API Keys

API keys are the simplest way to authenticate with the Otesse API. They are suitable for server-to-server integrations where your application makes requests on its own behalf.

Creating an API Key

  1. Navigate to Settings > Integrations > API Keys in the admin dashboard
  2. Click Generate New Key
  3. Provide a descriptive label (e.g., "Production Backend", "Staging Server", "Zapier Integration")
  4. Select the permissions scope (see below)
  5. Click Create

The API key is displayed once. Copy it immediately and store it securely. You will not be able to see the full key again.

Key Format

API keys follow this format:

otesse_live_sk_a1b2c3d4e5f6g7h8i9j0...
otesse_test_sk_a1b2c3d4e5f6g7h8i9j0...

  • otesse_live_ — Production environment keys
  • otesse_test_ — Sandbox/testing environment keys
  • sk_ — Secret key (server-side only, never expose to frontend)

Using API Keys

Include the API key in the Authorization header of every request:

curl -X GET https://api.otesse.com/v1/bookings \
  -H "Authorization: Bearer otesse_live_sk_a1b2c3d4e5f6..."

Or using the X-API-Key header:

curl -X GET https://api.otesse.com/v1/bookings \
  -H "X-API-Key: otesse_live_sk_a1b2c3d4e5f6..."

Permission Scopes

When creating a key, select which resources it can access:

Scope              Access
bookings:read      Read bookings
bookings:write     Create and update bookings
customers:read     Read customer data
customers:write    Create and update customers
invoices:read      Read invoices
invoices:write     Create invoices
services:read      Read service configurations
webhooks:manage    Create and manage webhooks

Select only the scopes your integration needs. This follows the principle of least privilege.

Key Management

Rotating Keys

We recommend rotating API keys every 90 days:

  1. Generate a new key
  2. Update your integration to use the new key
  3. Verify the integration works with the new key
  4. Revoke the old key

Revoking Keys

If a key is compromised:

  1. Go to Settings > Integrations > API Keys
  2. Find the key and click Revoke
  3. The key stops working immediately
  4. Generate a new key and update your integration

Security Best Practices

  • Never commit API keys to version control — Use environment variables
  • Never expose keys in client-side code — API keys are server-side only
  • Use separate keys per environment — Different keys for development, staging, production
  • Monitor usage — Check the API key activity log for unusual patterns
  • Restrict by IP — Optionally limit keys to specific IP addresses
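
The first three practices above can be enforced in code. The following is an added example, not Otesse's own code: it finds hard-coded keys in a file's text, loads the key from an environment variable, and rejects a key from the wrong environment. The variable name OTESSE_API_KEY and the key-body pattern (16 or more alphanumeric characters) are assumptions, since the page truncates its sample keys.

```python
import os
import re

# Assumption: the part after "sk_" is 16+ alphanumeric characters; the page
# truncates its sample keys, so adjust the pattern to the real key length.
KEY_RE = re.compile(r"\botesse_(live|test)_sk_[A-Za-z0-9]{16,}\b")

def redact(key):
    """Keep the environment prefix and the last 4 characters for logs."""
    prefix = key[: key.index("_sk_") + 4]
    return f"{prefix}...{key[-4:]}"

def find_keys(text):
    """Return (line_number, environment, redacted_key) for each key in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((number, match.group(1), redact(match.group(0))))
    return hits

def load_key(expected_env, environ=os.environ, var="OTESSE_API_KEY"):
    """Read the key from the environment; refuse a wrong-environment key."""
    key = environ.get(var, "").strip()
    match = KEY_RE.fullmatch(key)
    if match is None:
        raise ValueError(f"{var} is missing or not an Otesse secret key")
    if match.group(1) != expected_env:
        raise ValueError(
            f"{var} holds a {match.group(1)} key, expected {expected_env}: {redact(key)}"
        )
    return key

def auth_headers(key):
    """Authorization header in the form the curl example uses."""
    return {"Authorization": f"Bearer {key}"}

# Constructed sample input: a config file with a hard-coded key (not a real key).
SAMPLE_KEY = "otesse_test_sk_" + "a1b2c3d4e5f6g7h8i9j0"
SAMPLE_FILE = f'DEBUG = True\nAPI_KEY = "{SAMPLE_KEY}"\nTIMEOUT = 30\n'

if __name__ == "__main__":
    for number, env, shown in find_keys(SAMPLE_FILE):
        print(f"line {number}: hard-coded {env} key {shown}")
    key = load_key("test", {"OTESSE_API_KEY": SAMPLE_KEY})
    print(auth_headers(key)["Authorization"].replace(key, redact(key)))
```

find_keys can run over staged file contents in a pre-commit hook, and load_key at service start-up so a staging deployment fails fast if it is handed a live key.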