API reference

Endpoints

Base URL is your deployment origin. All paths are relative to it (e.g. https://your-app.vercel.app).

Authentication legend

Session — Supabase session cookie; user must be logged in on this app.
Publishable key — x-publishable-key, Authorization: Bearer, or ?key=.

Dashboard & tenant (session)

Typical use: dashboard UI or authenticated pages on the same origin.

GET/api/tenantSession

Tenant profile and company fields for the current user.

PATCH/api/tenantSession

Update allowed tenant / company fields.

GET/api/resourcesSession

List resources for the tenant.

POST/api/resourcesSession

Create a resource (type, name, capacity, meta).

GET/api/resources/[id]Session

Get one resource.

PATCH/api/resources/[id]Session

Update resource.

DELETE/api/resources/[id]Session

Delete resource.

GET/api/schedulesSession

List schedules (optional filters).

POST/api/schedulesSession

Create schedule.

GET/api/schedules/[id]Session

Get schedule.

PATCH/api/schedules/[id]Session

Update schedule.

DELETE/api/schedules/[id]Session

Delete schedule.

GET/api/availabilitySession

Availability for tenant resources (query: dates, resource_id, etc.).

GET/api/bookingsSession

List bookings with optional filters (status, resource_id, dates, search).

POST/api/bookingsSession

Create booking (dashboard flow).

GET/api/bookings/[id]Session

Get booking.

PATCH/api/bookings/[id]Session

Update booking.

POST/api/bookings/[id]/statusSession

Transition booking status.

GET/api/bookings/by-sessionPublishable key

Look up booking by legacy Stripe Checkout session id (older embed return URLs).

GET/api/api-keysSession

List API keys (metadata).

POST/api/api-keysSession

Create API key.

GET/api/api-keys/baseSession

Base publishable key handling (per product rules).

GET/api/widget-configsSession

List widget configurations.

POST/api/widget-configsSession

Create widget configuration.

GET/api/widget-configs/[id]Session

Get widget configuration.

PATCH/api/widget-configs/[id]Session

Update widget configuration.

DELETE/api/widget-configs/[id]Session

Delete widget configuration.

POST/api/widget-configs/[id]/set-defaultSession

Set default widget config.

POST/api/widget-configs/[id]/duplicateSession

Duplicate widget config.

GET/api/webhooks/subscriptionsSession

List webhook subscriptions.

POST/api/webhooks/subscriptionsSession

Create webhook (returns secret once).

DELETE/api/webhooks/subscriptions?id=Session

Delete webhook by id query param (owner/admin).

GET/api/usersSession

List users in tenant.

POST/api/usersSession

Invite / create user (per handler rules).

PATCH/api/users/[id]Session

Update user.

DELETE/api/users/[id]Session

Remove user.

GET/api/analyticsSession

Analytics summary.

POST/api/slots/generateSession

Generate slots.

POST/api/slots/ensureSession

Ensure slots exist.

POST/api/slots/deleteSession

Delete slots (bulk/helper).

POST/api/payments/create-sessionSession

Create Mollie payment for a booking (connected Mollie account).

GET/api/payments/mollie-fee-configSession

Connect application-fee readiness: live OAuth org id vs platform org, ineligibility codes, no API keys.

GET/api/mollie/connectSession

Mollie Connect OAuth: ?action=authorize or ?action=status.

GET/api/mollie/connect/callbackSession

Mollie Connect OAuth callback (Mollie redirects here after authorization).

POST/api/mollie/connect/client-linkSession

Mollie Client Link prefilled onboarding: returns url and sets an OAuth state cookie.

POST/api/mollie/connectSession

Optional token exchange: body code + state (must match signed-in tenant).

PATCH/api/mollie/connect/profileSession

Choose Mollie website profile when the connected organization has multiple profiles.

GET/api/stripe/connectSession

Legacy: Stripe Connect onboarding (if still enabled).

GET/api/stripe/connect/callbackSession

Legacy: Stripe Connect OAuth callback.

GET/api/email/templatesSession

List email templates.

POST/api/email/templatesSession

Create email template.

GET/api/email/templates/[id]Session

Get template.

PATCH/api/email/templates/[id]Session

Update template.

DELETE/api/email/templates/[id]Session

Delete template.

GET/api/email/preferencesSession

Email notification preferences.

PATCH/api/email/preferencesSession

Update preferences.

POST/api/uploadSession

Upload asset (e.g. logos), per handler.

GET/api/onboardingSession

Onboarding state; creates tenant for new OAuth users when needed.

POST/api/onboardingSession

Save onboarding progress.

PATCH/api/onboardingSession

Complete onboarding.

POST/api/account/deleteSession

Permanently delete tenant (owner-only, confirmation phrases).

Use from embeds, SPAs, or mobile clients. Requires correct scopes on the key.

GET/api/widget/availabilityPublishable key

Slots / availability for a resource and date range (query params).

GET/api/widget/configPublishable key

Widget configuration JSON for branding and flow.

POST/api/widget/bookingPublishable key

Create booking / start payment flow (bookings:write).

POST/api/widget/verifyPublishable key

Start email/SMS verification if enabled on widget.

POST/api/widget/verify/confirmPublishable key

Confirm verification code.

Platform webhooks (incoming to your app)

POST/api/webhooks/mollieMollie

Mollie webhook endpoint (payment state updates).

POST/api/webhooks/stripeStripe signature

Legacy Stripe webhook endpoint (if still in use).

Auth & registration (public)

POST/api/auth/send-codePublic

Send email verification code (registration flow).

POST/api/auth/verify-codePublic

Verify code.

POST/api/auth/create-tenantPublic

Create tenant after verified signup (server validates auth user).

Cron and admin routes exist for operations and migrations; they are not listed here. See Authentication and Webhooks for related behavior.

Endpoints

Authentication legend

Dashboard & tenant (session)

Public widget API (publishable key)

Platform webhooks (incoming to your app)

Auth & registration (public)