Getting Started

Authentication

The Salonify API authenticates every request with an API key. Keys are scoped, revocable, and tied to a single business.

PRO plan required

API keys can only be created on the PRO and ENTERPRISE plans. Each business may hold up to 5 active keys.

API keys

Salonify keys are prefixed with sk_live_. Only a SHA-256 hash is stored on our side, so the full value is shown exactly once at creation. If you lose it, rotate the key.

Creating, rotating, and revoking keys

Manage keys in the dashboard under Settings → Developer:

  • Create: name the key, choose scopes, optionally set an expiry date.
  • Rotate: create a new key, deploy it, then revoke the old one for zero downtime.
  • Revoke: revoking is immediate and irreversible. Subsequent requests with that key return 401.

Using your key

Send the key in the X-API-Key header on every request:

curl "https://api.salonify.eu/api/v1/businesses/{businessId}/services" \
  -H "X-API-Key: sk_live_your_key_here"

Scopes

A key only carries the scopes you grant it. Each protected route requires a specific resource:action scope. A :write scope does not imply :read; grant both when an integration needs to read and write. Some sensitive routes (refunds, payouts, billing, deletions of programs or businesses) are never available to API keys, regardless of scope.

ScopeGrants
bookings:readRead bookings and appointments
bookings:writeCreate, reschedule, and cancel bookings
services:readRead services, variants, and pricing
services:writeCreate, update, and delete services
staff:readRead staff members
staff:writeCreate and update staff members
customers:readRead customer records
customers:writeCreate and update customer records
schedule:readRead business hours and staff schedules
schedule:writeUpdate business hours and staff schedules
availability:readRead open slots and availability
products:readRead retail products and inventory
products:writeCreate and update products
gift-cards:readRead gift cards and balances
gift-cards:writeIssue and redeem gift cards
loyalty:readRead loyalty points, stamps, and rewards
loyalty:writeAdjust points and grant rewards
reviews:readRead customer reviews
payments:readRead transactions and payments (read only)
analytics:readRead reporting and analytics (read only)
locations:readRead multilocation branches
locations:writeCreate and update locations
business:readRead business profile and settings

Authentication errors

401 Unauthorized — missing or invalid key
{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}
403 Forbidden — key missing a required scope
{
  "statusCode": 403,
  "message": "API key missing required scope: bookings:write",
  "error": "Forbidden"
}

Security best practices

Keep keys server-side

Treat API keys like passwords. A leaked key can read and modify your business data within its scopes.
  • Never embed keys in browser, mobile, or other client-side code, and never commit them to version control. Call the API from your own server.
  • Store keys in a secret manager or environment variables, not in source.
  • Grant the least privilege: only the scopes an integration actually needs.
  • Use a separate key per integration so you can revoke one without affecting others.
  • Rotate keys regularly and set expiry dates on temporary keys.
  • Revoke unused keys immediately and audit your active keys periodically.
  • Restrict outbound calls to https://api.salonify.eu and validate TLS.

Next: review Rate Limits and the Errors reference.