Skip to content

Organization API

The key-authenticated /api/v1/org/* API for servers and SDKs acting as the whole organization: list/create/revoke any pass, and list facilities. Scopes org:passes:* and org:facilities:read.

Updated

The organization API is the server-to-server data plane: endpoints for a backend or SDK acting as the whole organization rather than a single signed-in user. Authenticate with an organization API key and org:* scopes.

Base: https://entrybit.net · Auth: Authorization: Bearer eb_sk_… (or X-API-Key) · see Authenticating requests.

It mirrors the user-delegated passes API, but organization-wide: it lists and revokes any pass in the company, and adds a facilities endpoint SDKs need to create passes. Everything stays tenant-scoped — a key only ever touches its own organization’s data.

List all passes

GET /api/v1/org/passes?limit&cursor&search

Scope: org:passes:read. Every non-deleted pass in the organization, keyset-paginated newest first. Rows include created_by (the inviting user’s id) for attribution.

Parameters: limit (1–100, default 30), cursor, search — see pagination.

curl "https://entrybit.net/api/v1/org/passes?limit=50" \
  -H "Authorization: Bearer $ENTRYBIT_API_KEY"
{
  "success": true,
  "items": [
    { "public_id": "gst_9f1c…", "first_name": "Dana", "status": "checked_in", "arrival_date": "2026-07-12", "facility_name": "North Gate", "created_by": 90210 }
  ],
  "total": 340,
  "next_cursor": "eyJpZCI6…",
  "has_more": true
}

The Pass object is identical to the user-delegated API. (The usage allowance block is a user-delegated concept and does not appear here.)

Create pass(es)

POST /api/v1/org/passes
Content-Type: application/json

Scope: org:passes:write. Creates 1–10 passes with the same request body, validation, quota, QR and delivery as POST /api/v1/passes. Attribution and the invite quota go to the admin who minted the key.

curl -X POST https://entrybit.net/api/v1/org/passes \
  -H "Authorization: Bearer $ENTRYBIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "first_name": "Dana",
    "email": "dana@example.com",
    "arrival_date": "2026-07-12",
    "facility_id": 42,
    "quantity": 1
  }'

Returns 201 with the same PassCreateResponse shape (public_id, qr_values, pass_link, qr_sent, sms_sent, …). Errors: 400 validation, 402 quota, 404 facility not found, 409 facility deactivated or suspended.

Revoke any pass

DELETE /api/v1/org/passes/{public_id}

Scope: org:passes:write. Cancels the pass and deactivates its QR credential — regardless of which user created it (still scoped to the key’s organization).

{ "success": true, "public_id": "gst_9f1c2ab34cd56ef7", "revoked": true }

Returns 409 when the pass is no longer active, 404 when no such pass exists in the organization.

List facilities

GET /api/v1/org/facilities

Scope: org:facilities:read. The facility ids an SDK needs before it can create passes.

curl https://entrybit.net/api/v1/org/facilities \
  -H "Authorization: Bearer $ENTRYBIT_API_KEY"
{
  "success": true,
  "facilities": [
    { "id": 42, "name": "North Gate", "description": null, "is_active": true, "suspended": false }
  ]
}

The Facility object

FieldTypeNotes
idintegerUse as facility_id when creating passes.
namestring
descriptionstring | null
is_activeboolean
suspendedbooleanSuspended facilities pause new invites.

Scope summary

EndpointScope
GET /api/v1/org/passesorg:passes:read
POST /api/v1/org/passesorg:passes:write
DELETE /api/v1/org/passes/{public_id}org:passes:write
GET /api/v1/org/facilitiesorg:facilities:read

Auth failures (401/403/429) follow the API-key challenge rules; business errors follow the error catalog.