
Authentication

Public API — No Authentication Required

All public API endpoints documented here require no authentication. There are no API keys, tokens, or headers needed. You can call these endpoints directly from any client — browser, server, or mobile app.

Public endpoints are identified by their URL path prefix:

/api/public/* — Scheduling & routing endpoints
/api/embed/* — Embed widget configuration

How User Identification Works

Instead of authentication tokens, public endpoints use URL-based identification via the user’s slug:

GET /api/public/scheduling/{userSlug}/{eventSlug}/slots
                            ^^^^^^^^   ^^^^^^^^^
                            identifies the scheduler and event type

The userSlug is a unique URL-safe identifier chosen by each Proximity user (e.g., jane-doe, acme-sales). The eventSlug identifies a specific event type (e.g., 30min-call, demo).

Abuse Prevention

Since public endpoints don’t require authentication, Proximity includes built-in abuse prevention mechanisms that hosts can configure per event type:

| Mechanism | Description |
| --- | --- |
| Rate limiting | IP-based limits on booking creation (see Rate Limits) |
| Honeypot field | Hidden form field to catch bots |
| CAPTCHA | Google reCAPTCHA or hCaptcha challenge |
| Email blocklist | Block bookings from specific email addresses or domains |
| Duplicate detection | Prevent the same email from booking the same slot |

Before showing a booking form, you can check which abuse prevention measures are active:

curl https://app.proximity.io/api/public/scheduling/jane-doe/30min-call/abuse-config
{ "enableHoneypot": true, "enableCaptcha": true, "captchaProvider": "recaptcha", "captchaSiteKey": "6Le..." }

If CAPTCHA is enabled, you must include a valid captchaToken in the booking request. If honeypot is enabled, include the honeypotValue field (it should be empty for legitimate submissions).
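The client-side flow described above, as an added example that is not Proximity's own code: it builds the abuse-config URL from validated slugs and derives the extra booking fields from the response. The slug pattern, the function names, and the shape of the `form` object are assumptions; `captchaToken` and `honeypotValue` are the field names given on this page.

```javascript
const BASE = "https://app.proximity.io/api/public/scheduling";

// Assumption: slugs are lowercase letters, digits and single hyphens, as in
// the page's examples (jane-doe, 30min-call). Rejecting anything else keeps
// "/", "..", "?" and "#" out of the request path.
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

function abuseConfigUrl(userSlug, eventSlug) {
  for (const s of [userSlug, eventSlug]) {
    if (typeof s !== "string" || !SLUG.test(s)) {
      throw new Error(`invalid slug: ${JSON.stringify(s)}`);
    }
  }
  return `${BASE}/${userSlug}/${eventSlug}/abuse-config`;
}

// Sample response copied from the page (site key is elided there too).
const SAMPLE_CONFIG = {
  enableHoneypot: true,
  enableCaptcha: true,
  captchaProvider: "recaptcha",
  captchaSiteKey: "6Le...",
};

// Map the abuse-config response plus the form state (hypothetical shape:
// { captchaToken, honeypotValue }) to the fields the booking request needs.
function abuseFields(config, form) {
  const fields = {};
  if (config.enableCaptcha === true) {
    if (typeof form.captchaToken !== "string" || form.captchaToken === "") {
      throw new Error("CAPTCHA is enabled: solve the challenge before booking");
    }
    fields.captchaToken = form.captchaToken;
  }
  if (config.enableHoneypot === true) {
    // Pass the hidden input through unchanged; it is empty for real users.
    fields.honeypotValue = form.honeypotValue ?? "";
  }
  return fields;
}

// Fetch the live configuration before rendering the booking form.
async function fetchAbuseConfig(userSlug, eventSlug) {
  const res = await fetch(abuseConfigUrl(userSlug, eventSlug));
  if (!res.ok) throw new Error(`abuse-config request failed: ${res.status}`);
  return res.json();
}
```

Merge the object returned by `abuseFields` into the booking request body; the booking endpoint itself is not shown here.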

Authenticated API (Internal)

The Proximity dashboard uses a separate authenticated API with JWT bearer tokens obtained via a magic-link email flow. This API is used for managing event types, teams, settings, and other administrative tasks. It is not documented here as it is intended for internal use only.
