Overview
/API/auth/V1/login.json, then call admin* controllers with the session cookie.
Writes and DELETE require super_admin;
svc_rep is staff read-only;
landlord (adminRole=1, non-superuser) has read-only access scoped to owned properties.
The REST gateway uses a two-tier model — public controllers on an allowlist for marketing and guest flows, and admin* controllers that require an authenticated admin session. Role checks are enforced per action.
Capabilities
| Area | What you can do |
|---|---|
| Admin authentication | Login, logout, and session user via auth controller (adminAPIKey + adminAPISecret) |
| Session protection | Authenticated requests use the session established at login for all admin* controllers |
| Public allowlist | Marketing site, catalog, booking, and tenant portal controllers stay public — see below |
| Admin reads | Properties, invoices, tenants, reservations, expenses, housekeeping, and reports (role-dependent) |
| Admin writes | POST/PUT for properties, invoices, tenants, reservations, expenses, and housekeeping (super_admin) |
| Admin DELETE | Soft-delete / cancel actions where supported by business rules (super_admin) |
| Role-scoped access | Staff roles and landlord read scope applied per controller and action |
In practice: website and guest integrations use public endpoints (for example /API/vrProperties/V1/vrProperties.json). Server-to-server admin tools call login first, then admin* endpoints with the session cookie. Landlords may read their own data via API but cannot POST, PUT, or DELETE. Housekeepers do not use the admin data API.
Landlord read scope (adminRole=1)
| Controller | Landlord access | Scope rule |
|---|---|---|
adminProperties | GET only | LTR: assigned properties; VR: landlord-owned inventory |
adminInvoices | GET only | Invoices on landlord-owned properties |
adminReservations | GET only | VR bookings on landlord-owned properties |
adminExpenses | GET only | Expenses on landlord-owned properties |
adminTenants | GET only | Tenants on landlord LTR assignments |
Auth flow
- POST
/API/auth/V1/login.jsonwith API key and secret. - Store the session cookie returned by the gateway.
- Call
admin*endpoints with that cookie. - POST
/API/auth/V1/logout.jsonwhen finished (optional).
curl -c cookies.txt -X POST "https://your-host/API/auth/V1/login.json" \
-H "Content-Type: application/json" \
-d '{"adminAPIKey":"YOUR_KEY","adminAPISecret":"YOUR_SECRET"}'
curl -b cookies.txt "https://your-host/API/adminProperties/V1/properties.json"
Credentials
Each admin user may have API credentials configured for REST access. Use a dedicated integration admin where possible, rotate secrets regularly, and never expose credentials in client-side code or public repositories.
| Field | Description |
|---|---|
adminAPIKey | Public identifier for the admin API principal |
adminAPISecret | Secret used with the key at login — treat like a password |
Auth endpoints
POST /API/auth/V1/login.json
Authenticates adminAPIKey and adminAPISecret and establishes the admin REST session.
Errors: 401 Invalid credentials
POST /API/auth/V1/logout.json
Ends the admin REST session.
GET /API/auth/V1/user.json
Returns the authenticated admin session. Optional path segment returns a single field.
Errors: 401 if not logged in
Admin data endpoints
Protected controllers — require login and appropriate role. Full field lists are in the API reference.
| Controller | Actions (representative) | Roles |
|---|---|---|
adminProperties |
List/get properties; create/update (super_admin) | read: super_admin, svc_rep, landlord · write: super_admin |
adminInvoices |
List/get invoices; create/update (super_admin) | read: super_admin, svc_rep, landlord · write: super_admin |
adminTenants |
List/get tenants; create/update (super_admin) | read: super_admin, svc_rep, landlord · write: super_admin |
adminReservations |
List/get reservations; create/update (super_admin) | read: super_admin, svc_rep, landlord · write: super_admin |
adminExpenses |
List/get expenses; create/update (super_admin) | read: super_admin, svc_rep, landlord · write: super_admin |
adminHousekeeping |
Housekeeping requests and updates | role-checked per action |
adminReports |
Income and occupancy reports (read-only) | staff read roles |
Successful write actions are recorded in the activity log for auditability.
Public allowlist
These controllers support public marketing and guest experiences and do not require admin auth.
| Controller | Purpose |
|---|---|
siteSettings | Public site configuration |
siteContent | CMS content blocks |
sitePages | Static pages |
siteReviews | Property reviews |
siteSliders | Homepage sliders |
siteNavigation | Navigation menus |
siteFaq | FAQs |
siteEvents | Events |
siteAttractions | Attractions and categories |
siteContact | Contact form and newsletter |
vrProperties | VR property catalog |
ltrProperties | LTR property catalog |
networkBlog | Blog posts and categories |
publicAuth | Tenant login / register / activate |
publicBooking | Availability, quotes, booking |
leaseApplications | Lease applications (session rules apply per action) |
auth | Admin login / logout / user (entry point for admin session) |
Security practices
- Least privilege: use a dedicated integration admin; prefer read-only staff roles where writes are not required.
- Protect secrets: store API secrets in a secure secret store; never ship them in front-end apps or public repos.
- Separate domains: tenant portal sessions, admin portal sessions, and REST admin sessions are independent — do not assume one cookie grants another.
- Integrations: Stripe, QuickBooks, and BookingPal use their own authentication models. See Integration scripts in the API reference.
- Server-to-server preferred: call admin endpoints from a trusted backend. Browser-based admin API use is not recommended.