Skip to main content

Public vs internal API surface

Use this page to stay honest about what third-party integrations may call.

Public (integration-friendly)

Contract source of truth in code:
  • Routes: app/api/public/v1/**
  • Zod + OpenAPI: lib/openapi/public-v1-schemas.ts, lib/openapi/public-v1-registry.ts

Internal (not for third-party docs)

Do not build partner integrations on these without an explicit product contract:

Not shipped as public v1 (yet)

These product areas exist in the dashboard but have no public API key endpoints in v1:
  • Services / service categories
  • Staff / team
  • Availability
  • Gift cards
  • Webhooks outbound configuration via public API
  • Create / update / delete of any resource via public API
If you need a resource that is not listed, contact product — do not invent paths.

Data isolation

  • Every public request is scoped by the organization on the API key.
  • Soft-deleted / inactive rows are excluded (isActive: true filters on customers and appointments).
  • PHI and sensitive fields: treat customer PII and notes as confidential; do not log full payloads in multi-tenant systems.