API Keys

Common Tasks

How to Create an API Key (Generate Key, Add Key)

Create a new API key to give an external application access to your organization's data.

1. Go to Settings in the main navigation
2. Under the DEVELOPER section, click API Keys
3. Click Create API Key
4. Enter a Name for the key (e.g. "Website Booking Widget")
5. Select Scopes: check Read (for querying data) and/or Write (for creating reservations)
6. Optionally enter Allowed Origins as comma-separated domains (e.g. https://example.com)
7. Optionally adjust the Rate Limit (requests per minute, default 60)
8. Click Create Key
9. A dialog appears showing the full API key. Click the copy button to copy it to your clipboard

Result: The key appears in the API Keys table with status Active. You can now use it to authenticate requests to the Public Booking API.

How to Revoke an API Key (Disable Key, Deactivate Key)

Revoke a key to immediately block access without permanently deleting it.

1. Go to Settings → API Keys
2. Find the key in the table and click the ban icon in the Actions column
3. Confirm in the dialog

Result: The key shows a Revoked badge. Applications using this key immediately receive 401 Unauthorized responses.

How to Delete an API Key (Remove Key, Permanently Delete)

Permanently remove a key and its usage logs.

1. Go to Settings → API Keys
2. Find the key in the table and click the trash icon in the Actions column
3. Confirm in the dialog

Result: The key is permanently removed. This cannot be undone.

How to View API Key Usage

The API Keys table shows usage information for each key:

• Key — the key prefix (e.g. qv_pk_abc12345...)
• Scopes — the permissions assigned (Read, Write, or both)
• Status — Active or Revoked
• Last Used — when the key was last used (e.g. "2 days ago" or "Never")

Key Concepts

Scopes

Each API key has one or more scopes that control what it can access:

• Read — query availability, services, packages, and retrieve reservation details
• Write — create new reservations

A key with only Read scope cannot create reservations. A key with only Write scope cannot query services or availability. Most integrations need both.

Rate Limits

Each key has a configurable rate limit measured in requests per minute. The default is 60 requests per minute. You can set this between 1 and 1000 when creating the key. When the limit is exceeded, the API returns a 429 Too Many Requests response.

Allowed Origins

Restrict which domains can use the key by setting allowed origins. This is useful when the API key is used from a browser (e.g. a booking widget on your website). If no origins are specified, all origins are allowed. Enter origins as comma-separated values (e.g. https://example.com, https://booking.example.com).

Key Security

Only the SHA-256 hash of the key is stored in the database. The full key is displayed once at creation and cannot be retrieved afterward. If a key is compromised, revoke it immediately and create a new one.

Troubleshooting

API Key Not Working

Cause: Key may be revoked, expired, or missing the required scope.

Fix: In Settings → API Keys, check that the key status is Active (not Revoked). Verify that the key has the correct scopes for the endpoints you are calling (e.g. Write scope is needed to create reservations). If the key has an expiration date, check that it has not passed.

"Origin Not Allowed" Error (403 Forbidden)

Cause: The request is coming from a domain not listed in the key's allowed origins.

Fix: Add the requesting domain to the key's Allowed Origins list, or remove all origins to allow any domain. You may need to delete the key and create a new one with the correct origins.

Rate Limit Exceeded (429 Too Many Requests)

Cause: The key has exceeded its requests-per-minute limit.

Fix: Reduce the frequency of API calls, or create a new key with a higher rate limit (up to 1000 requests per minute).