Complete reference for all Ospite Facile API endpoints. All routes are under /api/.
- Authentication
- Dashboard
- Bookings & Calendar
- Properties
- Compliance
- Billing
- Communication
- Cleaning & Operations
- Pricing & Revenue
- Smart Locks & IoT
- Documents & OCR
- Notifications & Jobs
- Guest Portal & Concierge
- Co-Host Marketplace
- GDPR
- Admin & Monitoring
- Public API (v1)
- Import & Seeding
Register a new user account.
Body:
{
"email": "host@example.com",
"password": "securePassword123",
"name": "Mario Rossi",
"role": "owner"
}Response: 201 Created
{
"success": true,
"user": { "id": "...", "email": "...", "role": "owner", "planTier": "starter" }
}Cookie set: ospite_session (30-day HttpOnly cookie with base64-encoded session)
Authenticate and create a session.
Body:
{
"email": "host@example.com",
"password": "securePassword123"
}Response: 200 OK — Sets ospite_session cookie
Destroy the current session.
Response: 200 OK — Clears ospite_session cookie
Get a CSRF token for form submissions.
Response: 200 OK
{
"token": "csrf_..."
}Main dashboard data with aggregated stats.
Auth: Required (owner, manager)
Response: 200 OK
{
"properties": [...],
"bookings": [...],
"stats": {
"totalProperties": 5,
"activeBookings": 12,
"monthlyRevenue": 8540.00,
"occupancyRate": 0.78
}
}Dashboard overview with operational data.
Auth: Required
Response: 200 OK — Properties, upcoming check-ins/outs, pending tasks, alerts
List all bookings for the authenticated user's properties.
Auth: Required
Query params:
| Param | Type | Description |
|---|---|---|
status |
string | Filter by status (confirmed, pending, canceled) |
propertyId |
string | Filter by property |
from |
string | Start date (ISO) |
to |
string | End date (ISO) |
Response: 200 OK — Array of booking objects
Calendar data with bookings and blocks.
Auth: Required
Query params: propertyId, month (YYYY-MM)
Response: 200 OK
Create calendar blocks or manage availability.
Auth: Required
Body:
{
"propertyId": "prop_123",
"startDate": "2025-08-01",
"endDate": "2025-08-05",
"reason": "Personal use"
}Public iCal feed for a property. Used for channel sync with Airbnb/Booking.com.
Auth: None (public feed URL)
Response: 200 OK — text/calendar iCal format
Get booking lifecycle state for active bookings.
Auth: Required
Create a new lifecycle for a booking.
Auth: Required
Body:
{
"bookingId": "book_123",
"automationMode": "auto"
}Advance the lifecycle state machine (manual trigger or retry).
Body:
{
"lifecycleId": "lc_123",
"trigger": "manual"
}List all properties for the authenticated user.
Auth: Required
Response: 200 OK
[
{
"id": "prop_123",
"name": "Appartamento Centro Forlì",
"address": "Via Garibaldi 42",
"city": "Forlì",
"province": "FC",
"status": "active",
"nightlyRate": 85.00
}
]List Alloggiati filings for the user's properties.
Auth: Required
Response: 200 OK — Array of filing records with status
Submit guest data to the Questura via Alloggiati Web.
Auth: Required
Body:
{
"bookingId": "book_123",
"guests": [
{
"surname": "Smith",
"name": "John",
"sex": "M",
"dateOfBirth": "1990-05-15",
"citizenship": "US",
"documentType": "passport",
"documentNumber": "AB1234567"
}
]
}Response: 200 OK
{
"success": true,
"status": "accepted",
"receiptId": "RCP-2025-0042"
}List ISTAT reports for the user's properties.
Auth: Required
Submit ISTAT C/59 tourism statistics report.
Auth: Required
Run compliance checks across all properties.
Auth: Required
Response: 200 OK
{
"score": 85,
"checks": [
{ "name": "CIN Registration", "status": "pass", "severity": "critical" },
{ "name": "Fire Extinguisher", "status": "warning", "severity": "warning" }
],
"recommendations": [...]
}Trigger a compliance check for a specific property.
Get tourist tax calculations and rules.
Auth: Required
Calculate tourist tax for a booking.
Body:
{
"municipality": "Forlì",
"guests": 4,
"childrenUnder14": 1,
"nights": 5
}Response: 200 OK
{
"municipality": "Forlì",
"ratePerPerson": 2.00,
"taxableGuests": 3,
"taxableNights": 5,
"totalTax": 30.00,
"breakdown": "3 ospiti × 5 notti × €2.00 = €30.00"
}List ISTAT reporting data.
Submit ISTAT report data.
Get current billing/subscription status.
Auth: Required
Response: 200 OK
{
"planTier": "host",
"status": "active",
"plan": {
"name": "Host",
"priceMonthly": 39,
"propertyLimit": 10,
"features": ["unlimited_channels", "cleaning_tasks", "dashboard_analytics"]
}
}Create or update a subscription.
Quick subscription status check.
Create a Stripe Checkout session.
Body:
{
"planTier": "professional",
"interval": "monthly"
}Response: 200 OK
{
"sessionId": "cs_...",
"url": "https://checkout.stripe.com/..."
}Create a Stripe Customer Portal session for self-service billing management.
Response: 200 OK
{
"url": "https://billing.stripe.com/..."
}Stripe webhook receiver. Handles checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, invoice.paid, invoice.payment_failed.
Auth: Stripe webhook signature verification
List communication templates and rules.
Auth: Required
Send a message or create a communication rule.
Body:
{
"trigger": "pre_arrival_48h",
"channel": "email",
"bookingId": "book_123",
"language": "en"
}Triggers: booking_confirmed, pre_arrival_48h, check_in_day, mid_stay, checkout_reminder, review_request
Channels: email, whatsapp, in_app
List cleaning tasks with status.
Auth: Required
Create or update a cleaning task.
List maintenance tickets.
Create a maintenance ticket.
List inventory items and levels.
Update inventory or log supply usage.
Get pricing rules and suggestions for properties.
Auth: Required
Create or update a pricing rule.
Body:
{
"propertyId": "prop_123",
"type": "weekend_uplift",
"name": "Weekend +20%",
"adjustment": 20,
"isPercent": true,
"conditions": { "daysOfWeek": [5, 6] },
"priority": 10
}Rule types: weekend_uplift, seasonal, event, last_minute, min_stay, high_demand, low_demand
Revenue analytics and occupancy metrics.
Cross-property revenue intelligence: P&L, RevPAR, ADR, channel ROI, what-if scenarios.
Run a what-if revenue scenario.
List owner reports and payout summaries.
Generate an owner report for a period.
List smart locks and their status (battery, online, lock state).
Auth: Required
Create access codes, lock/unlock, or register a new lock.
Body (create access code):
{
"action": "create_code",
"lockId": "lock_123",
"bookingId": "book_123",
"guestName": "John Smith",
"validFrom": "2025-08-01T14:00:00Z",
"validUntil": "2025-08-05T10:00:00Z"
}Supported providers: Nuki, Yale, August, TTLock, Generic
Upload a guest document (passport, ID card).
Body: Multipart form data with document file.
Run OCR extraction on an uploaded document.
Response: 200 OK
{
"extracted": {
"surname": "SMITH",
"name": "JOHN",
"documentNumber": "AB1234567",
"dateOfBirth": "1990-05-15",
"expiryDate": "2030-05-15"
},
"confidence": 0.92
}List notifications for the authenticated user.
Auth: Required
Mark notifications as read or dismissed.
List background jobs with status.
Create a background job.
Job types: ical_sync, lifecycle_advance, istat_report, alloggiati_submit, cleaning_auto, review_request, etc.
Authenticate a guest portal token.
Get AI concierge conversations.
Send a message to the AI concierge.
Body:
{
"conversationId": "conv_123",
"message": "Qual è la password del WiFi?",
"language": "it"
}Response: 200 OK
{
"content": "La password del WiFi è...",
"confidence": 0.95,
"shouldEscalate": false,
"matchedFaq": "wifi",
"sources": ["knowledge_base"]
}Browse co-host profiles and matches.
Create a co-host profile or request a match.
List direct booking site configurations.
Create or update a direct booking site.
Export all personal data for the authenticated user (GDPR Art. 20 — data portability).
Auth: Required
Response: 200 OK — JSON with all user data, properties, bookings, communications, and subscription history.
Delete all personal data and anonymize records (GDPR Art. 17 — right to erasure).
Auth: Required
Response: 200 OK
{
"deleted": true,
"anonymized": ["bookings", "communications", "documents"]
}Retention policy:
| Data Type | Retention | Reason |
|---|---|---|
| Guest documents | 365 days | Operational compliance |
| Communication logs | 90 days | Operational necessity |
| Job executions | 90 days | Debug audit trail |
| Notifications | 180 days | Support traceability |
| Billing/subscriptions | 10 years | Italian fiscal obligations |
List configured integration statuses (Stripe, Resend, Twilio, Alloggiati).
Update integration configuration.
Health check endpoint. Used by Docker, Vercel, and load balancers.
Response: 200 OK
{
"status": "healthy",
"database": { "provider": "turso", "region": "fra" },
"version": "0.1.0",
"uptime": 86400
}Extended health check with deeper diagnostics.
Aggregated application metrics (request volume, error rate, p95 latency).
Auth: Required (admin)
List recent alerts.
Create or acknowledge an alert.
Moonshot feature status and roadmap data (dev/internal).
OpenAPI 3.0 specification document for the public API.
List API keys for the authenticated user.
Create a new API key.
Body:
{
"name": "My Integration",
"permissions": ["properties:read", "bookings:read", "availability:read"],
"rateLimit": 60
}Permissions: properties:read, properties:write, bookings:read, bookings:write, availability:read, pricing:read, pricing:write, compliance:read, guests:read, webhooks:manage
Revoke an API key.
List webhook subscriptions.
Create a webhook subscription.
Body:
{
"url": "https://example.com/webhook",
"events": ["booking.created", "guest.checked_in", "cleaning.completed"],
"secret": "whsec_..."
}Events: booking.created, booking.updated, booking.canceled, guest.checked_in, guest.checked_out, property.updated, cleaning.completed, review.received
Delete a webhook subscription.
Import properties or bookings from CSV (Airbnb export format supported).
Update existing records from CSV import.
Seed the database with demo data (development only).
Get onboarding state for the current user.
Create or advance onboarding flow.
Update onboarding step data.
List guest reviews with sentiment analysis.
Create or respond to a review.
All endpoints return consistent error shapes:
{
"error": "Descrizione dell'errore",
"code": "VALIDATION_ERROR",
"details": [...]
}| Status | Meaning |
|---|---|
400 |
Validation error — invalid request body or params |
401 |
Unauthorized — missing or expired session |
403 |
Forbidden — insufficient role or plan tier |
404 |
Not found |
429 |
Rate limited |
500 |
Internal server error |
- Default: configurable via
RATE_LIMIT_WINDOW_MSandRATE_LIMIT_MAX_REQUESTS - Auth endpoints: separate limit via
AUTH_RATE_LIMIT_MAX - API keys: per-key rate limits (default 60 req/min)
| Method | Endpoints | Mechanism |
|---|---|---|
| Session cookie | All /api/* except public |
ospite_session HttpOnly cookie |
| API key | /api/v1/* |
Authorization: Bearer <key> header |
| Webhook signature | /api/billing/webhook |
Stripe stripe-signature header |
| Portal token | /api/portal |
One-time guest token in URL |