Authentication

The Autocore API uses different authentication mechanisms depending on the product you are integrating with.

Authentication Methods Overview

| Method | Used By | Mechanism |
|---|---|---|
| API Key | Bookings, Virtual Cards, Preloaded Balances, Gift Cards | access_key + secret_key headers |
| Auth-Token | Payment Gateways (Direct Charge) | Base64-encoded HMAC token in auth_token header |

API Key Authentication

Include your access_key and secret_key directly in the request headers.

Headers:

| Header | Description |
|---|---|
| access_key | Your public API key |
| secret_key | Your private API key |

Example:

curl --location --request GET 'https://api.autocore.pro/v1/bookings/123456?hotel_id=15265' \
  --header 'access_key: ENY3DRcc7WqwqMxL' \
  --header 'secret_key: MxLYPdu9V6dliZXJfW8RF8Sih1YRaUY1'

Auth-Token Authentication

The auth_token is a Base64-encoded string with the following structure:

ACCESS_KEY;UNIXTIMESTAMP;UNIQ-TOKEN

| Component | Description |
|---|---|
| ACCESS_KEY | Your public API key |
| UNIXTIMESTAMP | Current UTC time in seconds (must be generated at request time) |
| UNIQ-TOKEN | SHA-256 hex digest of secret_key + timestamp |

Token Expiration

The token is valid for 30 seconds only. After this time, requests will be rejected with a 401 Unauthorized error.

Building the Auth-Token

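Python:

import hashlib
import time
from base64 import b64encode

access_key = "YOUR_ACCESS_KEY"  # public API key
secret_key = "YOUR_SECRET_KEY"  # private API key

# UTC time in whole seconds; generate it at request time (the token lives 30 seconds)
unix_timestamp = str(int(time.time()))
# UNIQ-TOKEN: SHA-256 hex digest of secret_key + timestamp
uniq_token_string = secret_key + unix_timestamp
uniq_token_hash = hashlib.sha256(
    uniq_token_string.encode("ascii"),
).hexdigest()
# ACCESS_KEY;UNIXTIMESTAMP;UNIQ-TOKEN, Base64-encoded
auth_token = b64encode(
    bytes(
        f"{access_key};{unix_timestamp};{uniq_token_hash}",
        "ascii",
    )
)
# Value to send in the auth_token header
base64_str = auth_token.decode("ascii")

JavaScript:

const crypto = require('crypto');

const accessKey = 'YOUR_ACCESS_KEY'; // public API key
const secretKey = 'YOUR_SECRET_KEY'; // private API key

// UTC time in whole seconds; generate it at request time (the token lives 30 seconds)
const unixTimestamp = Math.floor(Date.now() / 1000).toString();
// UNIQ-TOKEN: SHA-256 hex digest of secret_key + timestamp
const uniqTokenString = secretKey + unixTimestamp;
const uniqTokenHash = crypto
  .createHash('sha256')
  .update(uniqTokenString)
  .digest('hex');
// ACCESS_KEY;UNIXTIMESTAMP;UNIQ-TOKEN, Base64-encoded; send in the auth_token header
const authToken = Buffer
  .from(`${accessKey};${unixTimestamp};${uniqTokenHash}`)
  .toString('base64');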
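
To test a client against the token structure and 30-second window described above, the following added example (not Autocore's server code) decodes a token and validates it the way the documented format implies. The key store, function names, reason strings and the rejection of timestamps more than 30 seconds in the future are assumptions.

```python
import base64
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 30  # validity window stated on this page
# Hypothetical key store with constructed sample values: access_key -> secret_key
KEYS = {"demo_access_key": "demo_secret_key"}


def build_auth_token(access_key, secret_key, now=None):
    """Client side: ACCESS_KEY;UNIXTIMESTAMP;UNIQ-TOKEN, Base64-encoded."""
    ts = str(int(time.time() if now is None else now))
    digest = hashlib.sha256((secret_key + ts).encode("ascii")).hexdigest()
    return base64.b64encode(f"{access_key};{ts};{digest}".encode("ascii")).decode("ascii")


def validate_auth_token(token, keys=KEYS, now=None):
    """Return (ok, reason). Assumed checks; the real server logic is not documented."""
    now = time.time() if now is None else now
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
        access_key, ts, digest = decoded.split(";")
        if not ts.isdigit():
            raise ValueError("timestamp must be decimal digits")
        issued_at = int(ts)
    except (ValueError, TypeError):
        return False, "malformed"
    secret_key = keys.get(access_key)
    if secret_key is None:
        return False, "unknown access_key"
    expected = hashlib.sha256((secret_key + ts).encode("ascii")).hexdigest()
    # Constant-time comparison: do not leak how much of the digest matched
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    age = now - issued_at
    if age > MAX_AGE_SECONDS:
        return False, "expired"
    if age < -MAX_AGE_SECONDS:  # assumption: also reject far-future timestamps
        return False, "timestamp in the future"
    return True, "ok"


if __name__ == "__main__":
    token = build_auth_token("demo_access_key", "demo_secret_key", now=1_700_000_000)
    for clock in (1_700_000_010, 1_700_000_031):  # inside and outside the window
        print(clock, validate_auth_token(token, now=clock))
```

A client whose clock runs more than the window behind produces tokens that are already expired on arrival, so check host time synchronization before suspecting the keys when a 401 appears.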

Authentication Flow

sequenceDiagram
    participant Client
    participant API as Autocore API

    alt API Key Auth
        Client->>API: Request with access_key + secret_key headers
        API->>API: Validate credentials
        API-->>Client: Response
    else Auth-Token Auth
        Client->>Client: Generate UNIX timestamp
        Client->>Client: Create SHA-256 hash
        Client->>Client: Encode as Base64
        Client->>API: Request with auth_token header
        API->>API: Decode and validate token
        API-->>Client: Response
    end

Getting Your Credentials

Contact your account manager or email info@autocore.pro to obtain:

  • access_key: Public API key
  • secret_key: Private API key
  • Public key: For RSA-OAEP encryption of sensitive card data (required for direct charge)
  • Private key: For decryption operations