All endpoints are Next.js Route Handlers under
src/app/api/. Base URL:http://localhost:3000/api(dev) or your deployed domain.
- Authentication
- Bookings
- Customers
- Products & Orders
- Payments & Billing
- Invoicing
- Loyalty
- Queue Management
- Staff
- Notifications
- AI Features
- Media
- Automation
- Marketplace & Partnerships
- Associations
- Accountant
- GDPR & Privacy
- Developer API
- Platform Admin
- Infrastructure
Register a new user and create their business.
Request Body:
{
"email": "marco@barberia.it",
"password": "securepassword",
"name": "Marco Rossi",
"businessName": "Barberia Da Marco",
"businessCategory": "barbiere",
"businessCity": "Forlì",
"businessAddress": "Via Roma 42",
"businessPhone": "+39 0543 12345"
}Response: 201 Created
{
"user": { "id": "...", "email": "marco@barberia.it", "name": "Marco Rossi" },
"business": { "id": "...", "name": "Barberia Da Marco", "slug": "barberia-da-marco" },
"token": "session_token_hex"
}Authenticate and receive a session cookie.
Request Body:
{
"email": "marco@barberia.it",
"password": "securepassword"
}Response: 200 OK
{
"token": "session_token_hex",
"user": { "id": "...", "email": "marco@barberia.it", "name": "Marco Rossi" }
}Clear the session cookie.
Response: 200 OK
Get the current authenticated user and business context.
Response: 200 OK
{
"user": { "id": "...", "email": "...", "name": "..." },
"business": { "id": "...", "name": "...", "slug": "..." }
}List bookings for the authenticated business.
Query Parameters:
| Param | Type | Description |
|---|---|---|
page |
number | Page number (default: 1) |
limit |
number | Items per page (default: 20) |
Response: 200 OK — Paginated list of BookingResponse
Create a new booking (authenticated business owners).
Request Body:
{
"customerName": "Luca Bianchi",
"customerPhone": "+39 333 1234567",
"service": "Taglio uomo",
"serviceId": "svc_...",
"staffId": "staff_...",
"startsAt": "2025-01-15T10:00:00Z",
"durationMinutes": 30,
"notes": "Preferisce il taglio corto",
"channel": "dashboard"
}Response: 201 Created — BookingResponse
Public booking endpoint (no authentication required, rate-limited).
Request Body: Same as POST /api/bookings plus businessId.
Get available time slots for a business.
Query Parameters:
| Param | Type | Description |
|---|---|---|
businessId |
string | Business ID |
daysAhead |
number | Number of days to check (default: 7) |
serviceDuration |
number | Service duration in minutes |
Response: 200 OK
[
{
"date": "2025-01-15",
"dayName": "Mercoledì",
"slots": [
{ "start": "09:00", "end": "09:30", "available": true },
{ "start": "09:30", "end": "10:00", "available": false }
]
}
]List customers for the authenticated business.
Response: 200 OK — List of CustomerResponse
Create a new customer.
Request Body:
{
"name": "Maria Verdi",
"phone": "+39 333 9876543",
"email": "maria@example.com",
"birthday": "1990-05-15"
}Request OTP for customer self-service.
Request Body:
{
"businessId": "biz_...",
"phone": "+39 333 1234567",
"action": "request_otp"
}Verify OTP and get customer session token.
List products for the authenticated business.
Response: 200 OK — List of ProductResponse
Create a product.
Request Body:
{
"name": "Olio Extra Vergine 500ml",
"description": "Olio biologico delle colline romagnole",
"priceEuro": 12.50,
"categoryId": "cat_...",
"stock": 50
}List orders for the authenticated business.
Response: 200 OK — Paginated list of OrderResponse
Create a new order.
Request Body:
{
"customerName": "Paolo Neri",
"customerPhone": "+39 333 1111222",
"items": [
{ "productId": "prod_...", "quantity": 2 }
],
"notes": "Consegna pomeriggio"
}Get payment transactions and stats for the authenticated business.
Create a payment (deposit or gift card).
Request Body:
{
"type": "deposit",
"businessId": "biz_...",
"bookingId": "book_...",
"amountEuro": 25.00,
"customerName": "Luca Bianchi"
}Purchase a gift card.
Request Body:
{
"amountEuro": 50,
"purchaserName": "Anna",
"recipientName": "Marco",
"message": "Buon compleanno!"
}Create a Stripe Checkout session for subscription billing.
Request Body:
{
"tier": "professionale",
"successUrl": "https://...",
"cancelUrl": "https://..."
}Stripe webhook handler (signature-verified).
List invoices and stats for the authenticated business.
Generate an invoice from a booking.
Request Body:
{
"bookingId": "book_..."
}Response: 201 Created — Invoice ID and FatturaPA XML
Get loyalty cards and stats for the authenticated business.
Award loyalty points to a customer.
Request Body:
{
"customerId": "cust_...",
"points": 10
}Get active queue for a business.
Add a customer to the queue.
Request Body:
{
"businessId": "biz_...",
"customerName": "Paolo",
"customerId": "cust_..."
}List staff profiles for the authenticated business.
Create a staff profile.
Update a staff profile (working hours, services, active status).
Get notification feed for the authenticated business (grouped by day).
Mark notifications as read.
Request Body:
{
"action": "markAllRead"
}Register a push notification subscription (VAPID/Web Push).
Unregister a push subscription.
Send a WhatsApp message via the Business API.
Request Body:
{
"phone": "+39 333 1234567",
"message": "La tua prenotazione è confermata!",
"templateName": "booking_confirmation",
"params": ["Luca", "15 Gennaio", "10:00"]
}WhatsApp webhook verification (challenge response).
Inbound WhatsApp message handler.
Get AI conversation stats.
Process an inbound message through AI (intent detection, tool use, fallback).
Generate social media content using OpenAI.
Request Body:
{
"businessCategory": "barbiere",
"businessName": "Barberia Da Marco",
"tone": "friendly",
"topic": "promozione estate"
}Get AI-generated business insights.
Trigger insight generation for a business.
Get experimental "moonshot" features (Artisan Twin, District Graph, etc.).
List media assets for the authenticated business.
Upload a media asset (with storage quota check).
Delete a media asset.
List automation flows for the authenticated business.
Create a new automation flow.
Request Body:
{
"name": "Conferma prenotazione",
"triggerEvent": "booking.created",
"actions": [
{ "type": "whatsapp.send_template", "params": { "templateId": "booking_confirmation" } },
{ "type": "loyalty.award_points", "params": { "points": 10 } }
]
}Toggle or update an automation flow.
Search marketplace listings with filters.
Query Parameters:
| Param | Type | Description |
|---|---|---|
category |
string | Filter by category |
city |
string | Filter by city |
query |
string | Search query |
List partnerships for the authenticated business.
Create a partnership between two businesses.
List trade associations.
Create an association or bulk-onboard businesses.
Get accountant dashboard and client data.
Register an accountant or claim an invite code.
Export customer data (Article 20 — Data Portability).
Query Parameters:
| Param | Type | Description |
|---|---|---|
customerId |
string | Customer ID |
format |
json | csv |
Export format (default: json) |
Erase customer data (Article 17 — Right to Erasure).
Query Parameters:
| Param | Type | Description |
|---|---|---|
customerId |
string | Customer to erase |
List API keys for the authenticated business.
Create a new API key.
Request Body:
{
"name": "POS Integration",
"scopes": "bookings:read,customers:read,orders:write",
"rateLimit": 1000
}Response: 201 Created
{
"id": "key_...",
"key": "bd_live_abc123...",
"prefix": "bd_live_abc",
"name": "POS Integration"
}
⚠️ The full key is only returned once at creation time.
Revoke an API key.
List webhook endpoints.
Register a webhook endpoint.
Request Body:
{
"url": "https://your-server.com/webhook",
"events": "booking.created,payment.received"
}Get the full OpenAPI specification (auto-generated).
Platform-wide analytics (MRR, churn, health scores).
Public business directory with search.
Get available regions and their configuration.
Health check endpoint.
Query Parameters:
| Param | Type | Description |
|---|---|---|
verbose |
boolean | Include memory and uptime info |
Response: 200 OK / 503 Degraded
{
"status": "healthy",
"timestamp": "2025-01-15T10:00:00Z",
"responseTimeMs": 12,
"version": "0.1.0",
"environment": "production",
"checks": {
"database": { "ok": true, "latencyMs": 5 },
"environment": { "ok": true, "missing": [] },
"integrations": {
"stripe": true,
"whatsapp": true,
"openai": false,
"email": true
}
}
}Get job scheduler stats.
Trigger job processing (called by Vercel cron every 15 minutes).
Server-Sent Events (SSE) stream for real-time updates.
Dynamic sitemap.xml generation.
Dynamic robots.txt generation.
Sync business data with Google Business Profile.
All errors follow a consistent format:
{
"error": "error_code",
"message": "Human-readable description in Italian",
"statusCode": 400,
"requestId": "req_..."
}Paginated endpoints return:
{
"data": [],
"pagination": {
"page": 1,
"limit": 20,
"total": 150,
"totalPages": 8
}
}| Category | Limit | Window |
|---|---|---|
| Login | 5 attempts | 15 minutes |
| Register | 3 attempts | 1 hour |
| OTP | 5 attempts | 10 minutes |
| General API | 100 requests | 1 minute |
| Booking (public) | 10 requests | 1 hour |
| API Key-based | Configurable per key | Sliding window |
Rate limit headers are included in API responses:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 2025-01-15T10:01:00Z
When registered, webhooks deliver signed payloads for these events:
| Event | Description |
|---|---|
booking.created |
New booking created |
booking.updated |
Booking status changed |
booking.cancelled |
Booking cancelled |
payment.received |
Payment completed |
customer.created |
New customer added |
order.created |
New order placed |
review.received |
New review posted |
Webhook Payload:
{
"event": "booking.created",
"data": { "bookingId": "...", "customerName": "..." },
"timestamp": "2025-01-15T10:00:00Z",
"businessId": "biz_..."
}Verification: Verify the X-Webhook-Signature header using HMAC-SHA256 with your webhook secret.