API Reference

Public REST API endpoints, authentication, rate limits, and webhook events.

Authentication

BookingMachine uses two authentication methods:

Method	Endpoints	How It Works
No auth (public)	/api/v1/public/*	Public endpoints require no authentication. Rate-limited by IP.
Session (business)	/api/v1/business/*	Requires an authenticated NextAuth.js session (JWT). Used by the dashboard.

Info: API access for programmatic integrations is available on Business plans. Public endpoints are available on all plans.

https://bookingmachine.io/api/v1/

These endpoints require no authentication and are used by the widget:

Method	Path	Description
GET	/public/businesses/:slug/config	Business configuration, services, and widget settings
GET	/public/businesses/:slug/availability	Available time slots for a date range
POST	/public/businesses/:slug/bookings	Create a new booking
GET	/public/businesses/:slug/reviews	Public reviews for the business
POST	/public/businesses/:slug/quotes	Calculate a quote based on selections
POST	/public/businesses/:slug/leads	Submit a lead (quote-mode capture)
GET	/public/bookings/:id	Get booking details by ID (public view)
GET	/public/tiers	Available plan tiers and pricing

Require an authenticated session. These power the dashboard:

Method	Path	Description
GET	/business	Current business profile and settings
GET	/business/bookings	List bookings with filters
PUT	/business/bookings/:id/status	Update booking status
GET	/business/customers	List customers
GET	/business/services	List services and pricing
GET	/business/analytics	Revenue and booking analytics
GET	/business/team	List team members
GET/PUT	/business/notification-preferences	Notification settings

All API endpoints are rate-limited using an in-memory sliding window per IP + endpoint. Typical limits:

When rate-limited, the API returns HTTP 429 with a JSON error body.

BookingMachine sends webhook events for Stripe payment processing. Stripe webhooks are handled at /api/v1/webhooks/stripe.

Still have questions? Contact support