Authentication
Create an org-scoped API key and authenticate Booking API requests. Channel webhooks use a separate per-connection secret.
There are two independent credentials, for two different surfaces:
- Booking API (/public/trpc/*) is authenticated with an org-scoped API key.
- Channel webhooks (/webhooks/channel/:connectionId) are authenticated with a per-connection secret set when the connection is created. That is covered in Connect a custom OTA.
This page is about the API key.
Create an API key
An operator creates the key inside the StayBind console, under Settings → API keys. A key is scoped to one organization: every call made with it can only read and write that org's data. Treat it like a password: it grants booking and cancellation rights for the org.
API keys are shown once at creation. Store the key in a secret manager, never in client-side code or a public repo. If a key leaks, revoke it from the same Settings screen and issue a new one.
Send the key
Pass the key on every Booking API request, in either header (both are accepted):
x-api-key: sb_live_xxxxxxxxxxxxxxxxxxxx
or
Authorization: Bearer sb_live_xxxxxxxxxxxxxxxxxxxx
A request without a valid key to an authenticated procedure returns UNAUTHORIZED (HTTP 401).
Verify it works
The health procedure needs no key and the properties procedure needs a valid one, so this is a quick two-step check:
curl https://api.staybind.com/public/trpc/health
# {"result":{"data":"OK"}}
curl https://api.staybind.com/public/trpc/properties \
-H "x-api-key: $STAYBIND_API_KEY"
# {"result":{"data":[ ... your org's active properties ... ]}}
If the second call returns 401, the key is missing, malformed, revoked, or for a different environment.
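The same two-step check as a reusable script, added here as an example and not taken from StayBind's own code. It keeps the key off the curl command line and separates "API unreachable" from "key rejected". The function names, STAYBIND_BASE_URL, the assumed key alphabet and the assumption that a successful call returns HTTP 200 are not from this page.

```shell
# Added example, not StayBind's code. Paths and the x-api-key header are from
# this page; function names, STAYBIND_BASE_URL, the key alphabet and the
# 200-on-success status are assumptions of this sketch.
STAYBIND_BASE_URL="${STAYBIND_BASE_URL:-https://api.staybind.com}"

# Reject empty keys and anything outside [A-Za-z0-9_] (assumed alphabet), so a
# stray quote or newline cannot break out of the curl config line below.
key_is_wellformed() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Print only the HTTP status of a GET. The key goes to curl as a config line on
# stdin (-K -), so it never shows up in the process list.
http_status() {  # usage: http_status <path> [api-key]
  if [ -n "${2:-}" ]; then
    printf 'header = "x-api-key: %s"\n' "$2" |
      curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -K - "$STAYBIND_BASE_URL$1"
  else
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$STAYBIND_BASE_URL$1"
  fi
}

# Turn the two status codes into one verdict.
diagnose() {  # usage: diagnose <health-status> <properties-status>
  case "$1:$2" in
    200:200) echo "ok" ;;
    200:401) echo "key-rejected" ;;   # missing, malformed, revoked, or wrong environment
    200:*)   echo "unexpected-$2" ;;
    *)       echo "api-unreachable" ;; # health failed, so this is not a key problem
  esac
}

# Two-step check using $STAYBIND_API_KEY; prints a verdict, never the key.
staybind_check() {
  if ! key_is_wellformed "${STAYBIND_API_KEY:-}"; then
    echo "key-malformed"; return 2
  fi
  sb_health=$(http_status /public/trpc/health) || sb_health=000
  sb_props=$(http_status /public/trpc/properties "$STAYBIND_API_KEY") || sb_props=000
  sb_verdict=$(diagnose "$sb_health" "$sb_props")
  echo "$sb_verdict"
  [ "$sb_verdict" = ok ]
}
```

Source the file and run staybind_check; it exits 0 only when both calls succeed, which makes it usable as a deploy-time or post-rotation check.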
What an API key can and cannot do
The Booking API is narrow by design. With a key you can:
- list active properties and search availability,
- get a server-priced quote,
- create and cancel bookings, open a self-serve checkout,
- drive the guest KYC link flow.
You cannot reach operator-only surfaces (staff, channels, billing, analytics, audit), read another org's data, or move money outside the booking/checkout flow. Those live behind the session-authenticated operator API, which is not part of this integration surface.
Next: Quickstart.