
Authentication

Create an org-scoped API key and authenticate Booking API requests. Channel webhooks use a separate per-connection secret.

There are two independent credentials, for two different surfaces:

  • Booking API (/public/trpc/*) is authenticated with an org-scoped API key.
  • Channel webhooks (/webhooks/channel/:connectionId) are authenticated with a per-connection secret set when the connection is created. That is covered in Connect a custom OTA.

This page is about the API key.

Create an API key

An operator creates the key inside the StayBind console, under Settings → API keys. A key is scoped to one organization: every call made with it can only read and write that org's data. Treat it like a password: it grants booking and cancellation rights for the org.

API keys are shown once at creation. Store the key in a secret manager, never in client-side code or a public repo. If a key leaks, revoke it from the same Settings screen and issue a new one.
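
One way to enforce the "never in client-side code or a public repo" rule is to scan the tree before each commit or build. The script below is an added example, not StayBind tooling; the key pattern (`sb_live_` plus at least 20 characters) is an assumption inferred from the placeholder shown on this page, and `scan_for_keys` is a hypothetical name.

```shell
#!/bin/sh
# Added example: find StayBind-style API keys committed to a source tree.
# Assumption: keys are the "sb_live_" prefix followed by at least 20
# letters, digits, "_" or "-". Adjust KEY_RE if your keys differ.
KEY_RE='sb_live_[A-Za-z0-9_-]{20,}'

# Print "file:line" for each candidate key under $1. The key itself is
# never echoed, so CI logs do not become a second leak.
# Returns 0 when the tree is clean, 1 when a candidate was found.
scan_for_keys() {
  root=$1
  # -I skips binary files, -o isolates the match so the documentation
  # placeholder (prefix followed only by "x") can be filtered out.
  hits=$(grep -rInoE --exclude-dir=.git "$KEY_RE" "$root" 2>/dev/null \
    | grep -vE 'sb_live_x+$' \
    | cut -d: -f1,2 | sort -u)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Stand-alone use: sh scan.sh <directory>
if [ "$#" -gt 0 ]; then
  scan_for_keys "$1"
fi
```

Run it from a pre-commit hook or CI step; the non-zero exit status blocks the commit or build. A hit on an already pushed commit means the key should be revoked and reissued, not just deleted from the file.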

Send the key

Pass the key on every Booking API request, in either header (both are accepted):

x-api-key: sb_live_xxxxxxxxxxxxxxxxxxxx

or

Authorization: Bearer sb_live_xxxxxxxxxxxxxxxxxxxx

A request without a valid key to an authenticated procedure returns UNAUTHORIZED (HTTP 401).

Verify it works

The health procedure needs no key and the properties procedure needs a valid one, so this is a quick two-step check:

# No key required
curl https://api.staybind.com/public/trpc/health
# {"result":{"data":"OK"}}

# Key required
curl https://api.staybind.com/public/trpc/properties \
  -H "x-api-key: $STAYBIND_API_KEY"
# {"result":{"data":[ ... your org's active properties ... ]}}

If the second call returns 401, the key is missing, malformed, revoked, or for a different environment.

What an API key can and cannot do

The Booking API is narrow by design. With a key you can:

  • list active properties and search availability,
  • get a server-priced quote,
  • create and cancel bookings, open a self-serve checkout,
  • drive the guest KYC link flow.

You cannot reach operator-only surfaces (staff, channels, billing, analytics, audit), read another org's data, or move money outside the booking/checkout flow. Those live behind the session-authenticated operator API, which is not part of this integration surface.

Next: Quickstart.