API Reference

Hand-crafted docs for integrators building on the GreenFlow multi-brand car rental platform.

Demo API key — rotate yours

Base URL: https://greenflow.live/api/v1/

Authorization: Bearer gfc_7s2wprmy_DWTZRBGBEV6La4dTOoFdMkEhWmWCsXdwc3zVMnqP

Quick start

Three calls will take you from zero to a confirmed booking: list fleet, get a token, create the booking. Everything else (webhooks, coupons, tenant configuration) layers on top of this core flow.

1. Smoke-test your key

Hit GET /me to confirm the key resolves to your tenant. If this returns 401 the rest of the API will too.

bash

curl -s https://greenflow.live/api/v1/me \
  -H "Authorization: Bearer gfc_7s2wprmy_DWTZRBGBEV6La4dTOoFdMkEhWmWCsXdwc3zVMnqP"

2. List fleet for a date range

POST to POST /fleet/list with pickup/dropoff dates plus an office code, coordinates, or place UUID. Response contains one entry per bookable vehicle across all your enabled brands.

bash

curl -X POST https://greenflow.live/api/v1/fleet/list \
  -H "Authorization: Bearer gfc_7s2wprmy_DWTZRBGBEV6La4dTOoFdMkEhWmWCsXdwc3zVMnqP" \
  -H "Content-Type: application/json" \
  -d '{
    "pickup_location": "AACGH",
    "pickup_date": "2026-05-15", "pickup_time": "10:00",
    "dropoff_date": "2026-05-18", "dropoff_time": "10:00",
    "passenger_country_code": "BR", "passenger_age": 30,
    "brands": [11]
  }'

3. Reserve a car

Call POST /fleet/show with a vehicle from the previous step to mint a tokenc, then POST /bookings to confirm. The voucher PDF is emailed automatically.

Authentication

Pass your API key as Authorization: Bearer gfc_<prefix>_<secret> or equivalently X-API-Key: gfc_<prefix>_<secret>. Keys look like gfc_a3b1c2d4_... — the prefix is indexed, the secret is stored as sha256. Keys are scoped to a single tenant; cross-tenant access returns 404 (never 403).

HTTP	Body	Cause
401	{"message": "API key missing"}	No Authorization / X-API-Key header.
401	{"message": "Invalid API key"}	Hash mismatch, revoked or expired.

Versioning

All endpoints live under /api/v1/. Breaking changes ship under a new prefix (e.g. /api/v2/); v1 stays frozen except for bug fixes.

HTTP status codes

Standard REST semantics. Validation errors return 422 with a Laravel-shaped body. Authentication errors return 401. Cross-tenant or missing resources return 404. Upstream GDS errors surface as 422 with the provider message in error.message.

Rate limits

No explicit rate limit on the application layer today. Upstream proxies (Cloudflare, nginx) may rate-limit bursts. High-volume integrators should coordinate with the product team.

Locales

Pass X-Locale = en | es | pt to translate user-facing fields in the fleet payload. This also keys the cache: a pt request is cached separately from en.

bash

curl -X POST https://greenflow.live/api/v1/fleet/list \
  -H "Authorization: Bearer gfc_7s2wprmy_DWTZRBGBEV6La4dTOoFdMkEhWmWCsXdwc3zVMnqP" \
  -H "X-Locale: pt" \
  -H "Content-Type: application/json" \
  -d '{ "pickup_location": "AACGH", "pickup_date": "2026-05-15", "pickup_time": "10:00", "dropoff_date": "2026-05-18", "dropoff_time": "10:00", "passenger_country_code": "BR", "passenger_age": 30, "brands": [11] }'

Conventions

UTF-8 JSON only. ISO-8601 dates. ISO-3166-1 alpha-2 country codes. ISO-4217 currency codes. UUID v4 identifiers.

Accessory

Smaller endpoints that complement the core flow — typeahead, identity probes, brand catalog, locale switching. Some are real routes today; others are documented stubs for endpoints not yet exposed (each page calls out which is which).

Places — /places, /places/autocomplete, /places/search
Countries — reference data (no standalone endpoint yet)
Offices — surfaced via /places/search and /fleet/list internally
Brands — /tenancy/brands
Utility — /me, /ping, /sandbox/defaults, locale switching