Authentication

BusyBook uses Supabase for authentication and API access. All API requests go through the Supabase REST API at https://api.busybook.co/rest/v1/.

When you log in to the BusyBook platform, authentication is handled automatically via Supabase Auth. Your session token is managed by the application — no manual configuration needed.

For programmatic access (e.g., integrations, scripts, or the assistant), API requests use the Supabase apikey header:

curl -s "https://api.busybook.co/rest/v1/appointments" \
-H "apikey: YOUR_SUPABASE_ANON_KEY" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json"

Every API request must include:

| Header | Value | Purpose |
|---|---|---|
| apikey | Your Supabase anon key | Identifies the project |
| Authorization | Bearer <jwt_token> | Authenticates the user |
| Content-Type | application/json | For POST/PATCH requests |

All tables are protected by Row-Level Security. This means:

  • You can only access data belonging to your practice (therapist_id = auth.uid())
  • Cross-tenant data access is impossible at the database level
  • Even if you construct a query without a therapist_id filter, RLS enforces the scope

The API enforces rate limits to prevent abuse:

| Endpoint Type | Limit |
|---|---|
| Read (GET) | 100 requests/minute |
| Write (POST/PATCH/DELETE) | 30 requests/minute |
| Auth (login/signup) | 10 requests/minute |

If you hit a rate limit, the API returns 429 Too Many Requests. Wait and retry after the indicated period.

All errors follow a standard format:

{
"message": "Description of what went wrong",
"code": "ERROR_CODE",
"hint": "Optional suggestion for how to fix it"
}

Common error codes:

| Status | Meaning |
|---|---|
| 400 | Bad request — check your request body |
| 401 | Unauthorized — invalid or expired token |
| 403 | Forbidden — RLS denied access to this resource |
| 404 | Not found — the resource doesn’t exist |
| 409 | Conflict — duplicate entry or constraint violation |
| 429 | Rate limited — slow down |
| 500 | Server error — contact support |
500Server error — contact support
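
A client-side sketch of the rate-limit and error handling described above, added here as an example and not taken from BusyBook's own code. It assumes the "indicated period" arrives as a Retry-After header in seconds; `send` is a hypothetical transport returning `(status, headers, body)`, and the sample responses, including the `RATE_LIMIT` code, are constructed.

```python
import json
import time

class ApiError(Exception):
    """Carries the fields of the documented error format; any may be missing."""
    def __init__(self, status, body):
        try:
            data = json.loads(body)
        except (TypeError, ValueError):
            data = None
        data = data if isinstance(data, dict) else {}
        self.status = status
        self.message = data.get("message")
        self.code = data.get("code")
        self.hint = data.get("hint")
        super().__init__(f"HTTP {status}: {self.message}")

def retry_delay(headers, attempt, cap=60.0):
    """Seconds to wait after a 429. Assumes Retry-After is given in seconds;
    otherwise falls back to capped exponential backoff."""
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        delay = float(lowered["retry-after"])
    except (KeyError, ValueError):
        delay = 2.0 ** attempt
    return max(0.0, min(delay, cap))

def call_with_retry(send, max_attempts=4, sleep=time.sleep):
    """send() is a hypothetical transport returning (status, headers, body)."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if 200 <= status < 300:
            return json.loads(body) if body else None
        if status == 429 and attempt + 1 < max_attempts:
            sleep(retry_delay(headers, attempt))
            continue
        # 401 needs a fresh token and 403 is an RLS denial: repeating the
        # same request cannot succeed, so surface the error immediately.
        raise ApiError(status, body)

def demo():
    # Constructed responses, not captured from the real API.
    replies = iter([
        (429, {"Retry-After": "5"}, '{"message": "Too many requests", "code": "RATE_LIMIT"}'),
        (429, {}, ""),
        (200, {}, '[{"id": 1}]'),
    ])
    waits = []
    result = call_with_retry(lambda: next(replies), sleep=waits.append)
    return result, waits
```

Only 429 is retried; a 401 should trigger a token refresh in the caller, and a 403 should be logged rather than repeated.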