> For the complete documentation index, see [llms.txt](https://developer.siteminder.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://developer.siteminder.com/smx-api/guides/integration-requirements.md).

# Integration Requirements

This page defines the technical standards, security protocols, and operational requirements that apply across all SMX API operations. These requirements ensure reliable, secure, and efficient connectivity between your application and the SiteMinder platform.

## Compliance Policy

All integration partners must adhere to these requirements. Due to the growing number of partner integrations, SiteMinder can no longer accommodate exceptions.

**Non-Compliance Timeline**:

* Partners have **90 days** to remediate non-compliance issues after notification.
* Failure to comply may result in interface deactivation.
* **Critical issues** affecting production stability may result in **immediate temporary suspension**.

***

## Technical Foundation

SMX uses two protocols depending on the operation:

* **Reservations** — SOAP/XML over HTTPS (`OTA_HotelResNotifRQ`)
* **Availability and Rates** — REST/JSON over HTTPS

Both protocols share the same transport and TLS requirements. Authentication differs per protocol — see Security below.

### SOAP Protocol Requirements

SMX Reservations exclusively support **SOAP 1.1**.

**Message Structure Standards**:

* All messages follow SOAP envelope structure
* OTA message must be within `<SOAP-ENV:Body>`
* Requests include SOAP Security Header (see Security)
* Responses must use empty SOAP Header: `<SOAP-ENV:Header/>`
* Content-Type: `application/xml; charset=utf-8` (no other Content-Types accepted)
* Character Encoding: UTF-8 exclusively

{% hint style="danger" %}
SOAP 1.2 or other protocols are **not supported** for reservation messages. Systems using alternative protocols must be modified to use SOAP 1.1.
{% endhint %}

### REST Protocol Requirements

SMX Availability, Restrictions, and Rates use REST/JSON.

**Message Structure Standards**:

* All requests and responses are encoded as **UTF-8**
* Content-Type: `application/json`
* Responses include an `X-SM-REFERENCE-ID` header for request tracing
* Write operations (POST, PUT) return `202 Accepted` with a `messageId` for async status tracking

***

## Security

### Transport Layer Security

**Minimum Standard**: TLS 1.2 or higher

**Requirements**:

* All communication **must** use HTTPS over port 443
* HTTP (non-secure) connections are **prohibited**
* Production endpoints must use valid SSL certificates
* Self-signed certificates are **not supported**

### Authentication

SMX uses different authentication methods per protocol:

**Reservations (SOAP)**

Authentication uses WS-Security (WSSE) UsernameToken within the SOAP Security Header. Credentials are transmitted as plain text within the HTTPS encrypted channel.

* One set of credentials covers all properties in your integration
* Your endpoint must validate credentials on every incoming request
* Invalid credentials must return a SOAP fault with appropriate error code

```xml
<SOAP-ENV:Header>
  <wsse:Security SOAP-ENV:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username>USERNAME</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</SOAP-ENV:Header>
```

**Availability, Restrictions, and Rates (REST)**

Authentication uses **JWT Bearer Token** passed in the `Authorization` header.

* Token obtained via the [SMX Subscriber Admin portal](https://tpi-subscriberx-subscribers.preprod.siteminderlabs.com/)
* Include on every REST request

```bash
Authorization: Bearer {token}
```

{% hint style="info" %}
For further details on JWT, see [jwt.io](https://jwt.io).
{% endhint %}

### Strong Password Policy (Reservations)

**Minimum Requirements**:

* At least **12 characters** long
* Mix of uppercase and lowercase letters
* At least one number
* At least one special character (e.g., `!` `@` `#` `?` `]`)

**Example Strong Password**: `MyP@ssw0rd2024!Secure`

{% hint style="warning" %}
**Restricted Characters**: Do **NOT** use the characters `<` `>` `&` `"` `'` in usernames or passwords as they cause XML parsing issues.
{% endhint %}

### IP Whitelisting (Optional)

Partners may whitelist SiteMinder IPs for additional security.

**Pre-Production IPs**:

* `52.13.134.140`
* `34.213.128.113`
* `35.164.250.223`

**Production IPs**: Provided by the Partner Integrations team during go-live.

{% hint style="success" %}
All SiteMinder requests originate from **port 443** (HTTPS).
{% endhint %}

***

## Configuration

### Endpoint Requirements

**Your Endpoint Requirements** (Partner Provides):

* A single global HTTPS endpoint to receive `OTA_HotelResNotifRQ` reservation messages from SiteMinder
* Must use a **registered domain name** — direct IP addresses are not supported
* Must be accessible via HTTPS on port 443
* Must accept SOAP 1.1 messages with Content-Type `application/xml; charset=utf-8`
* One set of credentials covers all properties — authentication is **application-level**, not property-level

**SiteMinder Endpoints** (SiteMinder Provides):

REST base URL and credentials are provided by the Partner Integrations team during onboarding. DNS TTL must be respected — do not cache IP addresses indefinitely as this will cause connection timeouts.

{% hint style="success" icon="sparkles" %}

## Still have questions?

Use the <i class="fa-gitbook-assistant">:gitbook-assistant:</i> **Ask** button at the top of the page to chat with our AI assistant — it can help you navigate the guide, understand requirements, and troubleshoot issues.

If you need more support, visit [Integration Support](/integration-support/integration-support.md).
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developer.siteminder.com/smx-api/guides/integration-requirements.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.