BETA: AuraPOS is in active development. Not intended for critical production use.

Public REST API

AuraPOS exposes a public REST API at https://mon.aurapos.be/api/v1/* for external integrations (ERP, e-commerce, BI, analytics tools) to consume your data read-only.

Availability

Accessible from the AuraPOS web backend:

  • Included in Group and Restaurant Group editions
  • Optional €24/month for Express / Boutique / Studio / Restaurant single-site

Interactive Swagger documentation

The full OpenAPI 3.1 spec can be explored visually:

https://mon.aurapos.be/api/docs (clickable Swagger UI)

You can test each endpoint directly from the browser by pasting your API key.

Authentication

All requests require the header X-API-Key: ak_xxx...

Generate an API key

  1. Log in to https://mon.aurapos.be
  2. Navigate to Settings → API (Owner only)
  3. Click + New key
  4. Give it a name (e.g. "Make.com ETL prod") and a description
  5. Select necessary scopes (multi-select):
    • read:catalogue — access to products + families
    • read:clients — access to global customers + loyalty
    • read:tickets — access to tickets + lines (B2B invoices included)
    • read:promotions — access to promotions
  6. Click Generate key
  7. Immediately copy the displayed key (format ak_<64 hex chars>) — never visible again

Secure server-side storage

The cleartext key is never stored in the database. Only its SHA-256 hash is kept.

Revocation

From Settings → API, each key has a Revoke button that immediately deactivates the key.

Audit

Each key shows last_used_at and last_used_ip.

Rate limiting

60 requests/minute per API key. Sliding window, atomic Postgres counter.

Response headers:

  • X-RateLimit-Limit: 60
  • X-RateLimit-Remaining: 42
  • X-RateLimit-Reset: 1716567780 (Unix epoch)
  • Retry-After: 23 (only on HTTP 429)

Versioning

All routes are under /api/v1/. A future v2 will coexist without breaking existing integrations.

Available endpoints (v1)

GET /api/v1/produits

Scope: read:catalogue. Query: ?actif=true|false, ?limit=N (max 200), ?offset=M.

GET /api/v1/familles

Scope: read:catalogue. Identical pagination.

GET /api/v1/clients

Scope: read:clients.

⚠️ GDPR filter: email and telephone are masked (null / "") if the customer has NOT given marketing consent.

GET /api/v1/tickets

Scope: read:tickets. Query: ?debut=YYYY-MM-DD, ?fin=YYYY-MM-DD, ?facturesOnly=true, ?withLignes=true.

GET /api/v1/promotions

Scope: read:promotions. Filter ?actif=true|false.

curl examples

List active products

curl -H "X-API-Key: ak_xxx..." \
  "https://mon.aurapos.be/api/v1/produits?actif=true&limit=10"

Tickets from last week with lines

curl -H "X-API-Key: ak_xxx..." \
  "https://mon.aurapos.be/api/v1/tickets?debut=2026-05-10&fin=2026-05-16&withLignes=true"
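
For integrations that go beyond a one-off curl call, the following added example (not AuraPOS code) reads the key from the environment instead of the source, checks the ak_<64 hex chars> format, pages with ?limit/?offset and honours the rate-limit headers listed above. Assumptions: the variable name AURAPOS_API_KEY, the caller-supplied transport get(), and that a page shorter than the limit marks the end of the results.

```python
import os
import re
import time

KEY_RE = re.compile(r"ak_[0-9a-fA-F]{64}")  # documented format: ak_<64 hex chars>
MAX_LIMIT = 200                             # documented ceiling for ?limit

def load_key(env=os.environ, var="AURAPOS_API_KEY"):
    """Take the key from the environment (variable name is an assumption)."""
    key = env.get(var, "")
    if not KEY_RE.fullmatch(key):
        # Do not echo the value: a malformed key may still be a real secret.
        raise ValueError(f"{var} is unset or not of the form ak_<64 hex chars>")
    return key

def pause_for(status, headers, now):
    """Seconds to wait before the next request, from the documented headers."""
    if status == 429:
        return int(headers.get("Retry-After", 1))
    if int(headers.get("X-RateLimit-Remaining", 1)) <= 0:
        return max(0, int(headers.get("X-RateLimit-Reset", now)) - int(now))
    return 0

def fetch_all(get, path, limit=MAX_LIMIT, sleep=time.sleep, clock=time.time,
              max_retries=5):
    """Collect every row of a paginated endpoint.

    get(path_with_query) is a caller-supplied transport (assumption) that sends
    the X-API-Key header and returns (status, headers, rows).
    """
    limit = min(limit, MAX_LIMIT)
    sep = "&" if "?" in path else "?"     # keep filters such as ?actif=true
    rows, offset, retries = [], 0, 0
    while True:
        status, headers, page = get(f"{path}{sep}limit={limit}&offset={offset}")
        wait = pause_for(status, headers, clock())
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still rate limited after retries")
            sleep(wait)
            continue                      # retry the same offset
        if status != 200:
            raise RuntimeError(f"HTTP {status} on {path}")
        rows.extend(page)
        if len(page) < limit:             # short page: assumed to mark the end
            return rows
        offset, retries = offset + limit, 0
        sleep(wait)                       # 0 unless the window is exhausted
```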

Security best practices

  • One key per integration
  • Minimum scope: don't give read:tickets to a tool that only needs the catalog
  • Vault storage: in 1Password, AWS Secrets Manager, Doppler
  • Periodic rotation: rotate keys every 6 months
  • Monitor last_used_at: inactive key = revoke it

Typical use cases

  • ETL to data warehouse (Make, Zapier, Airbyte)
  • E-commerce sync: push catalog from AuraPOS to e-commerce platform
  • Custom BI dashboard (Power BI / Tableau / Metabase)
  • Email CRM: Mailchimp / Brevo for new customer campaigns
  • Automated accounting

Webhooks

For real-time notifications (instead of polling), see Webhooks.