For the complete documentation index, see llms.txt.

Authentication

All Vennio API requests require authentication using a Bearer token in the Authorization header.

API keys

Vennio API keys are the recommended authentication method for server-side integrations and AI agents. Keys start with vennio_sk_live_ (secret) or vennio_pk_live_ (publishable).

Keep secret keys private

Secret keys (vennio_sk_live_*) should never be exposed in client-side code, browser JavaScript, or mobile apps. Use publishable keys for client-side access.

Key types

Key type	Prefix	Use case	Scopes
Secret key	`vennio_sk_live_`	Server-side, AI agents	Full access
Publishable key	`vennio_pk_live_`	Client-side / browser	`read:availability`, `create:booking`

Creating a key

First API key? Use the dashboard

Create your first API key at vennio.app/api-keys. No API call required. Once you have a secret key, you can create additional keys programmatically using POST /v1/api-keys — pass your existing secret key as the Bearer token.

curl -X POST https://api.vennio.app/v1/api-keys \
  -H "Authorization: Bearer vennio_sk_live_YOUR_EXISTING_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production key",
    "description": "For my scheduling integration",
    "rate_limit_per_hour": 1000
  }'

{
  "api_key": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "name": "Production key",
    "key": "vennio_sk_live_xxxxxxxxxxxxxxxxxxxx",
    "scopes": ["read", "write"],
    "rate_limit_per_hour": 1000,
    "created_at": "2026-01-20T10:00:00Z"
  }
}

Save your key immediately

The full key value is only shown once at creation. Store it securely — you won't be able to retrieve it again.

Using your key

Pass your API key as a Bearer token in every request:

curl https://api.vennio.app/v1/availability/slots \
  -H "Authorization: Bearer vennio_sk_live_YOUR_KEY_HERE" \
  -G \
  -d business_id=YOUR_BUSINESS_ID \
  -d duration_minutes=30 \
  -d from=2026-05-01T09:00:00Z \
  -d to=2026-05-01T17:00:00Z

Scopes

Secret keys include all scopes. Publishable keys are limited to:

read:availability — Query available time slots
create:booking — Create bookings

Attempting to use a publishable key for a restricted endpoint returns:

{
  "error": "forbidden",
  "message": "This API key doesn't have permission for this action",
  "key_type": "publishable",
  "available_scopes": ["read:availability", "create:booking"]
}

Security best practices

Store API keys in environment variables, never in source code
Rotate keys immediately if compromised — DELETE /v1/api-keys/{id}
Use separate keys per environment (dev, staging, production)
Prefer publishable keys for any client-facing code
Monitor usage via GET /v1/api-keys/{id}/stats