REST API Reference

The BnBFlows REST API v1 lets you build custom integrations, mobile apps and channel manager connections. All endpoints return JSON.

Base URL: https://yourdomain.com/api/v1  ·  Authentication via Bearer token (Laravel Sanctum).

Authentication

Login

POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "admin@example.com",
  "password": "your-password"
}

Response 200:

{
  "user": { "id": "uuid", "name": "Demo Admin", "email": "admin@example.com" },
  "token": "3|41ozZNaQ7mx...",
  "token_type": "Bearer"
}

Store the token and send it as a header on all subsequent requests:

Authorization: Bearer 3|41ozZNaQ7mx...
Accept: application/json

Get current user

GET /api/v1/auth/me

Logout

POST /api/v1/auth/logout

Properties

List properties

GET /api/v1/properties?page=1&per_page=15

Get a property

GET /api/v1/properties/{id}

Check availability

GET /api/v1/properties/{id}/availability?check_in=2026-07-01&check_out=2026-07-05&guests=2

Bookings

List bookings

GET /api/v1/bookings?status=confirmed&page=1

Filter parameters: status, property_id, check_in_from, check_in_to, guest_id

Create a booking

POST /api/v1/bookings
Content-Type: application/json

{
  "property_id": "uuid",
  "room_type_id": "uuid",
  "guest_id": "uuid",
  "check_in": "2026-07-01",
  "check_out": "2026-07-05",
  "adults": 2,
  "children": 0,
  "notes": "Late check-in requested"
}

Update a booking

PATCH /api/v1/bookings/{id}
Content-Type: application/json

{
  "status": "confirmed",
  "notes": "Updated note"
}

Cancel a booking

DELETE /api/v1/bookings/{id}

Guests

List guests

GET /api/v1/guests?search=jane&page=1

Create a guest

POST /api/v1/guests
{
  "first_name": "Jane",
  "last_name": "Doe",
  "email": "jane@example.com",
  "phone": "+254700000000",
  "nationality": "KE"
}

Get / Update / Delete guest

GET    /api/v1/guests/{id}
PUT    /api/v1/guests/{id}
DELETE /api/v1/guests/{id}

Error responses

All errors return a JSON body. The body depends on the status code:

401
{ "message": "Unauthenticated." }

403
{ "message": "This action is unauthorized." }

404
{ "message": "Route not found." }

422 (validation)
{ "errors": { "email": ["..."] } }

Rate limiting

API endpoints are rate-limited to 60 requests per minute per token. The response headers include X-RateLimit-Limit and X-RateLimit-Remaining. A 429 Too Many Requests response is returned when the limit is exceeded.

API tokens can be created in Settings → API Tokens. Each token can be given a name and scoped to specific actions (read-only vs. full access).
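A client wrapper for the error bodies and rate-limit headers described above, as an added example (not BnBFlows' own code): it sends the Bearer token, waits out 429 responses, and raises an exception whose message carries the API's error detail but never the token. The names ApiError, http_send, call and WINDOW_SECONDS are hypothetical, and the 60-second wait assumes the per-minute budget resets within one minute, which this page does not state.

```python
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://yourdomain.com/api/v1"  # placeholder base URL from this page
WINDOW_SECONDS = 60  # assumption: the 60 requests/minute budget resets within 60 s


class ApiError(Exception):
    """Non-2xx response. Carries status and parsed body, never the token."""

    def __init__(self, status, body):
        detail = body.get("message") or body.get("errors") or "no detail"
        super().__init__(f"HTTP {status}: {detail}")
        self.status, self.body = status, body


def http_send(method, path, token, payload=None):
    """Real transport: returns (status, lower-cased headers, parsed JSON body)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw, hdrs = resp.status, resp.read(), resp.headers
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
        status, raw, hdrs = err.code, err.read(), err.headers
    return status, {k.lower(): v for k, v in hdrs.items()}, json.loads(raw or b"{}")


def call(method, path, token, payload=None, send=http_send, sleep=time.sleep, retries=2):
    """Send one request; wait out 429s and raise ApiError for other errors."""
    for attempt in range(retries + 1):
        status, headers, body = send(method, path, token, payload)
        if status == 429 and attempt < retries:
            sleep(WINDOW_SECONDS)  # budget exhausted: wait for a fresh window
            continue
        if status >= 400:
            raise ApiError(status, body)  # 401/403/404/422, or 429 after retries
        if headers.get("x-ratelimit-remaining") == "0":
            sleep(WINDOW_SECONDS)  # last allowed request used: pause before the next
        return body
```

The send and sleep parameters exist so the retry logic can be exercised with a stub transport instead of a live server.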