API reference
Authentication
Dashboard routes use your logged-in session. Public widget routes use a publishable or server secret API key.
API keys
Keys are created in Settings → API keys. Stored values are hashed (and encrypted at rest for base keys).
- Publishable. Prefix zentier_publishable_. Intended for browsers, embeds, and mobile apps. Limited to scopes you assign (e.g. availability:read, bookings:write).
- Server secret. Prefix zentier_server_secret_. Full access for trusted servers only; never expose to clients.
How to get a server secret key
.env). Server secret keys grant full permissions (all scopes) and must never be used in frontend code, JavaScript bundles, or mobile apps.
Passing a publishable key (widget API)
Widget routes accept the key in any of these forms:
- Header x-publishable-key: zentier_publishable_… (recommended)
- Header Authorization: Bearer zentier_publishable_…
- Query string ?key=zentier_publishable_… (simple for demos; watch referrer logs in production)
x-publishable-key: zentier_publishable_xxxxxxxx
# or
Authorization: Bearer zentier_publishable_xxxxxxxx
Affected routes include widget availability, booking, config, and verify.
Dashboard API (session cookie)
Routes such as /api/resources, /api/bookings, /api/tenant, and /api/webhooks/subscriptions expect a valid Supabase session: the user must be signed in to your deployment (same site). From the browser, fetch sends the session cookie automatically; if you integrate server-to-server differently, forward the session from your authenticated app.
No API key required for dashboard JSON
getUser() on the server and resolve tenant_id from the users table. They are not designed for third-party anonymous access.
Scopes
Publishable keys are checked against scopes (e.g. availability:read, bookings:write). Server secret keys bypass scope checks for widget validators. Configure scopes when creating keys in the dashboard.
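The key handling described under "Passing a publishable key" and "Scopes", written out as an added example that is not the project's own code: it reads the key from the three accepted forms, classifies it by prefix, and applies the scope rule. The function names, the lookup order, the lowercase header object, and the rejection of a server secret sent in the query string are assumptions of this example.

```javascript
// Added example (hypothetical names); not the service's implementation.
const PUBLISHABLE_PREFIX = "zentier_publishable_";
const SERVER_SECRET_PREFIX = "zentier_server_secret_";

// Read the key from the three forms the page lists.
// Assumes `headers` has lowercase names (as Node's req.headers does).
// The precedence header > bearer > query is an assumption.
function extractKey(headers, url) {
  const direct = headers["x-publishable-key"];
  if (direct) return { key: direct.trim(), source: "header" };
  const bearer = /^Bearer\s+(\S+)$/i.exec(headers["authorization"] || "");
  if (bearer) return { key: bearer[1], source: "bearer" };
  // The base URL only lets relative request paths parse; it is never contacted.
  const q = new URL(url, "https://example.invalid").searchParams.get("key");
  if (q) return { key: q, source: "query" };
  return null;
}

// Classify a key by the prefixes documented on the page.
function keyKind(key) {
  if (key.startsWith(SERVER_SECRET_PREFIX)) return "server_secret";
  if (key.startsWith(PUBLISHABLE_PREFIX)) return "publishable";
  return "unknown";
}

// Decide whether a request may use a route that needs `requiredScope`.
// `grantedScopes` stands in for the scopes stored with the key (constructed input).
function authorize(headers, url, grantedScopes, requiredScope) {
  const found = extractKey(headers, url);
  if (!found) return { ok: false, reason: "missing_key" };
  const kind = keyKind(found.key);
  if (kind === "unknown") return { ok: false, reason: "bad_prefix" };
  if (kind === "server_secret") {
    // Policy of this example: a full-access key in a URL would land in
    // access and referrer logs, so refuse it instead of honouring it.
    if (found.source === "query") return { ok: false, reason: "secret_in_query" };
    return { ok: true, kind, source: found.source }; // scope check bypassed
  }
  if (!grantedScopes.includes(requiredScope)) {
    return { ok: false, reason: "missing_scope" };
  }
  return { ok: true, kind, source: found.source };
}
```

A real validator would also confirm that the presented key exists, by comparing its hash with the stored value, before trusting the prefix.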