Authentication
Create tokens under Settings > API & Webhooks. The clear secret is displayed once after creation; store it in a secret manager.
Scopes
read: verify the token and read availability, services, providers, customers, and reservations.write: use mutation endpoints. Write access also includes read access.
Use the least-privileged scope required by the integration.
Bearer token
curl "https://example.com/wp-json/thebooking/v1/API/auth/verify/" \
-H "Authorization: Bearer $TBK_API_TOKEN"
API key header
curl "https://example.com/wp-json/thebooking/v1/API/auth/verify/" \
-H "X-TBK-API-Key: $TBK_API_TOKEN"
Do not send both headers. Never place tokens in URLs or browser-side source code.
Verify response
{
"status": "OK",
"response": {
"name": "Automation production",
"scopes": ["read", "write"],
"siteUrl": "https://example.com"
}
}
Token usage records the last usage time and source IP. Revoke tokens that are no longer required.