Authentication
BOOQR supports API Key authentication for server-to-server integrations and OAuth 2.0 for third-party applications.
API Key Authentication
API keys are the simplest way to authenticate. Create a key in your admin dashboard under API Keys. Include the key in the Authorization header:
API Key header
```http
Authorization: Bearer booqr_your_api_key
```
API Key Scopes
Each API key can be assigned specific scopes to limit access:
| Scope | Description |
|---|---|
| bookings:read | Read booking data |
| bookings:write | Create and update bookings |
| objects:read | Read objects and availability |
| objects:write | Manage objects |
| webhooks:read | Read webhook configurations |
| webhooks:write | Manage webhooks |
| devices:read | Read device and door data |
| devices:write | Manage devices and doors |
OAuth 2.0
For third-party applications that need to act on behalf of a tenant, use OAuth 2.0 with the Authorization Code flow.
1. Register an OAuth Client
Create an OAuth client in your admin dashboard under API Keys → OAuth Clients. You'll receive a client_id and client_secret.
2. Redirect to Authorization
Authorization request
```http
GET /api/oauth/authorize
?client_id=your_client_id
&redirect_uri=https://your-app.com/callback
&response_type=code
&scope=bookings:read objects:read
&state=random_state_string
```
3. Exchange Code for Token
Token exchange
```bash
curl -X POST "https://your-domain.booqr.nl/api/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "auth_code_from_redirect",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/callback"
  }'
```
4. Use the Access Token
OAuth Bearer header
```http
Authorization: Bearer oauth_access_token
```
Security Best Practices
- Never expose API keys in client-side code
- Use environment variables to store keys
- Rotate keys periodically
- Use the minimum required scopes
- Monitor API usage in your dashboard
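
The Authorization Code flow from steps 2 to 4, as an added Python example that is not BOOQR's own code: it generates the state value, checks it on the callback before accepting the code, and builds the token request with the client secret read from the environment. The function names and the environment variable names BOOQR_CLIENT_ID and BOOQR_CLIENT_SECRET are assumptions; the host and redirect URI are the page's placeholders.

```python
import hmac
import os
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders taken from the page; replace with your tenant's values.
BASE_URL = "https://your-domain.booqr.nl"
REDIRECT_URI = "https://your-app.com/callback"


def build_authorize_url(client_id, scopes, base_url=BASE_URL, redirect_uri=REDIRECT_URI):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-separated; urlencode percent-encodes it
        "state": state,
    })
    return f"{base_url}/api/oauth/authorize?{query}", state


def extract_code(callback_url, expected_state):
    """Return the authorization code only if the callback echoes our state."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time comparison. A missing or different state means the callback
    # does not belong to the request this session started, so it is rejected.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request_body(code, redirect_uri=REDIRECT_URI):
    """JSON body for POST /api/oauth/token; credentials come from the environment.
    BOOQR_CLIENT_ID / BOOQR_CLIENT_SECRET are assumed variable names."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": os.environ["BOOQR_CLIENT_ID"],
        "client_secret": os.environ["BOOQR_CLIENT_SECRET"],
        "redirect_uri": redirect_uri,
    }
```
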