What is AtlasGuard?
AtlasGuard is a comprehensive API platform that connects businesses with professional executive protection and secure transport services worldwide. The Partner API lets you embed personal security services directly into your application with minimal development work.
The API is RESTful, uses JSON for all requests and responses, communicates over HTTPS, and authenticates every request with HMAC-SHA256 request signing.
Security Integration
Embed protection services with a few API calls.
Global Coverage
Access vetted professionals across dozens of countries.
Instant Booking
Rapid session creation with redirect-based checkout.
Real-Time Management
Status polling and webhook notifications.
Getting Started
Getting access to the AtlasGuard API involves four steps:
- 1
Request API Access
Submit an API Partnership Inquiry via the Get Started portal. Our technical team will review and provision a partner account.
- 2
Review Documentation
Read through the authentication guide and endpoint reference below. The demo environment at booking-api.atlasguard.net is publicly available for exploration.
- 3
Implement Integration
Use your provisioned API key and secret to sign requests. Start with the create-session endpoints in the demo environment.
- 4
Test and Go Live
Validate your integration end-to-end against the demo environment, then request production credentials from the AtlasGuard team.
Authentication
Every API request must include three headers: X-Api-Key, X-Timestamp, and X-Signature.
The signature is computed as HMAC-SHA256(api_secret, timestamp) where timestamp is a Unix epoch integer (seconds). Requests with a timestamp more than 5 minutes from the server clock are rejected to prevent replay attacks.
| Field | Type | Description |
|---|---|---|
| X-Api-Key* | string | Your partner API key. |
| X-Timestamp* | integer | Current Unix timestamp (seconds). Must be within ±5 minutes of server time. |
| X-Signature* | string | HMAC-SHA256 of the timestamp string, keyed by your API secret, hex-encoded. |
Partner Flow
The Partner Flow covers account provisioning. An admin creates a partner account via POST /api/admin/partner/create, receiving a partnerCode, apiKey, and apiSecret. These credentials are then used to sign all subsequent Booking API requests.
Webhooks are configured at the partner level. AtlasGuard sends signed POST notifications to your webhookUrl when booking status changes.
Booking Flow
The Booking Flow uses a redirect-based checkout model. Your backend creates a booking session, receives a redirectUrl, and sends your user there to complete the AtlasGuard booking form. Once complete, AtlasGuard redirects back to your returnUrl with the session ID.
Two session types exist: EP (Executive Protection) and ST (Secure Transport). Both use identical request schemas.
- Your server calls
POST /create-session/epor/st - AtlasGuard returns
bookingSessionIdandredirectUrl - You redirect the user to
redirectUrl - AtlasGuard redirects to your
returnUrlwhen done - Poll
GET /booking/status/{bookingSessionId}for confirmation - When payment is captured, call
POST /update-payment
Partner Integration
Partner accounts are provisioned by AtlasGuard admins. To create a partner programmatically (admin context only), use POST /api/admin/partner/create with admin credentials. Store the returned apiKey and apiSecret in your secret vault — they are shown once.
Configure your webhookUrl to receive status updates. AtlasGuard signs every webhook payload with your webhookSecret using HMAC-SHA256 and includes the result in the X-AtlasGuard-Signature header.
Webhook Verification
To verify an incoming webhook, compute HMAC-SHA256(webhookSecret, rawRequestBody) and compare it to the X-AtlasGuard-Signature header using a constant-time comparison. Always respond with HTTP 200 — AtlasGuard retries on non-200. See the code examples panel for Node.js and Python implementations.
Booking Integration
On each booking event in your platform, call POST /create-session/ep or /st from your server (never client-side, since this uses your API secret).
Pass a referenceId that maps to your internal booking record. This is echoed back in status and payment responses so you can reconcile without storing AtlasGuard session IDs in your primary keys.
Set up your webhook handler to process status transitions. Confirm receipt with HTTP 200; AtlasGuard retries on non-200 responses.
Partner API
/api/admin/partner/createCreate a new partner account
Creates a partner account and returns API credentials. Admin-only endpoint.
Request Body
| Field | Type | Description |
|---|---|---|
| partnerName* | string | Display name of the partner organization. |
| contactEmail* | string | Primary contact email for the partner account. |
| contactPhone | string | Contact phone number. |
| webhookUrl | string | URL to receive booking status webhook events. |
| webhookSecret | string | Secret used to sign webhook payloads (HMAC-SHA256). |
| allowedIpAddresses | string | CIDR notation of allowed source IPs, comma-separated. |
| rateLimitPerMinute | integer | Max API requests per minute. Defaults to 60. |
| expiresAt | string | ISO 8601 datetime when credentials expire. |
| notes | string | Internal notes for this partner. |
Response (200)
| Field | Type | Description |
|---|---|---|
| partnerId | string | Unique partner identifier (UUID). |
| partnerCode | string | Short partner code used in booking requests. |
| apiKey | string | API key — include in X-Api-Key header. |
| apiSecret | string | API secret — used to compute HMAC signatures. Store securely. |
| partnerName | string | Partner display name. |
| isActive | boolean | Whether the partner account is active. |
| webhookUrl | string | Configured webhook URL. |
| createdAt | string | ISO 8601 creation timestamp. |
| warning | string | Optional warning message (e.g., secret near expiry). |
/api/admin/partner/listList all partner accounts
Returns an array of all partner accounts. Admin-only endpoint.
Response (200) — PartnerInfoResponse[]
| Field | Type | Description |
|---|---|---|
| partnerId | string | Unique partner identifier. |
| apiKey | string | Partner's API key (not the secret). |
| partnerName | string | Display name. |
| contactEmail | string | Primary contact email. |
| isActive | boolean | Account active status. |
| webhookUrl | string | Webhook endpoint. |
| createdAt | string | Creation timestamp. |
| expiresAt | string | Credential expiry timestamp. |
| lastUsedAt | string | Last API call timestamp. |
Booking API
/api/partner/booking/create-session/epCreate Executive Protection booking session
Initiates an Executive Protection booking session. Returns a redirect URL to send your user to the AtlasGuard booking form.
Request Body
| Field | Type | Description |
|---|---|---|
| partnerCode* | string | Your partner code, received on account creation. |
| countryCode* | string | ISO 3166-1 alpha-2 country code for the mission location. |
| startDate* | string | Mission start date/time in ISO 8601 format (UTC). |
| endDate* | string | Mission end date/time in ISO 8601 format (UTC). |
| referenceId* | string | Your internal booking reference, echoed in all responses. |
| returnUrl* | string | URL to redirect the user to after booking completion. |
Response (200)
| Field | Type | Description |
|---|---|---|
| status | string | Initial booking status (typically "pending"). |
| bookingSessionId | string | Session ID for status polling and payment updates. |
| redirectUrl | string | URL to redirect your user to complete the booking. |
/api/partner/booking/create-session/stCreate Secure Transport booking session
Creates a Secure Transport (ST) session. Use for armored vehicle and chauffeur service bookings. Identical request and response schema to the EP endpoint.
Request Body
| Field | Type | Description |
|---|---|---|
| partnerCode* | string | Your partner code, received on account creation. |
| countryCode* | string | ISO 3166-1 alpha-2 country code for the mission location. |
| startDate* | string | Mission start date/time in ISO 8601 format (UTC). |
| endDate* | string | Mission end date/time in ISO 8601 format (UTC). |
| referenceId* | string | Your internal booking reference, echoed in all responses. |
| returnUrl* | string | URL to redirect the user to after booking completion. |
Response (200)
| Field | Type | Description |
|---|---|---|
| status | string | Initial booking status (typically "pending"). |
| bookingSessionId | string | Session ID for status polling and payment updates. |
| redirectUrl | string | URL to redirect your user to complete the booking. |
/api/partner/booking/status/{bookingSessionId}Get booking session status
Returns the current status and customer details for a booking session.
Path Parameters
| Field | Type | Description |
|---|---|---|
| bookingSessionId* | string | The booking session ID from the create-session response. |
Response (200)
| Field | Type | Description |
|---|---|---|
| bookingSessionId | string | The session ID. |
| status | string | Current status: pending | confirmed | completed | cancelled. |
| customer.name | string | Customer full name. |
| customer.email | string | Customer email. |
| customer.phone | string | Customer phone. |
/api/partner/booking/listList bookings
Returns all booking sessions associated with the authenticated partner account.
Response (200)
| Field | Type | Description |
|---|---|---|
| totalCount | integer | Total number of bookings. |
| bookings[].bookingSessionId | string | Session ID. |
| bookings[].status | string | Booking status. |
| bookings[].referenceId | string | Your reference ID. |
| bookings[].countryCode | string | Mission country. |
| bookings[].startDate | string | Mission start. |
| bookings[].endDate | string | Mission end. |
| bookings[].bookingNumber | string | Human-readable booking number. |
| bookings[].createdAt | string | Session creation timestamp. |
/api/partner/booking/update-paymentUpdate booking payment status
Notifies AtlasGuard of a payment status change for a booking session. Call this after capturing payment on your side.
Request Body
| Field | Type | Description |
|---|---|---|
| bookingSessionId* | string | The session ID to update. |
| partnerCode* | string | Your partner code. |
| status* | string | New payment status: paid | refunded | failed. |
| reason | string | Optional reason or reference for the status change. |
Response (200)
| Field | Type | Description |
|---|---|---|
| message | string | Confirmation message. |
| bookingId | string | AtlasGuard internal booking ID. |
| bookingNumber | string | Human-readable booking number. |
| status | string | Updated status. |
Errors
All errors return a standard JSON body. The status field mirrors the HTTP status code as a string, code is a machine-readable error key, and message is a human-readable description.
| Field | Type | Description |
|---|---|---|
| status | string | HTTP status code as string (e.g. "400"). |
| code | string | Machine-readable error key (e.g. "invalid_request", "unauthorized"). |
| message | string | Human-readable error description. |
| Status | Meaning | Common cause |
|---|---|---|
| 400 | Bad Request | Missing or invalid fields in the request body. |
| 401 | Unauthorized | Invalid API key, expired timestamp, or wrong signature. |
| 403 | Forbidden | Your account does not have access to this endpoint. |
| 404 | Not Found | The resource (session ID, partner ID) does not exist. |
| 429 | Too Many Requests | Rate limit exceeded. See rate limit headers. |
| 500 | Server Error | Unexpected error on the AtlasGuard side. Retry with exponential back-off. |
Live API Playground
Explore all endpoints interactively below, or open the full reference in a dedicated window. The raw OpenAPI 3.1 spec is available at /openapi.json.
Open Interactive API Reference