Skip to main content

Authentication

Create tokens under Settings > API & Webhooks. The clear secret is displayed once after creation; store it in a secret manager.

Scopes

  • read: verify the token and read availability, services, providers, customers, and reservations.
  • write: use mutation endpoints. Write access also includes read access.

Use the least-privileged scope required by the integration.

Bearer token

curl "https://example.com/wp-json/thebooking/v1/API/auth/verify/" \
-H "Authorization: Bearer $TBK_API_TOKEN"

API key header

curl "https://example.com/wp-json/thebooking/v1/API/auth/verify/" \
-H "X-TBK-API-Key: $TBK_API_TOKEN"

Do not send both headers. Never place tokens in URLs or browser-side source code.

Verify response

{
"status": "OK",
"response": {
"name": "Automation production",
"scopes": ["read", "write"],
"siteUrl": "https://example.com"
}
}

Token usage records the last usage time and source IP. Revoke tokens that are no longer required.