Skip to content

Getting your API keys

Your website or booking widget needs one or two keys to talk to your booking system. You don’t generate these yourself yet — ask us, and we issue them for you.

  • A secret key. Goes only on your website’s own server — hand it to your developer or agency, never anywhere public. It can do everything we’ve allowed for your account: read guest details, create and cancel bookings, change your rates.
  • A publishable key. Safe to be visible on your website — it’s what our booking widget uses. It can only check availability, get a price, and start a hold. It can’t read a guest’s name or email, and it can’t take payment or move money, even if someone finds it by viewing your page’s source code.

If you’re not sure which one your developer is asking for, see Secret keys vs. publishable keys.

  • Which kind: secret, publishable, or both (most integrations need both — one for your server, one for the widget).
  • If it’s a publishable key: which website domain(s) it will run on. We lock a publishable key to specific domains, so it only works where you told us it should.
  • Whether you’re testing or going live. Test keys work the exact same way as live keys, against a practice version of your account — build and test with those first.

We show you the key’s full value exactly once, at the moment we create it. After that, we can’t show it to you again — only you (or your developer) can see it, and only if you saved it. Save it somewhere safe right away: a password manager, not a chat message or a note you might lose. If you lose it, we can’t recover it — the only option is a new key (see Rotating a leaked key).

Test keys let you and your developer try the whole booking flow safely, without touching real guest bookings or real money. Once everything works, ask us for the live pair — nothing about how your website talks to the API changes, only the key itself.