Versioned base path
/api/v1
Public integrations use stable, versioned resource routes.
A cleaner developer portal for the Passinstance REST API: versioned routes, secure auth, webhooks, and an OpenAPI-powered reference for production wallet pass workflows.
OpenAPI
1.0.0
Endpoints
17
Response format
JSON
PRODUCTION_BASE_URL=https://api.passinstance.com/api/v1
STAGING_BASE_URL=https://staging-api.passinstance.com/api/v1curl --request POST \
--url https://api.passinstance.com/api/v1/passes \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{
"templateId": "tpl_abcdef1234567890",
"serialNumber": "ORDER-1001",
"fields": {
"memberName": { "label": "Member", "value": "Jane Doe" },
"tier": { "label": "Tier", "value": "Gold" }
},
"barcodeFormat": "qr",
"barcodeMessage": "ORDER-1001-GOLD"
}'Versioned base path
Public integrations use stable, versioned resource routes.
Auth modes
Send credentials only from trusted server-side environments.
Abuse protection
Clients should back off when retry guidance is returned.
Availability
Use dashboard and support channels for operational status.
API surface
The reference is generated from the bundled OpenAPI spec and grouped by the same resources exposed by the API project.
Create, update, void, delete, and download wallet passes.
Keep wallet structure, branding, pass type, and colors reusable.
Subscribe downstream systems to pass and template events.
Trigger wallet updates and customer-facing pass notifications.
Group related passes for campaign, order, or event workflows.
Run high-volume pass operations and poll job state.
Quickstart
Use the dashboard for credentials and certificates, then automate pass issuance and updates through the API.
POST /templatesDefine the pass type, organization fields, colors, and wallet identity once.
POST /passesSend customer-specific fields, barcode payloads, relevant dates, and expiry.
PUT /passes/{id}Update pass fields, void stale passes, and rely on wallet update delivery.
POST /webhooksRegister HTTPS receivers and handle duplicate deliveries idempotently.
const response = await fetch("https://api.passinstance.com/api/v1/passes", {
method: "POST",
headers: {
Authorization: `Bearer ${process.env.PASSINSTANCE_TOKEN}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
templateId: "tpl_abcdef1234567890",
serialNumber: "ORDER-1001",
fields: {
memberName: { label: "Member", value: "Jane Doe" },
tier: { label: "Tier", value: "Gold" },
},
barcodeFormat: "qr",
barcodeMessage: "ORDER-1001-GOLD",
}),
});
if (!response.ok) {
throw new Error(`Pass creation failed: ${response.status}`);
}
const pass = await response.json();import os
import requests
response = requests.post(
"https://api.passinstance.com/api/v1/passes",
headers={
"Authorization": f"Bearer {os.environ['PASSINSTANCE_TOKEN']}",
"Content-Type": "application/json",
},
json={
"templateId": "tpl_abcdef1234567890",
"serialNumber": "ORDER-1001",
"fields": {
"memberName": {"label": "Member", "value": "Jane Doe"},
"tier": {"label": "Tier", "value": "Gold"},
},
"barcodeFormat": "qr",
"barcodeMessage": "ORDER-1001-GOLD",
},
timeout=15,
)
response.raise_for_status()
pass_object = response.json()Keep tokens and API keys in your server environment. Browser clients should call your backend, not the Passinstance API directly.
Authentication
The API supports bearer authentication and API-key authentication. Keep secrets in your backend, send JSON bodies, and expose only wallet download links or PassFlow URLs to client devices.
Use for user-context operations from trusted backend services.
Authorization: Bearer <access_token>Use for service-to-service connectors where a stable integration identity is needed.
X-API-Key: <api_key>Webhooks
Configure a receiver URL, subscribe to pass and template events, verify signatures, and return a successful response only after the event is safely queued or processed.
pass.createdpass.updatedpass.voidedtemplate.createdcurl --request POST \
--url https://api.passinstance.com/api/v1/webhooks \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{
"url": "https://your-app.example/webhooks/passinstance",
"events": ["pass.created", "pass.updated", "pass.voided"],
"secret": "<webhook_secret>"
}'Production readiness
Design clients that keep credentials private, handle validation errors cleanly, retry conservatively, and process duplicate webhook deliveries safely.
Use HTTPS endpoints and keep API keys server-side only.
Handle 401, 403, 404, 422, 429, and 5xx responses explicitly.
Respect documented retry guidance before sending follow-up requests.
Generate stable serial numbers and keep idempotency keys in your own system.
Store webhook event ids and process duplicate deliveries safely.
Use staging before switching clients to the production base URL.
HTTP/1.1 429 Too Many Requests
Retry-After: <seconds>
{
"error": "Too Many Requests",
"message": "Retry after the indicated delay"
}if (response.status === 429 || response.status >= 500) {
wait(response.headers.get("Retry-After") ?? nextBackoffDelay())
retryRequest()
}Reference
Passinstance API exposes 17 documented operations. Copy the base URL once, then append the resource path shown below.
Production
https://api.passinstance.com/api/v1Staging
https://staging-api.passinstance.com/api/v117 of 17 operations shown
/batchCreate batch operation
Auth/batch/{id}Get batch operation status
Auth/bundlesGet all bundles
Auth/bundlesCreate a bundle
Auth/passesGet all passes
Auth/passesCreate a new pass
Auth/passes/{id}Delete a pass
Auth/passes/{id}Get a specific pass
Auth/passes/{id}Update a pass
Auth/passes/{id}/voidVoid a pass
Auth/push-notificationsGet all notifications
Auth/push-notificationsSend a push notification
Auth/templatesGet all templates
Auth/templatesCreate a new template
Auth/templates/{id}Get a specific template
Auth/webhooksGet all webhooks
Auth/webhooksCreate a webhook
AuthStart with staging credentials, validate one pass end to end, then enable production credentials and webhook receivers for your rollout.
We use analytics cookies to understand how visitors use this site and improve it. No personal data is sold. Cookie settings