PRIMA
Security & reliability

A closed platform, audited at the token level.

Every key is scoped to its account, every booking is partitioned, and we audit-log access at the token level. We protect venues, guests, and platform economics by limiting what any partner can see.

What we deliberately don't expose

The boundary is the product.

  • Other partners' bookings, guests, or keys
  • Concierge or venue-side admin endpoints (commission configuration, payouts, etc.)
  • Aggregate platform analytics or competitor performance
  • Bulk export of the venue database for republication outside the integration

Documentation, OpenAPI specs, and interactive playgrounds are not published outside of approved partner accounts.

Reliability, security & compliance

The boring fundamentals, done correctly.

  • Authentication

    Bearer tokens over HTTPS only. Each key is scoped to a single partner account with partner-only permissions.

  • Revocable keys

    Tokens are revocable at any time from the partner dashboard or by PRIMA admins. Last-used timestamps make it easy to spot unused or compromised keys.

  • Rate limits

    Account endpoints: 60 requests / minute / user. Booking and read endpoints follow our standard API tier. Higher limits are available for enterprise partners.

  • Payments

    All card data flows through Stripe — PRIMA never sees raw PANs. Stripe-managed PCI scope.

  • Webhooks

    Booking status change webhooks are available for enterprise partners — talk to us if your integration depends on push notifications.

  • Versioned API

    All endpoints are v1-stable. Breaking changes ship behind new versions with a deprecation window.

Trust posture

Want the security memo for your team?

We can share a tailored security overview ahead of your discovery call.

Request partner access

Replies within two business days