Docs & API

Preview · API not yet live. These docs describe the EntryRate API as it will ship in v3.0 (target Q3 2026). Endpoints under api.entryrate.co.uk currently return 404. SDKs are not yet published. Use this page to evaluate the shape of the integration; production access opens with v3.0.

Everything you can build on top of EntryRate — REST API, webhooks, an embeddable widget, and JavaScript SDK. Stable from v3.0; semver from there on.

Quickstart

Every promoter account gets an API key in the dashboard at Settings → API keys. Authenticate every request with a Bearer token. Production base URL:

// Base URL
https://api.entryrate.co.uk/v1

// First request
curl https://api.entryrate.co.uk/v1/events \
  -H "Authorization: Bearer er_live_••••••••"

Sandbox: use a key prefixed er_test_ from the dashboard's "Test mode" toggle. Sandbox events never hit Stripe live and never appear on the storefront.

Authentication

All endpoints require a Bearer token. Keys are scoped per-promoter; admin scopes available for multi-promoter agencies on the Network tier.

Header	Value	Required
`Authorization`	`Bearer er_live_…`	Yes
`Idempotency-Key`	any UUID v4	For `POST`
`EntryRate-Version`	`2026-04-25`	Recommended

Errors & rate limits

Standard HTTP status codes. Errors return JSON with a stable code and a human message.

{
  "error": {
    "code":    "event.tier_oversold",
    "message": "Tier 'Early bird' has 0 left.",
    "docs":    "https://entryrate.co.uk/docs#errors"
  }
}

Rate limits: 200 req / 15 min globally, 20 req / hour on auth-adjacent paths. 429 includes Retry-After in seconds. Webhooks bypass rate limits.

Events

Create, read, update and publish events. Publishing toggles cross-listing to the consumer storefront in the same call.

GET/v1/events

Paginated list of your events. Filters: status, cityId, from, to, q.

POST/v1/events

Create a new event. Returns the created object with a generated slug.

GET/v1/events/:id

Fetch an event by id or slug. Includes nested tiers[] and scans count.

POST/v1/events/:id/publish

Publishes the event. Pass { network: false } to opt out of storefront cross-listing.

Example · create & publish

curl -X POST https://api.entryrate.co.uk/v1/events \
  -H "Authorization: Bearer er_live_••" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: 8f0e5a2c-…" \
  -d '{
    "title":  "Mura Masa · UK tour",
    "venueId":"vn_strange_brew",
    "doors":  "2026-05-02T19:00:00Z",
    "tiers": [
      { "name":"Early bird", "price":1200, "stock":200 },
      { "name":"Standard",   "price":1800, "stock":200 }
    ]
  }'

Orders

GET/v1/orders

All orders across your events. Filters: eventId, status, buyerEmail, paginated.

GET/v1/orders/:id

Single order with nested tickets, payment status, refund history.

POST/v1/orders/:id/refund

Refund whole or partial. Pass { amount?: cents }; defaults to full.

Tickets & scans

POST/v1/scans

Validate a QR payload. Returns { valid, ticket, scannedAt }. Use sub-200ms.

GET/v1/tickets/:id

Single ticket — useful for door-staff "look up by name" mode.

QR rotation: when an event has rotatingQr: true, payloads encode an HMAC over (ticketId, windowStart). Validation is timing-safe.

Payouts

GET/v1/payouts

Stripe Connect payouts. Filters: status, arrivalFrom, arrivalTo.

GET/v1/payouts/:id

Single payout with itemised ledger (gross, platform fee, processing fee, refunds, net).

Payouts are read-only via API. Stripe owns the schedule — initiate any non-routine adjustment from the dashboard or contact support.

Webhooks

Subscribe to events at Settings → Webhooks. We sign every payload with HMAC-SHA256 in the EntryRate-Signature header.

Event	Fires when
`order.completed`	Buyer's payment intent succeeds, tickets issued.
`order.refunded`	Refund processed (full or partial).
`scan.recorded`	Door scan accepted (deduplicated server-side).
`payout.paid`	Stripe Connect payout cleared into your bank.
`event.published`	Event went live (across EntryRate and/or the consumer storefront).

// Verifying a webhook (Node)
const sig = req.headers['entryrate-signature'];
const expected = crypto
  .createHmac('sha256', process.env.WEBHOOK_SECRET)
  .update(req.rawBody)
  .digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
  return res.status(400).end();
}

Embed widget

Drop a checkout into your existing site with three lines. The widget inherits your event's tier list and posts back to Stripe directly — no servers between you and the buyer.

<!-- On your site -->
<script src="https://entryrate.co.uk/widget.js" async></script>
<div data-entryrate-event="evt_mura_masa_bristol"></div>

Works in iframe, modal or inline modes. Customise via data attributes: data-mode="modal", data-theme="light", data-tier="early-bird" for direct-to-tier links.

SDKs

Official clients with typed responses, retries, and pagination helpers. All open-source.

Language	Package	Status
JavaScript / TypeScript	`@entryrate/sdk`	Stable · v1.4
Python	`entryrate`	Stable · v0.9
PHP	`entryrate/entryrate-php`	Beta
Ruby	`entryrate`	Planned

// JavaScript
import { EntryRate } from '@entryrate/sdk';

const er = new EntryRate(process.env.ER_KEY);

const events = await er.events.list({ status: 'live' });
for (const evt of events.data) {
  console.log(evt.title, evt.lowestPrice);
}