Authentication

Understand when and how to authenticate requests to the Session Services API.

Most integrations only need a Tenant ID. Authenticated access is only required when you need to manage events, process orders, or access admin features.

Public Access

All public endpoints require the x-tenant-id header. No other credentials are needed.

curl https://api.session.services/events \
  -H "x-tenant-id: tnt_01jqpj2t2kfvmstt6f6tzkbaf2"

Public endpoints let you:

  • List and fetch events
  • View admissions and sections
  • Get order quotes
  • Browse venues and tenant config
  • Create checkout orders from public storefronts

Combined with the Ticketing Element, this is everything you need to display events and sell tickets on your site.


Authenticated Access

Endpoints that create, update, or delete resources require a Bearer token in the Authorization header alongside your Tenant ID.

curl https://api.session.services/events \
  -H "x-tenant-id: tnt_01jqpj2t2kfvmstt6f6tzkbaf2" \
  -H "Authorization: Bearer <your-token>"

Authenticated endpoints let you:

  • Create and manage events
  • Process orders and refunds
  • Scan tickets at entry
  • Manage teams and members
  • View payouts and financials

Obtaining a Token

API tokens are issued by Session Services OpenAuth. Contact the Session Services team to request credentials for your integration.

Using Tokens with the SDK

Pass the token in the headers option when creating a client:

import { createClient } from '@session-services/sdk';

const client = createClient({
  environment: 'prod',
  tenantId: 'tnt_01jqpj2t2kfvmstt6f6tzkbaf2',
  headers: {
    Authorization: `Bearer ${process.env.SESSION_SERVICES_TOKEN}`,
  },
});

Permissions

Authenticated tokens are scoped to specific capabilities. The available permission scopes are:

Scope      Description
EVENT      Create, edit, and manage events
ORDER      View and manage orders and refunds
FINANCE    Access financial reports and revenue data
SCANNING   Scan tickets at entry points
MARKETING  Create campaigns and send communications
BILLING    Manage billing settings and invoices
PROMOTER   Full access to promoter settings
TEAM       Manage team members and permissions
VENUE      Manage venue settings and information
EDITOR     Edit content and promotional materials
FULL       Complete admin-level access

If your token is missing a required scope for an endpoint, the API returns a 403 Forbidden response.


Error Responses

Status  Meaning
401     Missing or invalid token
403     Token lacks the required permission scope
400     Missing x-tenant-id header
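
The header rules and error statuses above, combined into one request helper. This is an added example, not Session Services or SDK code: the function names and action strings are hypothetical, and it assumes a fetch-compatible function (injectable, so it can run offline against a stub).

```javascript
// Added example, not Session Services code. The base URL, header names and
// status meanings come from the page; function names are hypothetical.
const BASE_URL = 'https://api.session.services';

// Build headers for one request. The bearer token is attached only when the
// call is authenticated, so public storefront traffic never carries it.
function buildHeaders({ tenantId, token, authenticated = false }) {
  if (!tenantId) throw new Error('x-tenant-id is required on every request');
  const headers = { 'x-tenant-id': tenantId };
  if (authenticated) {
    if (!token) throw new Error('authenticated call requires a token');
    headers.Authorization = `Bearer ${token}`;
  }
  return headers;
}

// Copy of the headers that is safe to log: the credential is masked.
function redactHeaders(headers) {
  const copy = { ...headers };
  if (copy.Authorization) copy.Authorization = 'Bearer [redacted]';
  return copy;
}

// Map the statuses in the page's error table to the caller's next step.
function classifyStatus(status) {
  if (status === 400) return { ok: false, action: 'fix-config: send x-tenant-id' };
  if (status === 401) return { ok: false, action: 'replace-token: missing or invalid' };
  if (status === 403) return { ok: false, action: 'request-scope: token lacks permission' };
  return { ok: status >= 200 && status < 300, action: 'none' };
}

// fetchImpl is injectable so the flow can be exercised offline with a stub.
async function callApi(path, opts, fetchImpl = fetch) {
  const headers = buildHeaders(opts);
  const res = await fetchImpl(`${BASE_URL}${path}`, { method: opts.method || 'GET', headers });
  return { status: res.status, sent: redactHeaders(headers), ...classifyStatus(res.status) };
}
```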