Introduction

DerbySoft employs a comprehensive, defense-in-depth security program to safeguard all data hosted on its infrastructure. This program combines industry-leading encryption, strict least-privilege access controls, continuous monitoring, and rigorous audit trails. Leveraging native AWS security services, DerbySoft operates an isolated, PCI-DSS-compliant data environment that mitigates risks related to data exfiltration, identity compromise, and unauthorized transactions.

For GO Suppliers who require pushing hotels and ARIs to DerbySoft, the following connectivity security controls are mandated to maintain the security for data exchange and system integration.



Get Client ID and Client Secret

First, designate one or more Security Owners as the recipients of the AuthData and provide their contact information to the GoHelp team.


During onboarding, a Security Owner clicks ‘Send Rotate Email’ to initiate the generation of the Client Secret.


Subsequently, the Security Owner who clicked the button will receive the AuthData via email, which will contain a unique Client ID and Client Secret.


Application

Step 1: Access DerbySoft Gateway to gain the Access Token

Once you have the Client ID and Client Secret, you need to access DerbySoft Gateway first to acquire an Access Token in preparation for your requests to GO.


Request Sample (Certification Environment)

GET https://solo.derbysoft-test.com/authorizer/toker
Accept-Encoding: gzip, deflate, br
client-id: 596a9560065d40cgb45baf8cf2eed20
client-secret: p;fdHalvm27A)2UAa3J8n7NLn5roVP1
Note: Take the DerbySoft Access Token Endpoint from the Console page.

Response Sample- Successful
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJrZXkiOiJKV1QtVEVTVCIsIm5iZiI6MTcyNTQxOTk5NywiaXNzIjoiZGVyYnlzb2Z0IiwiaWF0IjoxNzI1NDIwMTE3LCJkaXMiOiJKV1QtVEVTVCIsImp0aSI6ImJmZjZkYjY4OTNlOTQxYWNiM2Y1MjUwOWIyZDA3ZmU3IiwiZXhwIjoxNzI1NDIzNzE3LCJzdWIiOiJkZXJieXNvZnQgZGdhdGV3YXkgVjIiLCJhdWQiOlsiSldULVRFU1QiXX0.MqBR5kKY-uy3gtqv7IeqAawul3OCQLO1DhZ3wdoxWNZ7FZYb-AJwlgqGHXyjj_oJuiqPGeMfI_44TonIGfXfkqhtcE2nScTtVGeeVAA2NTzZSEGD5GLxJZ4rrTILUq9zLGDc0z44edo36g_kw_NuSjlBvq2l9BDJ793jxjijQ4XgoVJZslYQmFh-1uLSMy0aCCdfceUp8-YO7Bh3eWE0PFyZvDCU4O2mZKASuK4Jc4rf-XCNP8rLJpM03Aurek3AeRBcTOtfJDMW9vFGQ-g4BOXhEa0hVz8qQGFwLVY94dc5F74xs5i4C2ybIgZHf6GHQ_G9sIxm3nr1foT7YyfJcA",
  "token_type": "Bearer",
  "expires_in": 7200
}

Note: The Access Token is valid for 2 hours; you need to obtain a new one once it expires.
Response Sample- Failure
HTTP STATUS CODE   RETURN
401                {"message":"Missing JWT token in request","source":"Derbysoft DGateway2"}
401                {"message":"JWT token invalid","source":"Derbysoft DGateway2"}
401                {"message":"missing user key in JWT token","source":"Derbysoft DGateway2"}
401                {"message":"Invalid user key in JWT token","source":"Derbysoft DGateway2"}
401                {"message":"failed to verify jwt","source":"Derbysoft DGateway2"}
403                {"message":"The consumer_name is forbidden","source":"Derbysoft DGateway2"}

Step 2: Fill in the Access Token in your ARI/Hotel Push API request

Put the Access Token in the Authorization header of your ARI/Hotel Push API request to GO. Once the token is verified, the request is processed.

Note: If the token has expired, the API will return HTTP 401 Unauthorized; the client must repeat Step 1 to retrieve a fresh token.
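Steps 1 and 2 together, as an added example that is not DerbySoft's code: a small client that fetches the token with the client-id/client-secret headers, caches it until shortly before the 2-hour expiry, sends pushes with a Bearer Authorization header, and repeats Step 1 exactly once when a push returns 401. The transport is injectable, so the constructed FakeGateway below lets it run offline; the credential values "id"/"secret", the push URL and the FakeGateway behaviour are assumptions, and the token endpoint is the sample from this page (take the real one from the Console).

```python
import json
import time
from typing import Callable, Dict, Tuple

class GoClient:
    """Step 1 (fetch token, cache it for expires_in seconds) and Step 2 (Bearer push, one refresh on 401)."""
    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 transport: Callable, now=time.time, skew: int = 60):
        # transport(method, url, headers, body) -> (status, body); injected so the flow runs offline
        self.token_url, self.client_id, self.client_secret = token_url, client_id, client_secret
        self.transport, self.now, self.skew = transport, now, skew
        self.token, self.expires_at, self.fetches = None, 0.0, 0

    def access_token(self) -> str:
        # Refresh `skew` seconds before the 2-hour expiry instead of waiting for a 401 on a push.
        if self.token is None or self.now() >= self.expires_at - self.skew:
            hdrs = {"client-id": self.client_id, "client-secret": self.client_secret,
                    "Accept-Encoding": "gzip, deflate, br"}
            status, body = self.transport("GET", self.token_url, hdrs, None)
            if status != 200:  # 401/403 bodies carry {"message": ...} as in the failure table
                raise PermissionError(f"HTTP {status}: {json.loads(body).get('message', '')}")
            p = json.loads(body)
            if p.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type")
            self.token, self.expires_at = p["access_token"], self.now() + int(p["expires_in"])
            self.fetches += 1
        return self.token

    def push(self, url: str, body: bytes) -> Tuple[int, bytes]:
        for attempt in (1, 2):
            hdrs = {"Authorization": f"Bearer {self.access_token()}", "Content-Type": "application/json"}
            status, resp = self.transport("POST", url, hdrs, body)
            if status != 401 or attempt == 2:
                return status, resp
            self.token = None  # token rejected: repeat Step 1 once, then surface the 401

class FakeGateway:
    """Constructed stand-in for the gateway: numbered tokens valid 7200 s, Bearer check on push."""
    def __init__(self, now): self.now, self.issued, self.n = now, {}, 0
    def __call__(self, method, url, headers, body):
        if "authorizer" in url:  # token endpoint: only the assumed credentials "id"/"secret" are accepted
            if headers.get("client-id") != "id" or headers.get("client-secret") != "secret":
                return 401, b'{"message":"JWT token invalid","source":"Derbysoft DGateway2"}'
            self.n += 1; tok = f"tok{self.n}"; self.issued[tok] = self.now() + 7200
            return 200, json.dumps({"access_token": tok, "token_type": "Bearer", "expires_in": 7200}).encode()
        tok = headers.get("Authorization", "").removeprefix("Bearer ")
        if self.issued.get(tok, 0) <= self.now():  # unknown, expired or invalidated token
            return 401, b'{"message":"failed to verify jwt","source":"Derbysoft DGateway2"}'
        return 200, b'{"status":"accepted"}'
```

In production, read the Client ID and Client Secret from a secrets store or environment rather than source, and pass a transport backed by your HTTP library.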


Rotate and Revoke of Client ID and Client Secret

Rotate

Client ID and Client Secret expire every 180 days; the expiry date can be found on the Console>Customer Setting page.

Users who have the appropriate permissions (i.e., Security Owner) can request rotation on the Console>Customer Setting page. If the button is grayed out, you do not have permission to perform the rotation.


Please contact go.help@derbysoft.net to apply for permission if needed.

GO will also send email notifications to the Security Owner every ten days, starting 30 days before expiry, and escalate to a daily reminder during the final 72 hours. Follow the guidance in the email to proceed. Check your spam folder if you cannot find it in your Inbox.




Upon successful rotation, the new Client ID and Client Secret will be sent to the Security Owner’s e-mail address.  

Note: After rotation, your old credentials remain valid for 7 days alongside the new ones; you may continue using them until they become invalid.

Revoke

In case of a suspected security breach, the revoke option will promptly issue you new credentials. Similar to rotation, users who have the appropriate permissions (i.e., Security Owner) can request revocation through the same page in GO Console. 


GO will send an email to the Security Owner for a second confirmation. Following the user’s reconfirmation, the new credentials will be issued to the Security Owner, and the old credentials will be invalidated immediately.