At hoteliga, we value the integrity and security of our customers' data above all else. In order for your applications to access hoteliga customer data and/or act on their behalf, they must be authenticated. hoteliga relies on the industry standard OAuth 2.0 protocol for granting access, due to its simplicity and ease of implementation.
One of the features of OAuth is the use of tokens, strings which act as a sort of key. They represent the user’s consent to act on their behalf. This has several advantages: client apps do not need to request or store user’s passwords, and tokens can expire or be revoked on a per-client basis. Unlike a username + password combination, which can be used all over the place, tokens can only be used by the client that requested them.
The basic endpoint for all requests is
All requests need to be authenticated. For this to happen, you will need to use the Token method to get a bearer token. After doing that, use the following HTTP header for all following requests:
Authorization: Bearer <access_token>
You can make requests in either JSON or XML format, depending on the tools you use and what is more convienient.
For JSON requests, use the header:
Content-Type: application/json
For XML requests, use the header:
Content-Type: text/xml
For JSON responses, use the header:
Accept: application/json
For XML responses, use the header:
Accept: application/xml
In summary, each HTTP request should have the Authorization, the Content-Type and the Accept HTTP headers included.
You can do a maximum of 100 request per day, if you are a free user, or 1.500 requests per day if you are paying for the API license. Contact us for getting the paid license.
The daily limit is universal per hoteliga domain. Third-party applications using the hoteliga API for the same hoteliga domain will share the same request limit (i.e. 1,500 requests per day in total - in case for paid API license - for all the third-party applications). Therefore, appropriate coordination is needed so that none of the third-party applications is making more calls than needed. Some of the best practices are to reuse access tokens (they expire after 24 hours) and to make use of webhooks to avoid making too many pull requests.
Every response to a request includes three additional headers shown below that contain information about your limit, its usage and the time remaining before it is reset (in compliance with IETF standards) :
Indicates the daily limit of requests:
RateLimit-Limit: 1500
Indicates the remaining requests for a day:
RateLimit-Remaining: 1499
Indicates the total number of seconds remaining before a daily quota is reset:
RateLimit-Reset: 86399
Note: The countdown is activated when you make a first request to the API after your daily quota has already been reset.
The hoteliga API uses the standard HTTP status codes for every request to indicate the result.
| Code | Description |
|---|---|
| 200 | Success! |
| 400 | Bad request. The request was invalid on a business logic level. |
| 401 | Forbidden. Probably the authentication header is missing or the token is wrong or expired. |
| 403 | Forbidden. The request was interpreted as malicious and was blocked. |
| 405 | Method not allowed. Usually when the method requires GET but POST is used and vice versa. |
| 429 | Quota exceeded. You can't make more than 100 requests per day (free use) or 1.500 requests per day (paid API license). |
| 500 | Internal server error. Something is broken on our side. Please let us know. |