUSB Reservation API/reservation/cancel
BookingUSB Reservation API

/reservations

BookingUSB Reservation API

/reservation/detail

V4: ShoppingEngine Token(Pull Model)

ShoppingEngine Detect API/ping
ShoppingEngine Hotel Setup API

/hotels/{supplierId}/setup

ShoppingEngine Shopping API/shopping/multihotels

V4: AvailabilityPeer Token(Push Model)

AvailabilityPeer Detect API/ping
AvailabilityPeer Hotel API/hotels/{supplierId}
AvailabilityPeer Hotel API/hotel/{supplierId}/{hotelId}
AvailabilityPeer ARI Push API/ari/daily/push
AvailabilityPeer ARI Push API/ari/los/push

V3: Non-Reservation Token

Ping

Single Availability

Multiple Availability

V3: Reservation Token

Make Reservation

Cancel Reservation
Query Reservation


Renew Tokens

Important:
Each token is valid for 180 days. The expiration date can be found on the GO Console Customer Setting page. DerbySoft will send notifications before expiration.

Distributors need to renew and apply the tokens before the expiration date.

Once a new token has been generated by the Distributor in GO Console, the previous one will still be acceptable for another 7 days, you will have sufficient time to test your system. (If it is less than 7 days before the expiry date, the previous token will expire at the original expiry time.)


Here are the V4&V3 views for your reference:

  • V4 View(GO Console v2)


  • V4 View(GO Console v1)

  • V3 View:




How to Renew Tokens

Users with permission can renew the tokens on the Setting - Env Setting Page, please contact [email protected] for permission application if needed.


Token Renewing process chart


3. Upgrade Instructions for a user of the old security version

We have introduced an advanced security policy to better support the security of data transfer and access for the connectivity service.


The major change

Two different tokens are to be used while requesting GO APIs. Each token is valid for 180 days.


TokenAPIs

V4: BookingUSB Token

BookingUSB Detect API/ping
BookingUSB Hotel API/hotels/{supplierId}
BookingUSB Hotel API/hotel/{supplierId}/{hotelId}
BookingUSB Reservation API/availability
BookingUSB Reservation API/reservation/prebook
BookingUSB Reservation API/reservation/book
BookingUSB Reservation API/reservation/modify
BookingUSB Reservation API/reservation/cancel
BookingUSB Reservation API

/reservations

BookingUSB Reservation API

/reservation/detail

V4: ShoppingEngine Token(Pull Model)

ShoppingEngine Detect API/ping
ShoppingEngine Hotel Setup API

/hotels/{supplierId}/setup

ShoppingEngine Shopping API/shopping/multihotels

V4: AvailabilityPeer Token(Push Model)

AvailabilityPeer Detect API/ping
AvailabilityPeer Hotel API/hotels/{supplierId}
AvailabilityPeer Hotel API/hotel/{supplierId}/{hotelId}
AvailabilityPeer ARI Push API/ari/daily/push
AvailabilityPeer ARI Push API/ari/los/push

V3: Non-Reservation Token

Ping

Single Availability

Multiple Availability

V3: Reservation Token

Make Reservation

Cancel Reservation
Query Reservation


How to upgrade

Step 1: Make necessary changes in your system to support two different tokens.

Step 2 Click the upgrade button on the Env Setting Page.


Step 3 Go through the upgrade process.


The upgrade page before&after

  • Token Setting Page Before Upgrade

  • Token Setting Page After Upgrade

We highly recommend that you renew the BookingUSB Token & ShoppingEngine/AvailabilityPeer Token and apply them to your system right after the upgrade.

Notes:
① Your previous AccessToken is still valid before the expiry date after upgrading. You can check the expiry date on GO Console.

② Once a new Token has been generated, the previous one will still be acceptable for another 7 days, you will have sufficient time to test your system. (If it is less than 7 days before the expiry date, the previous token will expire at the original expiry time.)

FAQ:

Q: We are currently using GO v4 Push API. The Access Token in the request header is used to authenticate both Derbysoft endpoints and our endpoints. We would like to better understand how Derbysoft authenticates our requests and how we authenticate Derbysoft requests.


A: You may have observed that there are two Access tokens and two endpoints associated.

When you make a call to our BookingUSB API, please ensure that you pass the Access Token of BookingUSB in the request header. This Access Token will be verified by us upon receipt of your request.

Similarly, if we call your AvailabilityPeer API, we will pass the Access Token of AvailabilityPeer in the request header. It will then be up to your system to verify this Access Token.