Getting Started
Authentication
The Salonify API authenticates every request with an API key. Keys are scoped, revocable, and tied to a single business.
PRO plan required
API keys
Salonify keys are prefixed with sk_live_. Only a SHA-256 hash is stored on our side, so the full value is shown exactly once at creation. If you lose it, rotate the key.
Creating, rotating, and revoking keys
Manage keys in the dashboard under Settings → Developer:
- Create: name the key, choose scopes, optionally set an expiry date.
- Rotate: create a new key, deploy it, then revoke the old one for zero downtime.
- Revoke: revoking is immediate and irreversible. Subsequent requests with that key return
401.
Using your key
Send the key in the X-API-Key header on every request:
curl "https://api.salonify.eu/api/v1/businesses/{businessId}/services" \
-H "X-API-Key: sk_live_your_key_here"Scopes
A key only carries the scopes you grant it. Each protected route requires a specific resource:action scope. A :write scope does not imply :read; grant both when an integration needs to read and write. Some sensitive routes (refunds, payouts, billing, deletions of programs or businesses) are never available to API keys, regardless of scope.
Authentication errors
{
"statusCode": 401,
"message": "Invalid API key",
"error": "Unauthorized"
}{
"statusCode": 403,
"message": "API key missing required scope: bookings:write",
"error": "Forbidden"
}Security best practices
Keep keys server-side
- Never embed keys in browser, mobile, or other client-side code, and never commit them to version control. Call the API from your own server.
- Store keys in a secret manager or environment variables, not in source.
- Grant the least privilege: only the scopes an integration actually needs.
- Use a separate key per integration so you can revoke one without affecting others.
- Rotate keys regularly and set expiry dates on temporary keys.
- Revoke unused keys immediately and audit your active keys periodically.
- Restrict outbound calls to
https://api.salonify.euand validate TLS.
Next: review Rate Limits and the Errors reference.