API reference
Authentication
Dashboard routes use your logged-in session. Public widget routes use a publishable or server secret API key.
API keys
Keys are created in Settings → API keys. Stored values are hashed (and encrypted at rest for base keys).
- Publishable — prefix baas_publishable_. Intended for browsers, embeds, and mobile apps. Limited to scopes you assign (e.g. availability:read, bookings:write).
- Server secret — prefix baas_server_secret_. Full access for trusted servers only; never expose to clients.
Passing a publishable key (widget API)
Widget routes accept the key in any of these forms:
- Header x-publishable-key: baas_publishable_… (recommended)
- Header Authorization: Bearer baas_publishable_…
- Query string ?key=baas_publishable_… (simple for demos; watch referrer logs in production)
x-publishable-key: baas_publishable_xxxxxxxx
# or
Authorization: Bearer baas_publishable_xxxxxxxx

Affected routes include widget availability, booking, config, and verify.
Dashboard API (session cookie)
Routes such as /api/resources, /api/bookings, /api/tenant, and /api/webhooks/subscriptions expect a valid Supabase session: the user must be signed in to your deployment (same site). From the browser, fetch sends the session cookie automatically; if you integrate server-to-server differently, forward the session from your authenticated app.
No API key required for dashboard JSON
getUser() on the server and resolve tenant_id from the users table. They are not designed for third-party anonymous access.
Scopes
Publishable keys are checked against scopes (e.g. availability:read, bookings:write). Server secret keys bypass scope checks for widget validators. Configure scopes when creating keys in the dashboard.