
API authentication

Bearer API keys, scoped per restaurant, with rotation and revocation.

The API uses Bearer authentication. Issue a key from Settings → API keys, store it securely, and send it on every request in the Authorization header.

Keys

Keys are prefixed by environment: dineos_live_ for production traffic against your real data, and dineos_test_ for a sandbox restaurant that ships with every Enterprise workspace. The full key is shown once on creation; if it is lost, rotate it.

Scopes

Each key is scoped to a single restaurant. Multi-restaurant groups need one key per restaurant. Scopes within a restaurant are coarse (read, write, admin) and follow the same role-based access rules as the dashboard.

Example request

curl https://api.dineos.com/v1/reservations \
  -H "Authorization: Bearer dineos_live_8fGJ2qY9vZk1mN0pQ4r" \
  -H "Accept: application/json"

Rotation

Rotate keys from the dashboard. Rotation issues a new key immediately and gives the old key a 30-day overlap window so you can deploy the new key without downtime. After 30 days the old key is hard-revoked.

Never embed keys in client-side code
API keys grant access to all of your restaurant's data. They must only live on servers, in CI secret stores, or in a secrets manager, never in JavaScript bundles, mobile binaries, or public repos. Use the embeddable widget for client-side integrations.
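
One way to enforce this before code ships, as an added example that is not part of the DineOS documentation: a pre-commit or CI check that scans source files and built bundles for the documented dineos_live_ and dineos_test_ prefixes and prints only redacted matches. The key-body pattern (alphanumeric, at least 16 characters), the function names, and the policy of failing only on live keys are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Assumption: the key body after the documented prefix is alphanumeric, as in the
# page's sample key; the minimum length of 16 is a guess, not a DineOS spec.
KEY_RE = re.compile(r"\bdineos_(live|test)_[A-Za-z0-9]{16,}")


def redact(key: str) -> str:
    """Keep the environment prefix and last 4 characters so logs never hold a key."""
    prefix, body = key.rsplit("_", 1)
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text: str, source: str = "<input>"):
    """Return one finding per key occurrence: (source, line_no, env, redacted)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((source, line_no, m.group(1), redact(m.group(0))))
    return findings


def scan_paths(paths):
    """Scan files, or directories recursively, ignoring undecodable bytes."""
    findings = []
    for p in paths:
        path = Path(p)
        files = path.rglob("*") if path.is_dir() else [path]
        for f in files:
            if f.is_file():
                findings += scan_text(f.read_text(errors="ignore"), str(f))
    return findings


# Constructed sample: a front-end file with the page's example key pasted into it.
SAMPLE = '''const API = "https://api.dineos.com/v1/reservations";
const KEY = "dineos_live_8fGJ2qY9vZk1mN0pQ4r";
fetch(API, { headers: { Authorization: "Bearer " + KEY } });
// sandbox: dineos_test_AAAAbbbbCCCCddddEEEE
'''

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.js")
    for src, line_no, env, key in hits:
        print(f"{src}:{line_no}: {env} key {key}")
    # Policy of this example: a live key fails the check, a test key is only reported.
    sys.exit(1 if any(env == "live" for _, _, env, _ in hits) else 0)
```

Run it with the paths to check as arguments (for example the source tree and the build output directory); any key it finds in a live environment should be rotated from the dashboard, not just deleted from the file.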