Skip to content

Public booking API

The anonymous booking API is /book/api.php. It resolves active calendars through active booking-link slugs and uses the same availability/double-booking engine as Dial Dozer.

Terminal window
curl --fail-with-body \
"https://app.dialdozer.com/book/api.php?action=slots&s=solar-consult"
{
"ok":true,
"slots":[{"epoch":1784300400,"label":"Fri Jul 17, 10:00 AM – 10:30 AM","dayKey":"2026-07-17","day":"Fri 7/17","time":"10:00 AM","remaining":1}],
"tz":"America/Phoenix",
"name":"Solar consultations"
}

s may be supplied as s or slug in query/body. Slot listing is not booking-rate-limited. Unknown links currently return HTTP 200 with ok:false, error:"unknown_link", and an empty slots array.

Terminal window
curl --fail-with-body -X POST \
"https://app.dialdozer.com/book/api.php?action=book" \
-H "Content-Type: application/json" \
-d '{"slug":"solar-consult","epoch":1784300400,"name":"Maya Chen","phone":"+1 602 555 0142","email":"maya@example.com"}'
{"ok":true,"appt_id":731,"label":"Fri Jul 17, 10:00 AM – 10:30 AM"}

epoch must be a future Unix timestamp, and name/phone must be non-empty. Phone lookup uses last 10 digits across the installation. If no lead matches, the endpoint creates one only when COMMS_INBOUND_LIST_ID is configured. Invalid email is silently emptied. Calendar availability and concurrency checks can return engine errors such as slot_unavailable.

Terminal window
curl --fail-with-body -X POST \
"https://app.dialdozer.com/book/api.php?action=reschedule" \
-H "Content-Type: application/json" \
-d '{"token":"customer-reschedule-token","epoch":1784386800}'
{"ok":true,"appt_id":731,"epoch":1784386800}

The token is an appointment-specific capability and should be treated as a secret. It may also be supplied as r. Only pending appointments with a valid token can move to a validated slot.

Booking and rescheduling share a fixed 10 writes/hour limit per raw client IP; over-limit responses use JSON rate_limited but currently remain HTTP 200. Most validation failures also return HTTP 200. Unknown actions are the exception: HTTP 400 unknown_action. The endpoint does not require API keys, CAPTCHA, or an Origin allowlist, and lead matching is installation-global rather than organization-scoped. Avoid exposing arbitrary slugs/tokens and add edge abuse controls for high-traffic deployments.