Overview
The Org API v1 is the enterprise API for the orchestra operating layer. It is scoped to one organization and uses your workspace slug in the path.
Base path:
/api/org/v1/{slug}{slug} is your organization's workspace slug. Responses are JSON and return Cache-Control: no-store.
Authentication
Create an org API key in Settings -> API & webhooks. The secret is shown once, so store it securely.
Send it as a bearer token:
Authorization: Bearer abo_org_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxA key is bound to one organization. Requesting another organization's slug with your key returns 404.
Response envelope
Success:
{ "success": true, "data": { "id": "..." } }Error:
{
"success": false,
"error": {
"message": "...",
"code": "API_SCOPE_MISSING",
"details": {}
}
}List endpoints wrap items in a page object:
{
"success": true,
"data": {
"items": [],
"page": 1,
"limit": 50,
"total": 120,
"totalPages": 3
}
}Status codes
| Status | Meaning |
|---|---|
401 | Missing, malformed, invalid, or revoked key |
403 | Key lacks the endpoint's scope |
404 | Slug is not this key's org, or the resource is not in this org |
409 | Resource-booking time conflict |
422 | Validation error |
429 | Rate limit exceeded per key |
Scopes
| Scope | Grants |
|---|---|
org:read:operations | Productions, services, works, performance history, tours, reports metadata, org info |
org:read:personnel | Personnel roster names, role, and section. Emails are not exposed. |
org:read:resources | Resources, rooms, and instrument inventory. Serials and insured values are not exposed. |
org:write:contacts | Create and update address-book contacts |
org:write:bookings | Create and cancel resource bookings |
org:write:checklist | Create and complete production checklist items |
org:write:requests | Create member requests |
Read endpoints
| Method | Path | Scope | Notes |
|---|---|---|---|
| GET | / | org:read:operations | Organization info |
| GET | /productions | org:read:operations | Supports status, q, page, and limit |
| GET | /productions/{id} | org:read:operations | Includes its services |
| GET | /services | org:read:operations | Supports productionId, from, to, page, and limit |
| GET | /works | org:read:operations | Repertoire |
| GET | /members | org:read:personnel | Supports q, page, and limit; no emails |
| GET | /resources | org:read:resources | Rooms and resources |
| GET | /instruments | org:read:resources | No serials or insured values |
| GET | /tours | org:read:operations | Tours |
| GET | /reports | org:read:operations | Report metadata only; no row data |
| GET | /performance-history | org:read:operations | Supports search, composer, conductor, from, and to |
Write endpoints
| Method | Path | Scope | Body |
|---|---|---|---|
| POST | /contacts | org:write:contacts | { name, type, company?, email?, phone?, city?, country?, role?, notes?, tags? } |
| PATCH | /contacts/{id} | org:write:contacts | Full contact representation |
| POST | /resource-bookings | org:write:bookings | { resourceId, title, startAt, endAt, notes? } |
| PATCH | /resource-bookings/{id}/cancel | org:write:bookings | No body required |
| POST | /productions/{id}/checklist | org:write:checklist | { label } |
| PATCH | /productions/{id}/checklist/{itemId} | org:write:checklist | { done?: boolean } |
| POST | /member-requests | org:write:requests | { membershipId, type, subject, body?, startDate?, endDate? } |
The organization is always taken from your key. A foreign id in any write returns 404.
Webhooks
Register endpoints in Settings -> API & webhooks. Choose event types. A per-endpoint signing secret is shown once.
Payloads carry this signature header:
X-Kalinklo-Signature: sha256=<hex HMAC-SHA256 of the raw body using your signing secret>Payload shape:
{
"id": "evt_...",
"type": "production.created",
"createdAt": "2026-...",
"data": {}
}Event types:
production.createdproduction.updatedservice.updatedmember_request.createdmember_request.updatedresource_booking.createdresource_booking.cancelledtour.updatedreport.generatedchecklist_item.completedengagement.updated
Delivery status in v1
v1 records and signs webhook deliveries. It does not make live outbound HTTP calls to your URL yet.
Each emitted event creates a signed delivery with status PENDING that you can inspect in the delivery log. The Send test button records a SIMULATED delivery. Live outbound delivery with retries and egress controls is a future step, so do not depend on receiving live HTTP callbacks in v1.
Currently emitted events:
production.createdproduction.updatedresource_booking.createdresource_booking.cancelledmember_request.createdchecklist_item.completed
Reserved event types can be subscribed to, but their emit points are not all wired yet. The settings UI marks reserved events.
Not included in v1
Org API v1 does not include dangerous writes such as deleting organizations or members, payroll mutation, contract signing, payments, real email sends, permission changes, API-key management through the API, live webhook delivery, OAuth2 app authorization, GraphQL, or engagement and financial data.