Authentication
Overview
API keys authenticate your requests to Reservly. Generate keys from your dashboard under Settings → Integrations. Every key uses the format rsvly_ followed by 64 hexadecimal characters.
Using Your API Key
Include your key in the Authorization header as a Bearer token:
```bash
curl https://reservly.io/api/public/luxe-salon/services \
  -H "Authorization: Bearer rsvly_your_key_here"
```
Scopes
Each API key is assigned a scope that determines which operations it can perform.
| Scope | Access | Use Case |
|---|---|---|
| read | GET endpoints only | Read-only integrations, dashboards |
| write | GET + POST endpoints | Booking bots, automation |
| all | Everything | Full access |
Which Endpoints Need Authentication?
All GET endpoints are public and do not require an API key. Anyone can read your business info, services, staff, events, rentals, and available time slots without authenticating.
POST /book can be used without an API key, but unauthenticated requests are subject to a lower rate limit of 10 requests per minute. Providing an API key increases the limit to 100 requests per minute and enables source tracking for your bookings.
Security Best Practices
- Never expose keys in client-side code. API keys should only be used in server-to-server requests or backend environments.
- Use environment variables. Store your key in an environment variable (e.g. `RESERVLY_API_KEY`) rather than hardcoding it.
- Rotate keys if compromised. If a key is accidentally exposed, revoke it immediately in Settings and generate a new one.
- Use the minimum required scope. If your integration only reads data, use a `read` scope key. Only use `write` or `all` when you need to create bookings.
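The sketch below is an added example, not code from Reservly. It applies two of the practices above: loading the key from `RESERVLY_API_KEY` with a format check, and scanning text such as a front-end bundle for hardcoded keys using the documented `rsvly_` + 64 hex format. The function names are hypothetical, and matching both upper- and lowercase hex is an assumption.

```python
import os
import re

# Key format stated on this page: "rsvly_" followed by 64 hexadecimal characters.
# Assumption: either letter case may appear, so both are matched.
# The lookahead stops a longer hex run from being reported as a key.
KEY_RE = re.compile(r"rsvly_[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def load_api_key(env=os.environ):
    """Read the key from RESERVLY_API_KEY and reject malformed values early."""
    key = env.get("RESERVLY_API_KEY", "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError("RESERVLY_API_KEY is missing or not rsvly_ + 64 hex chars")
    return key


def redact(key):
    """Keep only enough of the key to identify it in a report."""
    return key[:10] + "..." + key[-4:]


def find_hardcoded_keys(text):
    """Return (line_number, redacted_key) for every key embedded in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


# Constructed sample: a front-end file with a key pasted in (not a real key).
FAKE_KEY = "rsvly_" + "0123456789abcdef" * 4
SAMPLE_JS = (
    "const base = 'https://reservly.io/api/public/luxe-salon';\n"
    f"const headers = {{ Authorization: 'Bearer {FAKE_KEY}' }};\n"
    "const placeholder = 'rsvly_your_key_here';\n"
)

if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_JS):
        print(f"line {lineno}: hardcoded Reservly key {key}")
```

Running `find_hardcoded_keys` over built client assets or a commit diff in CI catches a pasted key before it ships; any hit should be treated as an exposed key and rotated.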