Authentication

Secure your API requests with API keys and bearer tokens

Overview

The BookingScheduler API uses API keys to authenticate requests. You can view and manage your API keys in your organization settings dashboard.

All API requests must include your API key in the Authorization header using the Bearer authentication scheme.

Generating API Keys

  1. Navigate to Settings

    Log in to your BookingScheduler dashboard and go to Organization Settings

  2. Open API Keys Section

    Click on "API Keys" in the sidebar menu

  3. Create New Key

    Click "Generate New API Key" and give it a descriptive name

  4. Copy and Store Securely

    Copy your API key immediately - you won't be able to see it again

Making Authenticated Requests

Include your API key in the Authorization header:

curl -X GET "https://api.bookingscheduler.com/v1/experiences" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Security Best Practices

1. Keep Your API Keys Secret

Never expose your API keys in public repositories, client-side code, or share them publicly. Treat them like passwords.

2. Use Environment Variables

Store API keys in environment variables, not in your code:

# .env file
BOOKINGSCHEDULER_API_KEY=your_api_key_here

// In your code
const apiKey = process.env.BOOKINGSCHEDULER_API_KEY;

3. Rotate Keys Regularly

Periodically rotate your API keys as a security precaution. You can have multiple active keys during the transition period.

4. Use Different Keys for Different Environments

Create separate API keys for development, staging, and production environments to limit potential security risks.

5. Revoke Compromised Keys Immediately

If you suspect an API key has been compromised, revoke it immediately in your dashboard and generate a new one.

Authentication Errors

Common authentication error responses:

401 Unauthorized - Missing API Key

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "No API key provided. Include your API key in the Authorization header."
  }
}

401 Unauthorized - Invalid API Key

{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The API key provided is invalid or has been revoked."
  }
}

403 Forbidden - Insufficient Permissions

{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "Your API key does not have permission to access this resource."
  }
}
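
The environment-variable practice and the three error responses above can be handled together in one small client. The following is an added example, not BookingScheduler's own code: the function names, the action labels returned by classifyAuthError, and the injectable fetchImpl parameter are hypothetical, and it assumes Node 18+ for the global fetch.

```javascript
const API_BASE = "https://api.bookingscheduler.com/v1";

// Build request headers from the environment; fail closed if the key is unusable.
function buildAuthHeaders(env = process.env) {
  const key = (env.BOOKINGSCHEDULER_API_KEY || "").trim();
  if (!key) throw new Error("BOOKINGSCHEDULER_API_KEY is not set");
  // Whitespace inside the value usually means a bad copy/paste or a quoting error.
  if (/\s/.test(key)) throw new Error("BOOKINGSCHEDULER_API_KEY contains whitespace");
  return { Authorization: `Bearer ${key}`, "Content-Type": "application/json" };
}

// Safe form for logs: never print more than the last four characters.
function redactKey(key) {
  return key.length > 8 ? `****${key.slice(-4)}` : "****";
}

// Map the documented error bodies to an operator action (labels are this example's own).
function classifyAuthError(status, body) {
  const code = body && body.error ? body.error.code : undefined;
  if (status === 401 && code === "UNAUTHORIZED") return "fix_client_header";
  if (status === 401 && code === "INVALID_API_KEY") return "replace_key";
  if (status === 403 && code === "FORBIDDEN") return "check_key_permissions";
  return null; // not one of the documented authentication errors
}

// fetchImpl is injectable so the function can be exercised without network access.
async function getExperiences(fetchImpl = fetch, env = process.env) {
  const headers = buildAuthHeaders(env);
  const res = await fetchImpl(`${API_BASE}/experiences`, { method: "GET", headers });
  const body = await res.json().catch(() => ({}));
  if (res.ok) return body;
  const err = new Error(`BookingScheduler request failed: HTTP ${res.status}`);
  err.action = classifyAuthError(res.status, body); // null: not a key-handling problem
  err.keyHint = redactKey(env.BOOKINGSCHEDULER_API_KEY.trim()); // never the full key
  throw err;
}
```

An error with action "replace_key" is the signal to switch to a rotated key or revoke and regenerate; retrying the same request with the same key will not succeed.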