For the complete documentation index, see llms.txt.

Authentication

All Vennio API requests require authentication using a Bearer token in the Authorization header.

API keys

Vennio API keys are the recommended authentication method for server-side integrations and AI agents. Keys start with vennio_sk_live_ (secret) or vennio_pk_live_ (publishable).

Keep secret keys private

Secret keys (vennio_sk_live_*) should never be exposed in client-side code, browser JavaScript, or mobile apps. Use publishable keys for client-side access.

Key types

Key type	Prefix	Use case	Scopes
Secret key	`vennio_sk_live_`	Server-side, AI agents	Full access
Publishable key	`vennio_pk_live_`	Client-side / browser	`read:availability`, `create:booking`

Creating a key

First API key? Use the dashboard

Create your first API key at vennio.app/api-keys. No API call required. Once you have a secret key, you can create additional keys programmatically using POST /v1/api-keys — pass your existing secret key as the Bearer token.

curl -X POST https://api.vennio.app/v1/api-keys \
  -H "Authorization: Bearer vennio_sk_live_YOUR_EXISTING_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production key",
    "description": "For my scheduling integration",
    "rate_limit_per_hour": 1000
  }'

{
  "id": "key_abc123",
  "name": "Production key",
  "key": "vennio_sk_live_xxxxxxxxxxxxxxxxxxxx",
  "key_preview": "vennio_sk_live_xxxx...xxxx",
  "created_at": "2026-01-20T10:00:00Z"
}

Save your key immediately

The full key value is only shown once at creation. Store it securely — you won't be able to retrieve it again.

Using your key

Pass your API key as a Bearer token in every request:

curl https://api.vennio.app/v1/availability/slots \
  -H "Authorization: Bearer vennio_sk_live_YOUR_KEY_HERE" \
  -G \
  -d business_id=YOUR_BUSINESS_ID \
  -d duration_minutes=30

Scopes

Secret keys include all scopes. Publishable keys are limited to:

read:availability — Query available time slots
create:booking — Create bookings

Attempting to use a publishable key for a restricted endpoint returns:

{
  "error": "forbidden",
  "message": "This API key doesn't have permission for this action",
  "key_type": "publishable",
  "available_scopes": ["read:availability", "create:booking"]
}

Security best practices

Store API keys in environment variables, never in source code
Rotate keys immediately if compromised — DELETE /v1/api-keys/{id}
Use separate keys per environment (dev, staging, production)
Prefer publishable keys for any client-facing code
Monitor usage via GET /v1/api-keys/{id}/stats