For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.
 You are using an out of date browser, we suggest you upgrade. You may continue if you wish, but aspects of the site may not function correctly.

Working with the role-based permissions system.

The BookingBug API has three levels of role-based permissions available. These role-based permissions allow you to access different levels of the booking journey depending on your needs.

These user roles share multiple methods such as create booking and view services


The admin API enables you to create or amend people, resources or clients, and view bookings.

To authenticate, you will require an auth token. This can be obtained by a POST request with an administrator's email and password to the login endpoint.

curl -X POST -H "App-Key: <app-key>" -H "App-Id: <app-id>" -H "Cache-Control: no-cache" -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" -F "email=<admin-email>" -F "password=<admin-password>" "https://<host>"
var request = require("request");

var options = { method: 'POST',
  url: 'https://<host>',
   { 'cache-control': 'no-cache',
     'app-id': '<app-key>',
     'app-key': '<app-id>',
     'content-type': 'multipart/form-data; boundary=---011000010111000001101001' },
  formData: { email: '<admin-email>', password: '<admin-password>' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

require 'uri'
require 'net/http'

url = URI("https://<host>")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["content-type"] = 'multipart/form-data; boundary=---011000010111000001101001'
request["app-key"] = '<app-key>'
request["app-id"] = '<app-id>'
request["cache-control"] = 'no-cache'
request.body = "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n<admin-email>\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n<admin-password>\r\n-----011000010111000001101001--"

response = http.request(request)
puts response.read_body

$request = new HttpRequest();

  'cache-control' => 'no-cache',
  'app-id' => '<app-id>',
  'app-key' => '<app-key>',
  'content-type' => 'multipart/form-data; boundary=---011000010111000001101001'

Content-Disposition: form-data; name="email"

Content-Disposition: form-data; name="password"


try {
  $response = $request->send();

  echo $response->getBody();
} catch (HttpException $ex) {
  echo $ex;
package main

import (

func main() {

  url := "https://<host>"

  payload := strings.NewReader("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n<admin-email>\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n<admin-password>\r\n-----011000010111000001101001--")

  req, _ := http.NewRequest("POST", url, payload)

  req.Header.Add("content-type", "multipart/form-data; boundary=---011000010111000001101001")
  req.Header.Add("app-key", "<app-key>")
  req.Header.Add("app-id", "<app-id>")
  req.Header.Add("cache-control", "no-cache")

  res, _ := http.DefaultClient.Do(req)

  defer res.Body.Close()
  body, _ := ioutil.ReadAll(res.Body)


import Foundation

let headers = [
  "content-type": "multipart/form-data; boundary=---011000010111000001101001",
  "app-key": "<app-key>",
  "app-id": "<app-id>",
  "cache-control": "no-cache"
let parameters = [
    "name": "email",
    "value": "<admin-email>"
    "name": "password",
    "value": "<admin-password>"

let boundary = "---011000010111000001101001"

var body = ""
var error: NSError? = nil
for param in parameters {
  let paramName = param["name"]!
  body += "--\(boundary)\r\n"
  body += "Content-Disposition:form-data; name=\"\(paramName)\""
  if let filename = param["fileName"] {
    let contentType = param["content-type"]!
    let fileContent = String(contentsOfFile: filename, encoding: NSUTF8StringEncoding, error: &error)
    if (error != nil) {
    body += "; filename=\"\(filename)\"\r\n"
    body += "Content-Type: \(contentType)\r\n\r\n"
    body += fileContent!
  } else if let paramValue = param["value"] {
    body += "\r\n\r\n\(paramValue)"

var request = NSMutableURLRequest(URL: NSURL(string: "https://<host>")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "POST"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse

HttpResponse<String> response ="https://<host>")
  .header("content-type", "multipart/form-data; boundary=---011000010111000001101001")
  .header("app-key", "<app-key>")
  .header("app-id", "<app-id>")
  .header("cache-control", "no-cache")
  .body("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n<admin-email>\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n<admin-password>\r\n-----011000010111000001101001--")
  "email": "<admin-email>",
  "auth_token": "<auth-token>",
  "company_id": <company-id>,
  "path": "https://<host>",
  "_embedded": {
    "members": [],
    "administrators": [
        "name": "<name>",
        "email": "<admin-email>",
        "role": "owner",
        "company_id": <company-id>,
        "company_name": "<company-name>",
        "_links": {
          "self": {
            "href": "https://<host><company-id>/administrators/<user-id>"
          "edit": {
            "href": "https://<host><company-id>/administrators/<user-id>/edit"
          "company": {
            "href": "https://<host><company-id>/company"
          "login": {
            "href": "https://<host><company-id>"
          "base_login": {
            "href": "https://<host>"
  "_links": {
    "self": {
      "href": "https://<host><company-id>"
    "administrator": {
      "href": "https://<host><company-id>/administrators/<user-id>",
      "templated": true

Run in Postman


The public API allows anyone to make a booking without authentication. If you do not require users to create an account before making a booking then you can use the public API to make the necessary calls without the need for authentication


The member API enables you to log in as a member, make bookings and amend or cancel their previously made bookings.

To authenticate, you will require an auth token. This can be obtained by a POST request with the member's email and password to the login endpoint.

curl "" -H App-Id:{app_id} -H
App-Key:{app_key} -X POST -d ""

The response will include the auth token and a link to the member which can be used as follows:

curl "{id}" -H App-Id:{app_id} -H
App-Key:{app_key} -H Auth-Token:{auth_token}

If your login is associated with a single company and the credentials provided are correct the returned status code will be 201 and the auth token will be included in the body of the response.

If your login is associated with multiple companies and you have not specified which company you want to log in as the returned status code will 400 and the auth token will not be present in the response. Instead there will be a list of administrators in the response each with a login link that can be used to create an auth token for that particular administrator.