...
To send requests to the API, the partner must include several headers with each request. These headers identify the sending partner, the customer, and the version of the API.
x-hotelkit-api-customer-key
Identifies the customer that the request is for. As soon as the API is enabled for a customer, the customer-key will be provided.
The header must not be sent in requests that concern the partner itself rather than a specific customer.
The customer-key is a string of up to 50 UTF-8 encoded characters.
x-hotelkit-api-nonce
The nonce is a (pseudo)random string that is unique for each request. It ensures that the signature is different for every request sent to hotelkit. Because every nonce may be used for only one request, it also prevents replay attacks. A request sent with a duplicate nonce header gets a 403 response.
The Functionality – Security section describes in more detail how to sign requests correctly.
...
x-hotelkit-api-public-key
The public-key is used to identify the requesting partner and to get the correct private-key.
It is constant for every request and will not be changed during the partnership.
It will be provided to the partner as soon as the functionality is granted.
x-hotelkit-api-version
The common version of the API is 3.0. Some parts (User Synchronization) are on version 3.1. Please check this separately in the Swagger files.
x-hotelkit-api-signature
The signature is a security mechanism based on the previously mentioned headers. How it is generated is described in Security.
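The header rules above, as an added example that is not hotelkit's own code: a partner-side builder that draws a fresh nonce for every request and omits the customer-key on partner-level requests, plus a small model of the documented duplicate-nonce rejection. The function and class names, the nonce format and the in-memory store are assumptions; the signature header is left out because its algorithm is described in the Security section, not here.

```python
import secrets

MAX_CUSTOMER_KEY_CHARS = 50  # limit stated in the customer-key description


def new_nonce() -> str:
    # Assumption: 32 bytes from the OS CSPRNG, URL-safe base64 encoded.
    # The page only requires a (pseudo)random string unique per request.
    return secrets.token_urlsafe(32)


def build_headers(public_key, version="3.0", customer_key=None):
    """Return the identification headers for ONE request (signature excluded)."""
    headers = {
        "x-hotelkit-api-public-key": public_key,
        "x-hotelkit-api-version": version,
        "x-hotelkit-api-nonce": new_nonce(),  # fresh value on every call
    }
    # Partner-level requests must not carry the customer-key header at all.
    if customer_key is not None:
        if len(customer_key) > MAX_CUSTOMER_KEY_CHARS:
            raise ValueError("customer-key is longer than 50 characters")
        headers["x-hotelkit-api-customer-key"] = customer_key
    return headers


class NonceRegistry:
    """Model of the documented server rule: a repeated nonce gets a 403."""

    def __init__(self):
        self._seen = set()  # assumption: unbounded in-memory store

    def check(self, headers) -> int:
        nonce = headers.get("x-hotelkit-api-nonce")
        # Assumption: a missing nonce is rejected like a duplicate one.
        if not nonce or nonce in self._seen:
            return 403
        self._seen.add(nonce)
        return 200  # stands in for "passed the nonce check"
```

A retry that resends the same header set is rejected by the nonce check, so retries should call `build_headers` again and sign the new set.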