Organization API
Copy page
The key-authenticated /api/v1/org/* API for servers and SDKs acting as the whole organization: list/create/revoke any pass, and list facilities. Scopes org:passes:* and org:facilities:read.
Updated
The organization API is the server-to-server data plane: endpoints for a backend or SDK acting as the whole organization rather than a single signed-in user. Authenticate with an organization API key and org:* scopes.
Base: https://entrybit.net · Auth: Authorization: Bearer eb_sk_… (or X-API-Key) · see Authenticating requests.
It mirrors the user-delegated passes API, but organization-wide: it lists and revokes any pass in the company, and adds a facilities endpoint SDKs need to create passes. Everything stays tenant-scoped — a key only ever touches its own organization’s data.
List all passes
GET /api/v1/org/passes?limit&cursor&searchScope: org:passes:read. Every non-deleted pass in the organization, keyset-paginated newest first. Rows include created_by (the inviting user’s id) for attribution.
Parameters: limit (1–100, default 30), cursor, search — see pagination.
curl "https://entrybit.net/api/v1/org/passes?limit=50" \
-H "Authorization: Bearer $ENTRYBIT_API_KEY"{
"success": true,
"items": [
{ "public_id": "gst_9f1c…", "first_name": "Dana", "status": "checked_in", "arrival_date": "2026-07-12", "facility_name": "North Gate", "created_by": 90210 }
],
"total": 340,
"next_cursor": "eyJpZCI6…",
"has_more": true
}The Pass object is identical to the user-delegated API. (The usage allowance block is a user-delegated concept and does not appear here.)
Create pass(es)
POST /api/v1/org/passes
Content-Type: application/jsonScope: org:passes:write. Creates 1–10 passes with the same request body, validation, quota, QR and delivery as POST /api/v1/passes. Attribution and the invite quota go to the admin who minted the key.
curl -X POST https://entrybit.net/api/v1/org/passes \
-H "Authorization: Bearer $ENTRYBIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"first_name": "Dana",
"email": "dana@example.com",
"arrival_date": "2026-07-12",
"facility_id": 42,
"quantity": 1
}'Returns 201 with the same PassCreateResponse shape (public_id, qr_values, pass_link, qr_sent, sms_sent, …). Errors: 400 validation, 402 quota, 404 facility not found, 409 facility deactivated or suspended.
Revoke any pass
DELETE /api/v1/org/passes/{public_id}Scope: org:passes:write. Cancels the pass and deactivates its QR credential — regardless of which user created it (still scoped to the key’s organization).
{ "success": true, "public_id": "gst_9f1c2ab34cd56ef7", "revoked": true }Returns 409 when the pass is no longer active, 404 when no such pass exists in the organization.
List facilities
GET /api/v1/org/facilitiesScope: org:facilities:read. The facility ids an SDK needs before it can create passes.
curl https://entrybit.net/api/v1/org/facilities \
-H "Authorization: Bearer $ENTRYBIT_API_KEY"{
"success": true,
"facilities": [
{ "id": 42, "name": "North Gate", "description": null, "is_active": true, "suspended": false }
]
}The Facility object
| Field | Type | Notes |
|---|---|---|
id | integer | Use as facility_id when creating passes. |
name | string | |
description | string | null | |
is_active | boolean | |
suspended | boolean | Suspended facilities pause new invites. |
Scope summary
| Endpoint | Scope |
|---|---|
GET /api/v1/org/passes | org:passes:read |
POST /api/v1/org/passes | org:passes:write |
DELETE /api/v1/org/passes/{public_id} | org:passes:write |
GET /api/v1/org/facilities | org:facilities:read |
Auth failures (401/403/429) follow the API-key challenge rules; business errors follow the error catalog.