Getting Started with the API

What is the M2M API?

The Reservie Machine-to-Machine (M2M) API lets external systems access your Reservie data programmatically. Use it to connect CRM integrations, reporting dashboards, custom apps, or any system that needs to read or update your customer and booking data.

The M2M API is a separate gateway from the admin UI — it has its own authentication, its own base URL, and fine-grained access controls so you can grant each integration only the permissions it needs.

How it works

The flow has three steps:

Create an API client in the Reservie admin UI — you receive a client ID and client secret
Exchange credentials for a token — your system calls POST /token with the client ID and secret to receive a short-lived access token
Call data endpoints — include the token in the Authorization header on every request

Your System                          Reservie M2M API
    │                                       │
    │  POST /token                          │
    │  { client_id, client_secret }  ──────▶│
    │                                       │
    │◀────── { access_token }               │
    │                                       │
    │  GET /customers                       │
    │  Authorization: Bearer <token> ──────▶│
    │                                       │
    │◀────── { data: [...] }                │

Creating an API client

In the Reservie admin portal, go to Settings > API Clients
Click Add Client
Fill in the required fields:

Field	Required	Description
Name	Yes	A human-readable label, e.g. “Acme CRM Integration”
Description	No	Optional notes about what this client is for
Scopes	Yes	Which data endpoints this client can access (see Scopes, Rate Limits & Errors)
Expires after (days)	No	Number of days until the client expires. Leave empty for no expiry.

On creation you receive two credentials:

Client ID — a unique identifier starting with m2m_. This is always visible in the admin UI.
Client Secret — a 64-character hex string. This is shown once only. Copy it immediately and store it securely. If lost, you must rotate the secret to get a new one.

Getting a token

The API base URL is shown in the admin UI when you create or view a client. Use it to request a token:

curl -X POST {base_url}/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "m2m_a1b2c3d4e5f6...",
    "client_secret": "your-client-secret"
  }'

Response:

{
  "access_token": "your-access-token",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "customers:read profile:read bookings:read"
}

The token is valid for 1 hour (3,600 seconds). After it expires, request a new one with the same credentials — there is no refresh token mechanism.

Making your first API call

With your token, you can call any endpoint your scopes allow. For example, to list all customers:

curl {base_url}/customers \
  -H "Authorization: Bearer your-access-token"

Response:

{
  "data": [
    {
      "id": "cust_123",
      "type": "customer",
      "firstname": "Jane",
      "lastname": "Smith",
      "email": "jane@example.com",
      "mobile": "07700900123",
      "archive": 0
    }
  ]
}

If your token lacks the required scope, you’ll receive a 403 Forbidden response with a message identifying the missing scope.

URL conventions

The API uses plural paths for listing collections and singular paths for accessing a specific resource:

GET /customers — list all customers
GET /customer/{id}/bookings — list bookings for a specific customer

All IDs are prefixed strings that indicate the resource type (e.g. cust_123, txn_456, evt_42).

What’s next?

Authentication & Client Management — token expiry, secret rotation, client lifecycle
Customers — list customers, profiles, and all customer data endpoints
Scopes, Rate Limits, Caching & Errors — scopes reference, rate limits, caching, error codes, and audit logging