API Authentication and Permissions


Guesty's platform API allows you to query the Guesty's API according to your token permissions.
The API enables integrator to create, update and delete data in various objects such as Users, Listings, Calendars, Reservations, Automated messages, Guests and many more.
Integrator access is limited by permissions provided during the initial set up (between Guesty and the integrator).
This page covers the initial setup phase, API authentication process and available permissions in high level.

API Technical Documentation

In order to view the API technical documentation please visit Guesty's technical API documentation.

Initial Setup

Guesty provides two types of integrations:

  1. Internal integration

    Available to all of Guesty's users via the dashboard. Allows users to create internal API tokens. To read more about internal integrations visit the API tool kit help page
    Internal integration tokens have complete access to the Guesty API in the scope of the data of that user, and therefore should never be shared with any external services.

  2. 3rd party services and partners

    Any service provider that is interested in integrating their service into Guesty's marketplace and by that offer their service to Guesty users, is welcome to contact us at product@guesty.com. Following a validation of the business value for Guesty users, the service provider will be granted with the required permissions for the integration implementation.


Guesty's API uses basic auth which requires the integrator to authenticate requests using a token composed of an API key ID and an API key secret.

Guesty generates the token for each integrator when a user chooses to connect to a services available on the integration marketplace.

The flow for generating a token is simple:

  1. The user access the Guesty integration marketplace: Account > Integration > Marketplace
  2. A unique token is generated for the user and the chosen service.
  3. At this point it's the integrator responsibility to get the token from the user.
  4. The integrator uses the token in all API requests.
  5. As long as the token is valid (the user didn't disconnect from the service or created a new token) - Guesty will respond to API requests with the requested data.


Guesty provides each integrator with a specific permission type. Each permission type defines which requests the integrator will be able to use in the Guesty API.

The permission type is provided to the integrator during the initial setup phase.

Internal integrations are provided with complete access to the API and therefore should only be used internally and should never be shared with external services.

Guesty API Permissions Matrix defines which parts of the API are available to each partner category.