Public REST API

This document provides a global overview of the GuestXM Public API and how it operates. To view version-specific documentation regarding endpoints and models use the approriate version links in the section titled "API Versions".

Are you an GuestXM customer or integration partner who doesn't have access yet to the GuestXM public API? Please send us an e-mail at [email protected] explaining your use case and we'll get back to you asap.

API Versions

The GuestXM Public API is a versioned API that uses semver major/minor as its foundation. This means that all versions within the same minor number are always backwards compatible with each other (eg: 1.3 will be fully backwards compatible with 1.2, which in turn will be backwards compatible with 1.1).

Changes in a major version (eg: 2.0 vs 1.3) will mean a breaking change between versions that are not backwards compatible.

We make additions/improvements to the public API on a periodic basis, all changes will be noted down in the changelog for that version with the date of addition.

Authentication

Authentication is done by providing your api key in the header of the requests.

X-GXM-APIKEY
XXXXXXXXX
Content-Type
application/json

An api key is linked to a specific app and environment, it needs to be requested through [email protected]. When the api client has been approved and created we will send you your authentication key.

Environments

There are 2 environments of the GuestXM public api, a staging (for testing purposes) and a production environment (live). Each environment will have its own api key.

Staging
https://public-beta.guestxm.com/api/{version}
Production
https://public.guestxm.com/api/{version}

If you need access to a testing account on our staging environment, please contact [email protected] and we'll get back to you asap.

Response format

The response format is application/json and every response is wrapped in the following structure:

{
    "data" : {},
    "meta" : {},
    "warnings" : {}
}

This structure was chosen with a purpose to allow for more detailed data scenarios to be easily parsed on both front/backend.
Please find a description of these 3 categories below:

data
In case of a successful request, this will contain the data pertaining to your request. eg: If you requested a company entity with Id 3, this object will contain that company data. In case of an unsuccesful request this will contain an object containing status code and description of the status code.
meta
In case of an unsuccesful request, this will potentially contain any extra information such as a validation error code.
warnings
Contains other information not pertaining the request but the connection, eg: rate limitting/throttling

Example Success Response:

{
    "data" : {
        "id": 123456789,
        "name": "Acme Corp",
    },
    "meta" : {},
    "warnings" : {}
}

Example Failed Response:

{
    "data": {
        "status": 404,
        "detail": "The requested resource could not be found"
    },
    "meta": {},
    "warnings": {}
}

Example Failed Response with specific code:

{
    "data": {
        "status": 400,
        "detail": "Bad request"
    },
    "meta": {
        "code": "ERR:MSG:VALIDATION:START_FORMAT"
    },
    "warnings": {}
}

Rate Limiting

The GuestXM Public API applies rate limiting on almost every endpoint (endpoints that are excempt from this rule will have this mentioned in their documentation).

There are 3 forms of rate limitting to be aware of:

Read Limit
Every API client key is configured with a max amount of read calls that can be executed on a daily basis (default: 2500), this applies to all GET endpoints
Write Limit
Every API client key is configured with a max amount of write calls that can be executed on a daily basis (default: 500), this applies to all POST/PUT/PATCH/DELETE endpoints
Quota Limit
Certain endpoints have an additional quota limit (eg: bulk upload) on a daily basis. When such endpoints are executed this also impacts your daily write usage.

How do I know I've hit my rate limit?

When your daily rate limit has been used up, the GuestXM Public API will respond with a "429 Too Many Requests" response code

Read/Write Rate Limit response example:

{
    "data": {
        "status": 429,
        "detail": "Too many requests"
    },
    "meta" : {
        "code": "ERR:MSG:RATELIMITTED",
    },
    "warnings" : {
        "limits": {
            "reads": 2500,
            "writes": 500
        },
        "current": {
            "reads": 2501,
            "writes": 100
        }
    }
}

Quota Rate Limit response example:

{
    "data": {
        "status": 429,
        "detail": "Too many requests"
    },
    "meta" : {
        "code": "ERR:MSG:QUOTA_REACHED",
    },
    "warnings" : {
        "name": "bulk_upload",
        "used": 11,
        "quota": 10
    }
}

Webhooks

Each client api key can be configured for webhook requests. If configured, webhook requests will be sent as POST requests to the endpoint of your choice. Below you can find the list of all possible webhook events that we fire off:

COMPANY:UPDATED
Executed when a company's meta information was updated
COMPANY:INSIGHTS:UPDATED
Executed when a company's score was updated for a specific company
LOCATION:CREATED
Executed when a location was created for a specific company
LOCATION:UPDATED
Executed when a location's meta information was updated for a specific company
LOCATION:INSIGHTS:UPDATED
Executed when a location's score was updated for a specific company
LOCATION:DELETED
Executed when a location was deleted for a specific company
FEED:UPLOAD:STARTED
Executed when an upload job has started (job_id part of payload)
FEED:UPLOAD:FINISHED
Executed when an upload job has finished (job_id part of payload)
INTEGRATION:CONNECTED
Executed when an integration gets connection to a location

Example webhook payload

{
    "data" : {
        "sent_at": 1564662600,
        "action": "LOCATION:CREATED",
        "payload": {
            "company_id": 999999,
            ...
        }
    },
    "meta" : {},
    "warnings" : {}
}

Please use the below table to fully understand the structure of our webhook events:

sent_at
A unix timestamp (seconds) that contains the exact timestamp at which the webhook was fired
action
The action that this webhook represents
payload
Payload of the webhook request
payload.company_id
The id of the company that this request pertains to

Verifying webhook validity

If a webhook secret is configured, this secret will be sent along in the headers of the webhook request as the X-GXM-APISIGNATURE. The signature will be the configured secret hashed with SHA256

Example: Secret123456789 becomes:

X-GXM-APISIGNATURE
65F09EAD6E19C1644277AFA8DDF63C3A073032FCB1866A1CFD514AD9EFADEF2E

Configuration for webhooks needs to be requested through [email protected]