Skip to content

Authentication

API keys

The Business API authenticates server-to-server with a scoped API key — a Bearer credential bound to a single business, accepted only over HTTPS.

Auth
Bearer
Binding
One business
Transport
HTTPS

The key model

Send your key in the Authorization header as a Bearer token. There's no user session — the key authenticates the request on its own.

A key only works on its own business's handle endpoint; presenting it elsewhere is refused.

Create and manage keys in the business admin under Settings → API keys: name a key, grant it scopes, and copy its secret once at creation. Treat the secret like a password — store it server-side and rotate it if it leaks.

bash
curl https://business.sessions.website/@<handle>/api/graphql \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer sk_live_…' \
  --data '{"query":"{ activeBusiness { id name } }"}'

Scopes

A key is granted one or more scopes. A request that touches a field outside its scopes is refused. Scopes available today:

participants:readread
Read participants — name, email, and marketing-consent state.
registrations:readread
Read activity registrations and their status.
products:readread
Read the products a business sells.
purchases:readread
Read product purchases — passes, memberships, gift cards, and physical goods.
webhooks:readread
Read the business’s webhook endpoints and their delivery history.
webhooks:writewrite
Create, update, and remove webhook endpoints.
Effective access is the intersection of a key’s scopes and the business’s own grants — a scope a key holds but the business doesn’t have still resolves to nothing.

Using a key

The Business GraphQL API is the surface these keys unlock. Business GraphQL guide