Authentication

How to authenticate requests to the Slatis API using secret and public API keys.

API key types

Create API keys from Settings → API Keys.

Type	Prefix	Use case
Secret key	`sk_live_` / `sk_test_`	Server-to-server integrations. Full scope access.
Public key	`pk_live_` / `pk_test_`	Client-side (browser, mobile). Read-only + booking creation.

Never expose a secret key (sk_*) in client-side code, frontend bundles, or public repositories. Public keys (pk_*) are designed to be safely embedded in browser applications.

Using a secret key

curl https://api.slatis.com/v1/bookings \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxx"

The Slatis-Api-Key header is also accepted (preferred over the legacy X-API-Key):

curl https://api.slatis.com/v1/bookings \
  -H "Slatis-Api-Key: sk_live_xxxxxxxxxxxxxxxxxxxx"

The legacy X-API-Key header continues to work for backward compatibility.

Using a public key

Public keys are accepted on endpoints marked Public key in the scope table. They are safe to embed in JavaScript:

const slatis = new Slatis({ apiKey: 'pk_live_xxxxxxxxxxxxxxxxxxxx' })

Live public keys (pk_live_*) require at least one allowed origin to be configured in the dashboard — the API checks the Origin header against this list. Test keys (pk_test_*) are permissive for local development.

Scopes

When creating a key you select which scopes it can access. Restricting scopes limits the blast radius if a key is compromised.

Scope	Description	Public key
`bookings:create`	Create new bookings	✓
`bookings:read-own`	Read bookings created with this key	✓
`bookings:read`	Read any booking in the organization	—
`bookings:update`	Update booking attendee details	—
`bookings:cancel`	Cancel bookings	—
`bookings:reschedule`	Reschedule bookings to a new time	—
`bookings:transition`	Confirm, complete, or mark no-show	—
`availability:read`	Check availability and free/busy	✓
`event-types:read`	Read event types and their custom fields	✓
`event-types:write`	Create, update, and soft-delete event types	—
`team:read`	Read team members and capacity	✓
`calendars:read`	Read calendar integration metadata (no tokens)	—
`webhooks:read`	Read webhooks, delivery history, and stats	—
`webhooks:manage`	Create, update, and delete webhooks	—
`analytics:read`	Read analytics and reporting data	—
`*`	Full access — all scopes (secret keys only)	—

Scope groups

bookings:write is a convenience scope that grants all booking write operations at once. Assigning it to a key is equivalent to assigning bookings:create, bookings:update, bookings:cancel, bookings:reschedule, and bookings:transition individually.

bookings:write  →  bookings:create
                   bookings:update
                   bookings:cancel
                   bookings:reschedule
                   bookings:transition

Use individual scopes when you want fine-grained control. Use bookings:write for integrations that need the full booking lifecycle.

Rate limits

Environment	Limit
Live (`_live_`)	1,000 requests / minute
Test (`_test_`)	100 requests / minute

Every authenticated response includes:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 987
X-RateLimit-Reset: 1746100860

When the limit is exceeded (429), the response also includes Retry-After (seconds until the window resets).

Errors

All error responses include a type field that classifies the error category:

{
  "success": false,
  "error": {
    "type": "authentication_error",
    "code": "unauthorized",
    "message": "Missing or invalid API key"
  }
}

Status	Code	Type	Meaning
401	`unauthorized`	`authentication_error`	Missing or invalid API key
403	`forbidden`	`permission_error`	Key lacks the required scope, or request origin not allowed
429	`rate_limit_exceeded`	`rate_limit_error`	Rate limit exceeded — check `Retry-After` header