Build with our API

Do you have your own booking system, point of sale or website? Connect it to Privé Wellness and work directly with your units and bookings from your own software. You fetch availability, create reservations, start payments and automatically get notified as soon as something changes. Create an API key in your account and you can get started.

A key only works for your own company: you never see or modify another company's data. The rest of this page is the technical reference (in English).


Getting started

  1. Log in as an owner and open API under your dashboard settings (/rental/api-keys).
  2. Create a key, choose its scopes, and copy the secret — it's shown only once.
  3. Send it as a Bearer token on every request.

Base URL

https://privewellness.nl/api/public/v1

curl https://privewellness.nl/api/public/v1/me \
  -H "Authorization: Bearer pw_live_xxxxxxxxxxxx"

Authentication & scopes

Every request needs Authorization: Bearer <your key>. A key is granted a subset of scopes; an endpoint returns 403 if your key lacks the scope it needs.

Scope            Allows
units:read       Read units
bookings:read    Read bookings
bookings:write   Create and modify bookings
payments:write   Start payments

Conventions

  • JSON in and out; money is integer cents with a currency field.
  • Timestamps are RFC-3339; dates are YYYY-MM-DD.
  • List endpoints return { "data": [...], "pagination": { page, per_page, total, total_pages } } and accept ?page and ?per_page (max 100).
  • Errors are { "error": { "code": "...", "message": "..." } } with the matching HTTP status.

Rate limiting

600 requests per minute per key. Every response carries X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset; exceeding it returns 429 with Retry-After.

Idempotency

Send a unique Idempotency-Key header on POST requests. If a network retry replays it, you get the original response back instead of a duplicate booking or charge. Reusing a key with a different body returns 409. Keys are remembered for 24 hours.


Endpoints

Method  Path                             Scope           Description
GET     /me                              -               Your company & scopes
GET     /units                           units:read      List your units
GET     /units/{uuid}                    units:read      Unit detail
GET     /units/{uuid}/availability       units:read      Bookable slots per day (?from=&to=, max 31 days)
GET     /bookings                        bookings:read   List bookings (?unit=&status=&from=&to=)
GET     /bookings/{reference}            bookings:read   Booking detail
POST    /bookings                        bookings:write  Create a booking
POST    /bookings/{reference}/payments   payments:write  Start a payment, returns a checkout URL
POST    /bookings/{reference}/cancel     bookings:write  Cancel a booking

Example: create a booking

curl -X POST https://privewellness.nl/api/public/v1/bookings \
  -H "Authorization: Bearer pw_live_xxxx" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: 0c3b1d8e-..." \
  -d '{
    "unit_uuid": "1f16...",
    "date": "2026-07-15",
    "timeslot_id": 1362,
    "customer": { "first_name": "Sam", "email": "sam@example.com", "phone": "0612345678" }
  }'

Webhooks

Instead of polling, register one or more receiver URLs under API in your dashboard and subscribe them to events. We POST a signed JSON body to your URL when:

Event              Fires when
booking.created    a booking is made on one of your units
booking.cancelled  a booking is cancelled
payment.paid       a booking is paid in full

The body is an event envelope:

{ "id": "<delivery-uuid>", "type": "booking.created",
  "created": "2026-07-01T10:00:00+00:00",
  "data": { "booking": { ...same shape as GET /bookings/{reference}... } } }

Verifying the signature

Each delivery includes X-PriveWellness-Signature: t=<timestamp>,v1=<hmac>. Compute HMAC-SHA256 of "<timestamp>.<raw-body>" with your endpoint's signing secret and compare it to v1 (use a constant-time compare). Reject deliveries whose timestamp is too old; this prevents replays. We retry failed deliveries automatically.

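# PHP
// $timestamp and $v1 are the t= and v1= values from X-PriveWellness-Signature;
// $rawBody is the request body exactly as received, before json_decode().
$expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
if (hash_equals($expected, $v1)) { /* trusted */ }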
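
A fuller receiver-side check for the scheme described above, in Python, added here as an example and not Privé Wellness's own code. It assumes t is a Unix timestamp in seconds, a 300-second tolerance, and that a retried delivery keeps its envelope id (the page states none of these); the secret, body and header at the bottom are constructed sample values.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumption: the page does not state a maximum age


def verify_delivery(raw_body, header, secret, now=None):
    """Return True only if the signature matches and the timestamp is fresh.

    raw_body: exact request bytes as received, before any JSON parsing.
    header:   value of X-PriveWellness-Signature, "t=<timestamp>,v1=<hmac>".
    """
    fields = dict(p.strip().partition("=")[::2] for p in (header or "").split(","))
    timestamp, v1 = fields.get("t"), fields.get("v1")
    if not timestamp or not v1:
        return False
    # Check the MAC first: it covers the timestamp, so t is only trusted afterwards.
    signed = timestamp.encode() + b"." + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), v1.encode()):
        return False
    try:
        sent_at = int(timestamp)  # assumption: t is Unix time in seconds
    except ValueError:
        return False
    current = time.time() if now is None else now
    return abs(current - sent_at) <= TOLERANCE_SECONDS


def handle_delivery(raw_body, header, secret, seen_ids, now=None):
    """Verify, then parse, then drop envelopes whose id was already processed."""
    if not verify_delivery(raw_body, header, secret, now):
        return "rejected"
    event = json.loads(raw_body)
    if event["id"] in seen_ids:  # assumption: a retried delivery keeps its id
        return "duplicate"
    seen_ids.add(event["id"])
    return event["type"]


# Constructed sample values, not real credentials or traffic.
SECRET = b"constructed-signing-secret"
BODY = b'{"id":"11111111-2222-3333-4444-555555555555","type":"booking.created","data":{}}'
SENT = 1782900000
SIG = hmac.new(SECRET, str(SENT).encode() + b"." + BODY, hashlib.sha256).hexdigest()
HEADER = f"t={SENT},v1={SIG}"
```

In a real receiver, seen_ids would live in shared storage with an expiry at least as long as the tolerance window, and the handler would answer with a non-2xx status on "rejected".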

Questions, or missing a feature? Get in touch via the contact page.