Boseat uses OAuth2 with bearer tokens. All requests must include an Authorization: Bearer <token> header. Find your client credentials and token URL in the Boseat dashboard under API credentials.

OAuth2 flow

  1. Obtain client credentials from your Boseat workspace admin.
  2. Exchange credentials for an access token using the token endpoint provided during onboarding.
  3. Include the token in every request.

Scopes

  • booking:read — read availability, bookings, and related resources
  • booking:write — create or update bookings
  • org_read — read organization configuration
  • org_write — update organization configuration
Request only the scopes you need. Some endpoints require both booking and organization scopes when actions span resources.

Example: token request (Client Credentials)

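# --data-urlencode encodes each value, so a secret containing &, + or % and the space in the scope list are sent intact.
curl -X POST "$TOKEN_URL" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode "scope=booking:read booking:write"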
Example token response:
{
  "access_token": "<jwt>",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "booking:read booking:write"
}

Send authenticated requests

curl -H "Authorization: Bearer $ACCESS_TOKEN" \
  https://api.boseat.com/v1/venues

Token lifetime and refresh

  • Access tokens are short-lived. Refresh before expiry using the same client credentials flow.
  • Rotate client secrets regularly and revoke compromised credentials immediately.
  • Record token expiry and scope in your app to avoid failing requests.
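
The bullets above, as an added example (not Boseat's own code): a small Python cache that records the token's expiry and granted scope and repeats the client credentials request shortly before expiry. `TokenCache`, `fetch_token` and the 60-second margin are assumptions; the environment variable names follow the curl example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

REFRESH_MARGIN = 60  # assumption: refresh this many seconds before expiry


def fetch_token(scopes):
    """POST the client credentials request; env var names follow the curl example."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": os.environ["CLIENT_ID"],
        "client_secret": os.environ["CLIENT_SECRET"],
        "scope": " ".join(sorted(scopes)),
    }).encode()
    req = urllib.request.Request(os.environ["TOKEN_URL"], data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: caches one token with its expiry and granted scopes."""

    def __init__(self, scopes, fetch=fetch_token, clock=time.monotonic):
        self.scopes = set(scopes)
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at, self.granted = None, 0.0, set()

    def get(self):
        """Return a valid access token, requesting a new one when close to expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            resp = self._fetch(self.scopes)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            # An omitted "scope" means the grant equals the request (RFC 6749, 5.1).
            granted = set(resp["scope"].split()) if "scope" in resp else set(self.scopes)
            missing = self.scopes - granted
            if missing:  # fail here rather than on a later API call
                raise PermissionError("scopes not granted: " + ", ".join(sorted(missing)))
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
            self.granted = granted
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}
```

Pass `cache.auth_header()` as the request headers on each API call; the client secret is read from the environment only at refresh time and is never stored on the cache object.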