API Overview
Introduction to the Basefloor REST API — authentication, versioning, and conventions.
API Overview
The Basefloor API is a RESTful JSON API served by hms-core (Ruby on Rails). All frontend applications communicate exclusively through this API.
Base URL
| Environment | URL |
|---|---|
| Production | https://hms-api.kaisersakhi.com/api/v1 |
| Development | http://localhost:4000/api/v1 |
Authentication
The API uses token-based authentication. After logging in, every subsequent request must include the token in the Authorization header:
Authorization: Bearer <your_token>Login
POST /api/v1/users/sessions
Content-Type: application/json
{
"email": "[email protected]",
"password": "your_password"
}Response:
{
"token": "eyJhbGciOiJIUzI1NiJ9...",
"user": {
"id": 1,
"email": "[email protected]",
"role": "manager",
"hotel_chain_id": 5
}
}Logout
DELETE /api/v1/users/sessions
Authorization: Bearer <token>Multi-Tenancy Headers
Every API request is automatically scoped to a hotel chain. The chain is resolved from the subdomain of the request origin. When calling from a frontend on khyber.hms.com, the API automatically scopes all queries to the Khyber chain.
For direct API testing (e.g., with Bruno or curl), pass the chain slug via the X-Hotel-Chain header:
X-Hotel-Chain: khyberRequest Format
- All request bodies must be
application/json - Dates use ISO 8601 format:
2025-06-15 - Times use UTC:
2025-06-15T14:00:00Z
Response Format
Successful responses return a JSON object with a data key:
{
"data": {
"id": 42,
"type": "booking",
"attributes": { ... }
}
}List responses include pagination metadata:
{
"data": [ ... ],
"meta": {
"total": 120,
"page": 1,
"per_page": 25
}
}Error Format
Errors return an errors array:
{
"errors": [
{
"status": "422",
"title": "Unprocessable Entity",
"detail": "Check-out date must be after check-in date"
}
]
}HTTP Status Codes
| Code | Meaning |
|---|---|
200 | OK — request succeeded |
201 | Created — resource was created |
204 | No Content — successful delete |
400 | Bad Request — malformed request |
401 | Unauthorized — missing or invalid token |
403 | Forbidden — insufficient permissions |
404 | Not Found — resource does not exist |
422 | Unprocessable Entity — validation failed |
500 | Internal Server Error |
Key Endpoints Reference
Properties
| Method | Path | Description |
|---|---|---|
GET | /properties | List all properties for the chain |
POST | /properties | Create a property |
GET | /properties/:id | Get a property |
PATCH | /properties/:id | Update a property |
DELETE | /properties/:id | Delete a property |
Bookings
| Method | Path | Description |
|---|---|---|
GET | /bookings | List bookings (filterable by date, property, status) |
POST | /bookings | Create a booking |
GET | /bookings/:id | Get booking details |
PATCH | /bookings/:id | Update a booking |
POST | /bookings/:id/check_in | Check in a guest |
POST | /bookings/:id/check_out | Check out a guest |
POST | /bookings/:id/cancel | Cancel a booking |
Guests
| Method | Path | Description |
|---|---|---|
GET | /guests | List guests |
POST | /guests | Create a guest |
GET | /guests/:id | Get guest profile and stay history |
PATCH | /guests/:id | Update guest |
Users
| Method | Path | Description |
|---|---|---|
GET | /users | List staff users |
POST | /users/invitations | Send invite to a new user |
PATCH | /users/:id | Update user role or property assignment |
DELETE | /users/:id | Deactivate user |
API Collection
A full Bruno API collection is available in the bruno/ directory of the hms-core repository. Import it into Bruno to explore and test all endpoints interactively.