For developers · REST API
App API
A REST API for building kailenty into your own apps and integrations — invites, meetings, labels, and users — secured by the same Microsoft 365 identity and roles your team already signs in with.
Overview
The App API is the external integration surface for kailenty. Every endpoint is prefixed /api/v1/app on your workspace host. It is separate from the dashboard’s internal API but serves the same data and honours the same roles.
Responses are JSON wrapped in a { success, data } envelope. The full contract is published as an OpenAPI 3.1 document, with an interactive Swagger explorer at /api/docs.
Building for an AI agent instead of an app? The MCP server exposes the same workspace as self-describing tools over the Model Context Protocol.
# Fetch the machine-readable OpenAPI 3.1 document
curl https://<workspace>.kailenty.com/api/v1/app/openapi.jsonAuthentication
Authenticate with an API key (recommended for external apps) or a bearer token — a kailenty JWT, a Microsoft access token, or an API key passed as a bearer. API keys inherit the role and permissions of the admin who created them, and are created and revoked under Settings → API Keys in the dashboard.
# API key — recommended for server-to-server integrations
curl https://<workspace>.kailenty.com/api/v1/app/invites \
-H "X-API-Key: <api-key>"# Or a bearer token: a kailenty JWT, a Microsoft access token, or an API key
curl https://<workspace>.kailenty.com/api/v1/app/invites \
-H "Authorization: Bearer <token>"API keys
Send X-API-Key with each request. Keys are scoped to the workspace and inherit their creator’s role.
Bearer tokens
Pass Authorization: Bearer for a kailenty JWT, a Microsoft token, or an API key.
Role-scoped
Regular users act on their own data; some endpoints are reserved for managers and admins.
Conventions
The same envelope, pagination, sorting, and filtering rules apply across every list and write endpoint.
Response envelope
Every response is JSON wrapped in { success, data }. Errors set success:false with error, message, and requestId.
Pagination
List endpoints accept page (0-based) and pageSize (1–100). List payloads include a total count.
Sorting
Rank multiple keys with sort=field:asc,field:desc. The legacy sortBy + sortDir pair still works.
Filtering
Pass comma-separated IDs to filters like recruiterUserIds, attendeeUserIds, and labelIds.
{
"success": true,
"data": { /* endpoint-specific payload */ }
}Invites
Create and manage scheduling invites — direct invites, multi-use mother invites, and the sub-invites issued from them.
- GET
/api/v1/app/invitesList invites visible to you. Returns root invites by default; filter, sort, and paginate with query parameters.
- POST
/api/v1/app/invitesCreate a direct invite or a multi-use mother invite.
- GET
/api/v1/app/invites/{inviteId}Fetch one invite's configuration and its booking, if any.
- PATCH
/api/v1/app/invites/{inviteId}Update an active mother or direct invite. Sub-invites inherit from the mother and cannot be edited.
- GET
/api/v1/app/invites/{inviteId}/sub-invitesList the sub-invites issued from one mother invite.
- POST
/api/v1/app/invites/{inviteId}/sub-invitesIssue a candidate sub-invite from an active multi-use mother invite.
# Create a multi-use mother invite
curl -X POST https://<workspace>.kailenty.com/api/v1/app/invites \
-H "X-API-Key: <api-key>" \
-H "Content-Type: application/json" \
-d '{
"allowMultipleBookings": true,
"publicLinkValue": "product/demo",
"requiredAttendees": [{ "type": "users", "userIds": ["<user-id>"] }],
"candidates": [],
"voteDeadlineAt": "2026-07-01T00:00:00.000Z",
"meeting": { "meetingDurationMinutes": 30, "title": "Product demo" }
}'Meetings
List bookings, create meetings directly in Outlook and Teams, reschedule them, and check attendee availability.
- GET
/api/v1/app/meetingsList calendar bookings visible to you within a date range, with per-recruiter stats.
- POST
/api/v1/app/meetingsCreate a meeting directly in Outlook and Teams without sending an invite. Up to 20 participants.
- PATCH
/api/v1/app/meetings/{bookingId}Reschedule or edit a booked meeting. Changing the host is manager/admin only and recreates the event.
- PATCH
/api/v1/app/meetings/{bookingId}/attendeesUpdate a meeting’s optional attendees; required attendees stay unchanged.
- POST
/api/v1/app/meetings/{bookingId}/availabilityCheck whether the given users are free for a proposed time window.
Labels
List, create, and delete the attendee-group labels used to route invites and meetings.
- GET
/api/v1/app/labelsManagers & adminsList all labels in the workspace.
- POST
/api/v1/app/labelsAdminsCreate a label with a name, color, and description.
- DELETE
/api/v1/app/labels/{id}AdminsDelete a label. Returns 409 if it is still assigned to users or used in invites.
Users
Read the workspace user directory and manage the labels assigned to each account.
- GET
/api/v1/app/usersAdminsList users in the workspace with their assigned labels.
- PUT
/api/v1/app/users/{id}/labelsAdminsReplace a user's labels with the supplied list of label IDs.
Errors
Failed requests return a non-2xx status with a success: false envelope. The requestId is safe to quote in a support request.
400Validation error — the request body or query failed a schema check.401Unauthorized — the API key or bearer token is missing or invalid.403Forbidden — your role is not allowed to perform this action.404Not found — the invite, meeting, user, or label does not exist.409Conflict — e.g. deleting a label that is still in use.
{
"success": false,
"error": "Validation failed",
"message": "voteDeadlineAt must be in the future",
"requestId": "req_..."
}Security
Requests are workspace-scoped by the API key or token, and each tenant is isolated — credentials issued for one workspace are rejected everywhere else. Within a workspace, what a request can see and do follows the role behind the credential: regular users act only on their own invites and meetings, while listing users, managing labels, and reassigning meeting hosts are reserved for managers and admins.
API keys inherit the role and permissions of the admin who created them, so treat them like passwords: store them as secrets, scope integrations narrowly, and rotate or revoke a key from Settings → API Keys the moment it is no longer needed. Requests share the dashboard’s rate limits.