How Blastnes connects to Lodgify
Every Blastnes module reaches Lodgify through the official Lodgify Public API v2. There is no scraping, no browser automation, no reverse-engineered endpoint. Below is a plain-language description of what we touch, how, and why. If you're an IT person auditing us before rolling this out to a portfolio, you should find everything you need here — and can email lucas@blastnes.org for anything you don't.
Authentication
Standard OAuth 2.0 authorisation code flow. When you sign in with your Lodgify Login, you're redirected to lodgify.com, you authenticate, you approve a consent screen listing scopes, and Lodgify issues Blastnes a scoped Public API token. The token expires every 30 days and rotates on refresh; revoking it from Lodgify (Settings → Integrations) immediately kills every Blastnes module without touching your Lodgify site.
The five endpoints we use
Every module touches one or more of these Lodgify Public API endpoints. The module's product page tells you exactly which ones it uses and whether it reads only or reads and writes.
Properties (/v2/properties, /v2/properties/{id})
Read-only for every module. Lists your units, their metadata (address, capacity, currency, tourist tax rules), and their rate plans. Used by Autopricer to know what the "unit" it prices is, by Cleaning Coordinator to know the property address, by every reporting module for grouping.
Bookings (/v2/bookings, /v2/bookings/{id})
Read for most modules, write only for Corporate Traveller Portal (which creates bookings directly). Used by Cleaning Coordinator (window between check-out and next check-in), Guest ID Verification (guest email + check-in date), Damage Deposit Manager (dates + Stripe customer), OTA Reconciliation (matching to statements), Nightly Revenue Report (yesterday's arrivals), Data Warehouse Bridge (delta ingest).
Availability (/v2/availability, /v2/availability/{unitId})
Read for Sync Sentinel and Nightly Revenue Report, read/write for Autopricer (writes prices per night) and Group Enquiry Router (writes tentative-status blocks). Migrated to the new /v2 endpoint in Q2 2026 — the "reason" field on blocked nights (booked, closed, cleaning, tentative) is now exposed.
Guests (/v2/guests, /v2/guests/{id})
Read-only. Used by Guest Message Templates (name + language preference), Guest ID Verification (email), Cleaning Coordinator (occasionally, for arrival notes). Never sent outside the EU without explicit setup by you.
Channels (/v2/channels, /v2/sync-status/{channel})
Read-only. Used exclusively by Sync Sentinel to watch the health of your channel connections. Post the Q2 2026 deprecation of the inventory-sync-completed webhook, Sync Sentinel now polls /v2/sync-status/{channel} every 60 seconds.
Rate limiting
Lodgify's Public API allows 600 requests/minute per authorised app per account. Blastnes uses an internal token pool with exponential back-off; if we hit a rate-limit response, the affected module falls back to a longer polling window and logs the delay in your account's Change Log. Sync Sentinel is deliberately shaped to never contribute to a rate-limit event — it can only surface one.
Security posture
All traffic uses TLS 1.3. Tokens are stored encrypted with AES-256 in a HashiCorp Vault instance in Scaleway Paris. Access to the vault is restricted to two named engineers (Lucas Bernard and Rafael Costa) with 2FA plus hardware-key required. Every token access is logged and reviewed monthly. Full DPA on the DPA page.