Authentication
Important: Keep your API credentials secure. Never expose them in client-side code or public repositories.
Platform API Authentication
The VardaCal Platform API uses API Key and Secret authentication for secure server-to-server communication. All Platform API requests require both headers.
API Key + Secret Authentication
Every Platform API request must include both your API Key and API Secret in the request headers. These credentials authenticate your application and authorize access to your VardaCal data.
Required Headers:
X-API-Key: vca_live_sk_1234567890abcdef...
X-API-Secret: secret_xyz789abcdef...Example Request:
curl -X GET https://api.vardacal.com/api/v1/platform/usage \
-H "X-API-Key: vca_live_sk_1234567890abcdef" \
-H "X-API-Secret: secret_xyz789abcdef"Note: Both the API Key and API Secret are required for every request. Missing either header will result in a 401 Unauthorized response.
Platform Plans & Access
Your Platform account plan determines API rate limits and available features:
| Plan | Rate Limit | Webhooks | Support |
|---|---|---|---|
| Starter | 60 requests/min | Basic webhooks | Email support |
| Growth | 300 requests/min | Advanced webhooks + retries | Priority support |
| Scale | 1,000 requests/min | Full webhook suite + DLQ | Dedicated support |
| Enterprise | Custom limits | Enterprise webhooks + SLA | 24/7 support + CSM |
Rate Limit Headers: Every API response includes rate limit information in headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.
Getting Your API Credentials
To use the Platform API, you need a Platform Account with API credentials. Here's how to get started:
-
1.
Sign up for a Platform Account (or upgrade your existing account)
-
2.
Navigate to Settings → Platform API in your dashboard
-
3.
Your API credentials will be displayed:
- API Key: Starts with
vca_live_sk_ - API Secret: Starts with
secret_
- API Key: Starts with
-
4.
Copy both credentials to your secure password manager or environment variables
-
5.
If you need to regenerate credentials, click Regenerate API Key (this will invalidate old credentials)
Security Warning: Your API Secret is sensitive. Never expose it in client-side code, commit it to version control, or share it publicly. If compromised, regenerate it immediately.
Developer Tip: Store credentials as environment variables:
export VARDACAL_API_KEY="vca_live_sk_..."
export VARDACAL_API_SECRET="secret_..."Security Best Practices
Use environment variables
Store API credentials in environment variables, not in code
Rotate keys regularly
Regenerate API keys periodically for enhanced security
Use HTTPS only
Always use HTTPS when making API requests
Limit scope access
Only grant the minimum required scopes for each integration
Monitor usage
Regularly review API usage logs for suspicious activity
Example Implementations
// Using Fetch API with Platform API
const apiKey = process.env.VARDACAL_API_KEY;
const apiSecret = process.env.VARDACAL_API_SECRET;
const response = await fetch('https://api.vardacal.com/api/v1/platform/usage', {
headers: {
'X-API-Key': apiKey,
'X-API-Secret': apiSecret,
'Content-Type': 'application/json'
}
});
const data = await response.json();
console.log('Usage:', data);
// Example: Create a booking
const booking = await fetch('https://api.vardacal.com/api/v1/platform/bookings', {
method: 'POST',
headers: {
'X-API-Key': apiKey,
'X-API-Secret': apiSecret,
'Content-Type': 'application/json'
},
body: JSON.stringify({
event_type_id: 123,
start_time: '2025-11-01T10:00:00Z',
attendee: {
name: 'John Doe',
email: 'john@example.com'
}
})
});
console.log('Booking:', await booking.json());