Public API v1

Booklix API documentation

Read services, categories, prices, promotions, staff, variants, and add-ons. Subscribe to signed webhooks so external websites can update when Booklix catalog data changes.

Base URL

https://api.booklix.ch/v1

Onsen slug

onsen-head-spa-beauty

Rate limit

60/min, 1000/hour

Read services
curl -X GET "https://api.booklix.ch/v1/businesses/onsen-head-spa-beauty/services?includeVariants=true&includeAddons=true" \
  -H "Authorization: Bearer sk_bx_live_12345678.full-secret-value"

Quick start

Use a secret or restricted API key

Partner endpoints require Bearer authentication. The API key is bound to one Booklix business, and the business slug in the URL must match that key.

Create an API key

Generate a secret or restricted key with services.read for catalog reads and webhooks.write for webhook setup.

Fetch catalog data

Use the services endpoint with includeVariants and includeAddons to build a full website catalog.

Subscribe to webhooks

Use catalog.changed for full sync or granular events for targeted cache invalidation.

Endpoints

Catalog and integration surface

Amounts are integer cents, times use the business timezone, and JSON is returned for every endpoint except binary downloads.

| Method | Endpoint | Access | Description |
| --- | --- | --- | --- |
| GET | /businesses/{businessSlug}/services | services.read | Services, prices, variants, and add-ons. |
| GET | /businesses/{businessSlug}/service-categories | services.read | Active service categories and sort order. |
| GET | /businesses/{businessSlug}/staff | services.read | Public staff profiles and assigned services. |
| GET | /businesses/{businessSlug}/promotions | services.read | Active promotions, pricing benefits, and schedules. |
| GET | /businesses/{businessSlug}/availability | public | Public booking availability for selected services. |
| POST | /businesses/{businessSlug}/webhooks | webhooks.write | Create a signed webhook endpoint. |

Webhooks

Signed events for website sync

Booklix sends POST requests with an HMAC signature. Use catalog.changed for Onsen website sync, then refetch the relevant public API endpoint if the website needs a full refresh.

Delivery headers

X-Booklix-Event
X-Booklix-Delivery
X-Booklix-Signature

Signature method

Verify `X-Booklix-Signature` by computing HMAC-SHA256 over the timestamp and the raw request body, joined with a period as in `signed_payload` below.

X-Booklix-Signature: t=1778407500,v1=8f5a...

signed_payload = "{unixTimestamp}.{rawRequestBody}"
signature = HMAC_SHA256(signingSecret, signed_payload)

Create webhook endpoint

curl -X POST "https://api.booklix.ch/v1/businesses/onsen-head-spa-beauty/webhooks" \
  -H "Authorization: Bearer sk_bx_live_12345678.full-secret-value" \
  -H "Content-Type: application/json" \
  -d '{"name":"Onsen website sync","url":"https://onsen-headspa.ch/booklix/webhooks","events":["catalog.changed","booking.created"]}'

Supported events

catalog.changed
service.created
service.updated
service.deleted
service.reordered
service_price.updated
service_variant.changed
service_category.created
service_category.updated
service_category.deleted
service_category.reordered
promotion.created
promotion.updated
promotion.deleted
staff.created
staff.updated
staff.deleted
staff.reordered
addon.created
addon.updated
addon.deleted
booking.created
reservation.created

Catalog event payload
{
  "id": "evt_456",
  "type": "service.updated",
  "createdAt": "2026-05-10T10:05:00.000Z",
  "business": {
    "id": "biz_123",
    "slug": "onsen-head-spa-beauty",
    "name": "Onsen Head Spa & Beauty",
    "timezone": "Europe/Zurich"
  },
  "data": {
    "resource": {
      "type": "service",
      "id": "srv_123",
      "ids": ["srv_123"]
    },
    "action": "updated",
    "changed": {
      "price": true,
      "variants": true,
      "addons": false
    },
    "object": {
      "id": "srv_123",
      "name": "Japanese Head Spa",
      "durationMin": 60,
      "priceCents": 12000,
      "currency": "CHF",
      "status": "ACTIVE",
      "variants": [],
      "addonLinks": []
    }
  }
}

Security

Production integration checklist

Use a server-side secret key, verify every webhook signature, and rotate credentials from the Booklix developer settings when needed.

Keep secret keys on the server only.
Verify timestamp and HMAC before processing webhooks.
Treat webhook delivery as at-least-once and deduplicate by event id.
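
A receiver-side check that combines the signature method and the checklist above (timestamp, HMAC, deduplication by event id). This is an added example, not Booklix code. Assumptions: `v1` is the lowercase hex digest, a 300-second tolerance window, an in-memory set for seen event ids, and all function names.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumption: the page does not specify a replay window

def compute_signature(signing_secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # signed_payload = "{unixTimestamp}.{rawRequestBody}", built from the raw bytes
    signed_payload = timestamp.encode() + b"." + raw_body
    # Assumption: v1 carries the lowercase hex digest (the page shows "v1=8f5a...")
    return hmac.new(signing_secret, signed_payload, hashlib.sha256).hexdigest()

def parse_signature_header(header: str):
    """Split 't=<unix>,v1=<sig>' into (timestamp string or None, list of v1 values)."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = value
        elif key == "v1" and value:
            signatures.append(value)
    return timestamp, signatures

def verify_webhook(raw_body, header, signing_secret, seen_ids, now=None):
    """Return the parsed event, or None when the delivery must not be processed."""
    now = time.time() if now is None else now
    timestamp, signatures = parse_signature_header(header or "")
    if timestamp is None or not signatures:
        return None
    # Reject stale or far-future timestamps so an old delivery is not accepted again.
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return None
    expected = compute_signature(signing_secret, timestamp, raw_body).encode()
    # Constant-time comparison; bytes operands avoid a TypeError on non-ASCII input.
    if not any(hmac.compare_digest(expected, s.encode()) for s in signatures):
        return None
    event = json.loads(raw_body)  # parse only after the signature checks out
    if event["id"] in seen_ids:  # at-least-once delivery: drop repeats by event id
        return None
    seen_ids.add(event["id"])
    return event

if __name__ == "__main__":
    secret = b"constructed-signing-secret"  # constructed sample values, not real ones
    body = b'{"id":"evt_456","type":"service.updated"}'
    header = "t=1778407500,v1=" + compute_signature(secret, "1778407500", body)
    seen = set()
    print(verify_webhook(body, header, secret, seen, now=1778407510))
```

Pass the body bytes exactly as received; re-serializing parsed JSON before verification changes the bytes and breaks the HMAC. In production, keep seen event ids in shared storage with an expiry rather than a per-process set.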