Admin API

Authenticate with admin API credentials, then call protected admin* endpoints for properties, invoices, tenants, reservations, expenses, housekeeping, and reports.

Overview

Admin API v5.9.3.3: Authentication plus admin-protected read, write, and DELETE endpoints for properties, invoices, tenants, reservations, expenses, housekeeping, and read-only reports. Login via /API/auth/V1/login.json, then call admin* controllers with the session cookie. Writes and DELETE require super_admin; svc_rep is staff read-only; landlord (adminRole=1, non-superuser) has read-only access scoped to owned properties.

The REST gateway uses a two-tier model — public controllers on an allowlist for marketing and guest flows, and admin* controllers that require an authenticated admin session. Role checks are enforced per action.

Capabilities

AreaWhat you can do
Admin authentication Login, logout, and session user via auth controller (adminAPIKey + adminAPISecret)
Session protection Authenticated requests use the session established at login for all admin* controllers
Public allowlist Marketing site, catalog, booking, and tenant portal controllers stay public — see below
Admin reads Properties, invoices, tenants, reservations, expenses, housekeeping, and reports (role-dependent)
Admin writes POST/PUT for properties, invoices, tenants, reservations, expenses, and housekeeping (super_admin)
Admin DELETE Soft-delete / cancel actions where supported by business rules (super_admin)
Role-scoped access Staff roles and landlord read scope applied per controller and action

In practice: website and guest integrations use public endpoints (for example /API/vrProperties/V1/vrProperties.json). Server-to-server admin tools call login first, then admin* endpoints with the session cookie. Landlords may read their own data via API but cannot POST, PUT, or DELETE. Housekeepers do not use the admin data API.

Landlord read scope (adminRole=1)

ControllerLandlord accessScope rule
adminPropertiesGET onlyLTR: assigned properties; VR: landlord-owned inventory
adminInvoicesGET onlyInvoices on landlord-owned properties
adminReservationsGET onlyVR bookings on landlord-owned properties
adminExpensesGET onlyExpenses on landlord-owned properties
adminTenantsGET onlyTenants on landlord LTR assignments

Auth flow

  1. POST /API/auth/V1/login.json with API key and secret.
  2. Store the session cookie returned by the gateway.
  3. Call admin* endpoints with that cookie.
  4. POST /API/auth/V1/logout.json when finished (optional).
curl -c cookies.txt -X POST "https://your-host/API/auth/V1/login.json" \
  -H "Content-Type: application/json" \
  -d '{"adminAPIKey":"YOUR_KEY","adminAPISecret":"YOUR_SECRET"}'

curl -b cookies.txt "https://your-host/API/adminProperties/V1/properties.json"

Credentials

Each admin user may have API credentials configured for REST access. Use a dedicated integration admin where possible, rotate secrets regularly, and never expose credentials in client-side code or public repositories.

FieldDescription
adminAPIKeyPublic identifier for the admin API principal
adminAPISecretSecret used with the key at login — treat like a password

Auth endpoints

POST /API/auth/V1/login.json

Authenticates adminAPIKey and adminAPISecret and establishes the admin REST session.

Errors: 401 Invalid credentials

POST /API/auth/V1/logout.json

Ends the admin REST session.

GET /API/auth/V1/user.json

Returns the authenticated admin session. Optional path segment returns a single field.

Errors: 401 if not logged in

Admin data endpoints

Protected controllers — require login and appropriate role. Full field lists are in the API reference.

ControllerActions (representative)Roles
adminProperties List/get properties; create/update (super_admin) read: super_admin, svc_rep, landlord · write: super_admin
adminInvoices List/get invoices; create/update (super_admin) read: super_admin, svc_rep, landlord · write: super_admin
adminTenants List/get tenants; create/update (super_admin) read: super_admin, svc_rep, landlord · write: super_admin
adminReservations List/get reservations; create/update (super_admin) read: super_admin, svc_rep, landlord · write: super_admin
adminExpenses List/get expenses; create/update (super_admin) read: super_admin, svc_rep, landlord · write: super_admin
adminHousekeeping Housekeeping requests and updates role-checked per action
adminReports Income and occupancy reports (read-only) staff read roles

Successful write actions are recorded in the activity log for auditability.

Public allowlist

These controllers support public marketing and guest experiences and do not require admin auth.

ControllerPurpose
siteSettingsPublic site configuration
siteContentCMS content blocks
sitePagesStatic pages
siteReviewsProperty reviews
siteSlidersHomepage sliders
siteNavigationNavigation menus
siteFaqFAQs
siteEventsEvents
siteAttractionsAttractions and categories
siteContactContact form and newsletter
vrPropertiesVR property catalog
ltrPropertiesLTR property catalog
networkBlogBlog posts and categories
publicAuthTenant login / register / activate
publicBookingAvailability, quotes, booking
leaseApplicationsLease applications (session rules apply per action)
authAdmin login / logout / user (entry point for admin session)

Security practices

  • Least privilege: use a dedicated integration admin; prefer read-only staff roles where writes are not required.
  • Protect secrets: store API secrets in a secure secret store; never ship them in front-end apps or public repos.
  • Separate domains: tenant portal sessions, admin portal sessions, and REST admin sessions are independent — do not assume one cookie grants another.
  • Integrations: Stripe, QuickBooks, and BookingPal use their own authentication models. See Integration scripts in the API reference.
  • Server-to-server preferred: call admin endpoints from a trusted backend. Browser-based admin API use is not recommended.
Cookieless clients: the default admin REST model is session-cookie based after login. For mobile or other clients that cannot hold cookies, proxy admin calls through your own secure backend rather than embedding API secrets in the client.