API Reference
Build on GlowScript
A RESTful API designed for developers who need to integrate with med spa workflows. Manage clients, appointments, services, and analytics programmatically — all with HIPAA-grade security built in.
Architecture: REST
Authentication: OAuth 2.0
Response format: JSON
Transport security: TLS 1.2+
Authentication
Secure by default
Every API request is authenticated via OAuth 2.0 bearer tokens. API keys are scoped to a single practice and respect the same role-based access controls as the application UI. All traffic is encrypted with TLS 1.2 or higher.
OAuth 2.0 Bearer Tokens
Authenticate with short-lived access tokens issued via the client credentials flow. Tokens are scoped to a specific practice and expire after one hour.
Role-Based Scoping
API keys inherit the permissions of the role they are assigned to. A key with "staff" scope cannot access admin-level endpoints like team management or billing.
Audit Logging
Every API call is logged with the requesting key, timestamp, endpoint, and response status. Logs are retained for six years per HIPAA requirements.
Endpoints
Everything your integration needs
Clients
Create, read, update, and search client records. Retrieve contact details, treatment history, membership status, and health scores.
GET · POST · PATCH · DELETE
Appointments
Schedule, reschedule, and cancel appointments. Query by date range, provider, service, or status. Trigger automated reminders.
GET · POST · PATCH · DELETE
Services
List available treatments with pricing, durations, and categories. Manage service catalog and provider assignments.
GET · POST · PATCH
Products & Inventory
Manage retail products, track stock levels, and receive low-stock alerts. Update quantities and pricing in real time.
GET · POST · PATCH
Analytics & Reports
Pull revenue reports, provider performance metrics, client retention data, and service popularity breakdowns for any date range.
GET
Webhooks
Subscribe to real-time events: appointment booked, client created, payment received, consent signed. Deliver to any HTTPS endpoint.
GET · POST · DELETE
Developer Experience
Predictable and reliable
Rate Limits
Professional plans include 1,000 requests per minute with burst capacity to 2,000. Enterprise plans offer custom limits. Rate limit headers are included in every response so your integration can adapt in real time.
Pagination
All list endpoints support cursor-based pagination with configurable page sizes. Response headers include total count and next/previous cursor values for efficient traversal of large datasets.
Error Handling
Consistent error responses with machine-readable error codes, human-readable messages, and field-level validation details. Standard HTTP status codes with no surprises.
Versioning
API versioning via URL path (v1, v2). Breaking changes are introduced in new major versions only. Previous versions remain supported for a minimum of 12 months after deprecation.
Quick Start
Up and running in minutes
Authenticate, make your first request, and start building. The API follows RESTful conventions with JSON request and response bodies, standard HTTP verbs, and predictable resource URLs.
Generate API credentials from Settings → Integrations
Exchange credentials for a bearer token
Include the token in the Authorization header
Make requests to any endpoint your role permits
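Putting the four steps together, as an added example that is not GlowScript's own SDK: a small Python client that exchanges client credentials for a bearer token, re-authenticates before the one-hour expiry, and walks the cursor-paginated appointments list. The token response fields, the `cursor` query parameter and the injected `http` transport are assumptions not documented on this page; a constructed fake server stands in for the API so the example runs offline.

```python
import time

# Added example, not GlowScript's own SDK. Assumed (not on the page): the token
# endpoint returns {"access_token", "expires_in"}; list endpoints take next_cursor
# back as a "cursor" query parameter; `http(method, url, headers, params, body)`
# is any injected transport returning the decoded JSON dict.
BASE = "https://api.glowscript.ai/v1"

class GlowScriptClient:
    def __init__(self, client_id, client_secret, http, clock=time.time):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._http, self._clock = http, clock
        self._token, self._expires_at = None, 0.0

    def _bearer(self):
        # Re-authenticate a minute before expiry so a long cursor walk never
        # sends a stale token (the page says tokens expire after one hour).
        if self._token is None or self._clock() >= self._expires_at - 60:
            resp = self._http("POST", f"{BASE}/auth/token", {}, None, self._creds)
            self._token = resp["access_token"]
            self._expires_at = self._clock() + resp["expires_in"]
        return self._token

    def list_appointments(self, date_from, date_to):
        """Yield every appointment in the range, following next_cursor to the end."""
        params = {"from": date_from, "to": date_to}
        while True:
            hdrs = {"Authorization": f"Bearer {self._bearer()}"}
            page = self._http("GET", f"{BASE}/appointments", hdrs, params, None)
            yield from page["data"]
            cursor = page["pagination"].get("next_cursor")
            if not cursor:
                return
            params = {**params, "cursor": cursor}

# Constructed stand-in for the API so the example runs offline: two pages of
# appointments, and a token accepted only while it is the latest one issued.
def make_fake_server(clock):
    state = {"issued": 0, "expires": 0.0}
    pages = {None: {"data": [{"id": "apt_abc123"}], "pagination": {"next_cursor": "c2"}},
             "c2": {"data": [{"id": "apt_def456"}], "pagination": {"next_cursor": None}}}
    def http(method, url, headers, params, body):
        if url.endswith("/auth/token"):
            state["issued"] += 1
            state["expires"] = clock() + 3600
            return {"access_token": f"tok{state['issued']}", "expires_in": 3600}
        if headers.get("Authorization") != f"Bearer tok{state['issued']}" or clock() >= state["expires"]:
            raise PermissionError("401: missing, stale or expired bearer token")
        return pages[params.get("cursor")]
    return http, state
```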
Example Request
# Authenticate
curl -X POST https://api.glowscript.ai/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{"client_id": "...", "client_secret": "..."}'
# List upcoming appointments (date range sent as query parameters; -G keeps
# the request a GET, since -d on its own would turn it into a POST)
curl -G https://api.glowscript.ai/v1/appointments \
  -H "Authorization: Bearer <token>" \
  --data-urlencode "from=2026-03-13" \
  --data-urlencode "to=2026-03-20"
# Response
{
  "data": [
    {
      "id": "apt_abc123",
      "client": "...",
      "service": "Hydrafacial",
      "provider": "...",
      "scheduled_at": "2026-03-14T10:00:00Z",
      "status": "confirmed"
    }
  ],
  "pagination": {
    "total": 24,
    "next_cursor": "..."
  }
}
HIPAA-compliant by design
The API enforces the same encryption, access controls, and audit logging as the application UI. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). PHI is never cached, logged in plaintext, or exposed in error messages. Your BAA covers API access.
Ready to integrate?
Join the waitlist for early API access. We will work with you to ensure your integration is production-ready before launch.