API Reference
GoConverso exposes a REST API built on Supabase, giving you programmatic access to your bookings, services, clients, products, and more. Every action you can perform in the dashboard is also available through the API.
The GoConverso API follows RESTful conventions and returns JSON responses. All requests must be authenticated using either a JWT token or your project API key.
Base URL
All API requests are made to your Supabase project endpoint:
https://<project-id>.supabase.co/rest/v1/
For edge functions (webhooks, custom logic):
https://<project-id>.supabase.co/functions/v1/
Authentication
Every request must include authentication headers. GoConverso supports two methods:
| Method | Use case | Header |
|---|---|---|
| API Key | Server-to-server integrations | apikey: <your-anon-key> |
| JWT Token | User-scoped requests | Authorization: Bearer <jwt-token> |
Both headers should be included for most requests. The API key identifies your project, and the JWT token identifies the authenticated user.
curl -X GET "https://<project-id>.supabase.co/rest/v1/services" \
  -H "apikey: <your-anon-key>" \
  -H "Authorization: Bearer <jwt-token>" \
  -H "Content-Type: application/json"
Learn more in the Authentication guide.
Rate limits
GoConverso enforces rate limits to ensure platform stability:
| Tier | Requests per minute | Concurrent connections |
|---|---|---|
| Free | 60 | 5 |
| Plus | 300 | 20 |
| Pro | 1,000 | 50 |
| Max | 5,000 | 100 |
| Ultra | 10,000 | 200 |
When you exceed the rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait.
Response format
All successful responses return JSON with standard HTTP status codes:
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "created_at": "2026-01-15T10:30:00.000Z",
  "name": "Haircut",
  "price": 35.00,
  "duration": 30
}
Error responses follow a consistent structure:
{
  "code": "PGRST301",
  "message": "Row not found",
  "details": null,
  "hint": null
}
Row Level Security
GoConverso uses Supabase Row Level Security (RLS) on all tables. This means:
- Authenticated users can only access their own data
- Public endpoints (like booking pages) use the anon key with restricted policies
- Service role key bypasses RLS entirely — never expose this key in client-side code
Never expose your service_role key in frontend code or public repositories. This key bypasses all Row Level Security policies and grants full access to your database.
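One way to enforce this warning before a frontend build ships, as an added example that is not part of the GoConverso documentation: a scanner that decodes every JWT-shaped string in a file and flags those whose payload declares the `service_role` role. It assumes the project keys are JWT-format Supabase keys carrying a `role` claim; the function names and the sample bundle are constructed for illustration.

```javascript
// Added example: flag JWT-format keys whose payload says role = "service_role".
// Assumption: the project's keys are JWTs carrying a `role` claim.
const JWT_PATTERN = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g

// Decode the payload segment without verifying the signature.
// Returns null when the segment is not valid base64url-encoded JSON.
function decodePayload(token) {
  try {
    const segment = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')
    return JSON.parse(Buffer.from(segment, 'base64').toString('utf8'))
  } catch {
    return null
  }
}

// Scan file contents and report each embedded service_role key by position.
// The token itself is never returned, so the report cannot leak the key.
function findServiceRoleKeys(text) {
  const findings = []
  text.split('\n').forEach((line, i) => {
    for (const match of line.matchAll(JWT_PATTERN)) {
      const payload = decodePayload(match[0])
      if (payload && payload.role === 'service_role') {
        findings.push({ line: i + 1, column: match.index + 1, role: payload.role })
      }
    }
  })
  return findings
}

// Constructed sample tokens with a fake signature (not real credentials).
function makeToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`
}
const anonKey = makeToken({ iss: 'supabase', role: 'anon' })
const serviceKey = makeToken({ iss: 'supabase', role: 'service_role' })

// Constructed frontend bundle: line 2 is acceptable, line 3 must be flagged.
const sampleBundle = [
  "const url = 'https://<project-id>.supabase.co'",
  `const client = createClient(url, '${anonKey}')`,
  `const admin = createClient(url, '${serviceKey}')`,
].join('\n')

console.log(findServiceRoleKeys(sampleBundle))
```

Run it over build output in CI and fail the job when the returned list is non-empty.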
API sections
- Authentication: JWT tokens, API keys, OAuth providers, and session management.
- Bookings: Create, read, update, and cancel appointments programmatically.
- Services: Manage your service catalog, pricing, durations, and categories.
- Clients: Access your client database, booking history, and CRM data.
- Products: Manage your product catalog, variants, inventory, and pricing.
- Orders: Track e-commerce orders, service orders, and payment status.
- Webhooks: Receive real-time notifications for payments, bookings, and events.
- Edge Functions: Custom server-side logic for emails, payments, and integrations.
Quick example
Here is a complete example that fetches all services for the authenticated user:
import { createClient } from '@supabase/supabase-js'

// Client created with the anon key; requests are subject to Row Level Security
const supabase = createClient(
  'https://<project-id>.supabase.co',
  '<your-anon-key>'
)

// Sign in; on failure auth.user is null, so stop before using it
const { data: auth, error: authError } = await supabase.auth.signInWithPassword({
  email: 'you@example.com',
  password: 'your-password'
})
if (authError) {
  throw new Error(`Sign-in failed: ${authError.message}`)
}

// Fetch the signed-in user's services, newest first
const { data: services, error } = await supabase
  .from('services')
  .select('*')
  .eq('professional_id', auth.user.id)
  .order('created_at', { ascending: false })

if (error) {
  console.error('Error fetching services:', error.message)
} else {
  console.log('Services:', services)
}
Need help getting started? See the Authentication guide to obtain your API credentials.