Skip to content

SOAP & Authentication

The authentication credentials need to be part of the SOAP envelope provided with the HTTP POST request to the API endpoint. The following different SOAP envelope tags are supported and automatically detected by the API.

<?xml version="1.0"?>
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        ...
    </soap:Header>
    <soap:Body>
        ...
    </soap:Body>
</soap:Envelope>
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        ...
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        ...
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<?xml version="1.0"?>
<soapenv:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        ...
    </soapenv:Header>
    <soapenv:Body>
        ...
    </soapenv:Body>
</soapenv:Envelope>
<?xml version="1.0"?>
...

Posting XML without an envelope

You can post the XML requests from the OpenTravel protocol directly to the endpoint and provide the credentials inside a RequestorID-tag instead of the SOAP header.

Any combination of Envelope-Versions or Tags with any combination of authentication profiles or formats is supported. The system will automatically detect the corresponding format and accept the credentials.

Which authentication format shall I use?

Which authentication format to use solely depends on your implementation. We recommend the WS-Security UsernameToken Profile as it is the most common formats used for current OTA implementations. There are no functional differences for the different protocol forms.

The WS-Security UserNameToken Profile provides the username and password in an wsse:Security XML-tag inside the SOAP header.

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:mustUnderstand="1">
            <wsse:UsernameToken>
                <wsse:Username>MyUserName</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        ...
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

AccessHeader-Tag in the SOAP header

An AccessHeader xml tag with a UserName and Password tag will be used inside the SOAP header to provide the username and the password as configured.

<?xml version="1.0"?>
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <AccessHeader>
            <UserName>MyUserName</UserName>
            <Password>MyPassword</Password>
        </AccessHeader>
    </soap:Header>
    <soap:Body> 
        ...
    </soap:Body>
</soap:Envelope>

XML-only without a SOAP-envelope

If you want to push the XML requests directly without wrapping them in a SOAP-envelope, you can do so by putting the authentication credentials inside a POS and Source XML node.

<?xml version="1.0"?>
<OTA_PingRQ xmlns="http://www.opentravel.org/OTA/2003/05"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.opentravel.org/OTA/2003/05 OTA_PingRQ.xsd"
    TimeStamp="2003-03-17T09:30:47-05:00">
    <POS>
        <Source>
            <RequestorID ID="MyUserName" MessagePassword="MyPassword"></RequestorID>
        </Source>
    </POS>
    <EchoData>Ping Pong</EchoData>
</OTA_PingRQ>