
Authentication

Overview

API keys authenticate your requests to Reservly. Generate keys from your dashboard under Settings → Integrations. Every key uses the format rsvly_ followed by 64 hexadecimal characters.

Using Your API Key

Include your key in the Authorization header as a Bearer token:

curl https://reservly.io/api/public/luxe-salon/services \
  -H "Authorization: Bearer rsvly_your_key_here"

Scopes

Each API key is assigned a scope that determines which operations it can perform.

| Scope | Access | Use Case |
|---|---|---|
| read | GET endpoints only | Read-only integrations, dashboards |
| write | GET + POST endpoints | Booking bots, automation |
| all | Everything | Full access |

Which Endpoints Need Authentication?

All GET endpoints are public and do not require an API key. Anyone can read your business info, services, staff, events, rentals, and available time slots without authenticating.

POST /book requires an API key with write or all scope — unauthenticated requests are rejected with 401. Authenticated requests are rate limited to 100 requests per minute and support source tracking for your bookings.

Security Best Practices

  • Never expose keys in client-side code. API keys should only be used in server-to-server requests or backend environments.
  • Use environment variables. Store your key in an environment variable (e.g. RESERVLY_API_KEY) rather than hardcoding it.
  • Rotate keys if compromised. If a key is accidentally exposed, revoke it immediately in Settings and generate a new one.
  • Use the minimum required scope. If your integration only reads data, use a read scope key. Only use write or all when you need to create bookings.
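
The first two practices above can be checked mechanically. The following is an added example, not Reservly's own code: it loads the key from RESERVLY_API_KEY, validates it against the documented rsvly_ + 64 hex format, and scans a directory (for instance a front-end build output) for keys that ended up in files. The function names are illustrative, and accepting upper-case hex is an assumption because the page does not specify case.

```python
import os
import re
import sys

# Key format stated on this page: "rsvly_" followed by 64 hexadecimal characters.
# Accepting upper-case hex as well is an assumption; the page does not specify case.
KEY_RE = re.compile(r"rsvly_[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def load_key(env=os.environ):
    """Read the key from RESERVLY_API_KEY and reject anything malformed."""
    key = env.get("RESERVLY_API_KEY", "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError("RESERVLY_API_KEY is missing or not rsvly_ + 64 hex characters")
    return key


def redact(text):
    """Mask keys so log lines and findings never contain the full secret."""
    return KEY_RE.sub(lambda m: m.group(0)[:10] + "...[redacted]", text)


def scan_text(name, text):
    """Return (name, line number, redacted line) for every line holding a key."""
    return [(name, n, redact(line.strip()))
            for n, line in enumerate(text.splitlines(), 1)
            if KEY_RE.search(line)]


def scan_tree(root):
    """Scan every readable file under root, e.g. a front-end build directory."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(path, fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings


if __name__ == "__main__":
    # Exit non-zero when a key is found, so a CI job or pre-commit hook fails.
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, line_no, line in hits:
        print(f"{path}:{line_no}: {line}")
    sys.exit(1 if hits else 0)
```

Run as a script with a directory argument, it prints each finding with the key masked and exits with status 1, which makes it usable as a pre-commit or CI gate.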