v4/Mosler Direct

Mosler Direct — Overview

Mosler Direct is Mosler's first-party integration surface. If you own your booking flow — a custom app, a booking engine, or an in-house property system — Mosler Direct is how you wire it to the locks. You shape one simple payload and POST it to a single URL; Mosler handles guest resolution, room lookup, and credential provisioning from there.

Unlike a PMS integration — where your existing PMS dictates the payload and Mosler adapts to it — with Mosler Direct you control the request shape, so it stays small and predictable. Mosler Direct can also deliver the credential straight to your guest over Mosler's WhatsApp/email channel, so credential delivery is optional work for you.

The integration loop

1. Map locations        GET  /api/v4/location/all
   (once, then on change)   → learn your room references

2. Create a booking     POST /webhook/t/:token
                            → 202 { eventId }   access provisioned async

3a. Pull the credential GET  /api/v4/bookings/:referenceId/access
        — or —
3b. Receive it pushed   Mosler → your callback URL  (and/or → guest via WhatsApp/email)

Step 1 is covered in Mapping Locations, step 2 in Creating Bookings, step 3a in Retrieving Access, and step 3b in Delivering Access.

Base URLs

Environment	Webhook (ingest)	API (locations & access)
Production	`https://webhook.mosler.in`	`https://api.mosler.in`
Staging	`https://webhook.dev.k8.mosler.in`	`https://api.dev.k8.mosler.in`

Authentication

Mosler Direct uses two credentials depending on the surface you're calling.

Sending bookings — token URL (recommended)

Booking events are sent to a tokenized URL. The token encodes your company, site, and provider, so the request needs nothing else — paste the full URL into your system and you're done.

POST https://webhook.mosler.in/webhook/t/<your-token>

Tokens are issued from the Mosler Admin portal. Treat the URL as a secret — anyone with it can submit booking events for your site.

Sending bookings — header auth (alternative)

If you'd rather not put the credential in the URL, post to the provider endpoint and pass identifiers as headers:

POST https://webhook.mosler.in/webhook/generic
apikey:        YOUR_API_KEY
X-Company-Id:  <company id>
X-Site-Id:     <site id>

Reading locations & access — API key

The Location and Access APIs authenticate with your company-scoped API key in the apikey header. This key can only read data belonging to your company.

apikey: YOUR_MOSLER_API_KEY

Response envelope (API)

The Location and Access APIs return Mosler's standard envelope:

{
    "message": "Human-readable status message",
    "code": 7000,
    "error": false,
    "data": {}
}

The webhook ingest endpoint instead returns 202 Accepted with { success, eventId, status } — see Creating Bookings.

Pages in this section

Page	Purpose
Mapping Locations	Read your Site → Bed hierarchy and learn the room references to send
Creating Bookings	Send create / update / cancel events and track them
Retrieving Access	Pull a booking's credentials (passcode, mobile key, card, remote)
Delivering Access	Receive credentials pushed to your callback or sent to the guest