Skip to main content

Base URL

Your base URL is provisioned during partner onboarding and is specific to your environment. 
https://{base_url}
Replace {base_url} with the URL provided by your NowBookIt partner manager. All endpoint paths in this documentation are relative to this base URL.

Authentication methods

NowBookIt IPOS supports two authentication methods depending on the integration pattern you are using.
All standard REST API endpoints authenticate using an X-API-KEY header.
curl https://{base_url}/Bookings \
  -H "X-API-KEY: your_api_key" \
  -H "Content-Type: application/json"
How to obtain your API key:Contact your NowBookIt partner manager at partners@nowbookit.com. API keys are issued per partner per environment and are scoped to the venues linked to your app.
Keep your API key secure. Do not expose it in client-side code, public repositories, or logs. If a key is compromised, contact partners@nowbookit.com immediately for rotation.

Rate limiting

The API enforces rate limits per endpoint. When you exceed the limit, you will receive a 429 Too Many Requests response. Response body (429): 
{
  "message": "You may only perform this action 10 times every 1000 milliseconds"
}
The message indicates the exact limit and window for that endpoint. Implement exponential backoff when you receive a 429: 
async function fetchWithRetry(url, options, maxRetries = 3) {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const response = await fetch(url, options);
    if (response.status !== 429) return response;

    const delay = Math.pow(2, attempt) * 500; // 500ms, 1s, 2s
    await new Promise((r) => setTimeout(r, delay));
  }
  throw new Error("Rate limit exceeded after retries");
}

Error responses

All endpoints use standard HTTP status codes. Error responses follow a consistent JSON structure.

Status codes

CodeMeaningCommon causes
200OKRequest succeeded
201CreatedResource created successfully
400Bad RequestMissing required fields, invalid date format, venue not linked to your app
401UnauthorizedMissing or invalid X-API-KEY
404Not FoundResource with the given ID does not exist
409ConflictDuplicate ID within the deduplication window (e.g., sale already submitted)
429Too Many RequestsRate limit exceeded
500Internal Server ErrorUnexpected server error

400 Bad Request — common messages

{ "message": "No Venue Subscribed to your App." }
Your API key is valid, but the venue you are trying to access has not been linked to your partner app. Contact your NowBookIt partner manager to confirm the location mapping.
{ "message": "loggedInAppId is required" }
The API key provided does not resolve to a known partner app. Verify you are sending the correct key in the X-API-KEY header.
{ "message": "numOfPeople is required" }
A required request field is missing or null. Check the endpoint documentation for required fields.
When filtering bookings by date, you must provide either StartDate + EndDate or UpdatedFromDate + UpdatedToDate. Mixing date types or omitting both will return no results without an error — check the GET /Bookings docs for details.

401 Unauthorized

{
  "message": "Unauthorized"
}
Returned when the X-API-KEY header is missing or the key is invalid. Ensure the header is present on every request.

Content type

For all POST, PUT, and PATCH requests, include the Content-Type header: 
Content-Type: application/json

Environments

NowBookIt IPOS operates in separate environments. Your partner manager will confirm which base URL to use for development vs. production.
EnvironmentNotes
DevelopmentSafe for testing — use the .dev. subdomain URL provided during onboarding
ProductionLive venue data — use with care
The Swagger specification for the development environment is available at: https://ipos.dev.nowbookit.com/swagger/v1/swagger.json