Instruction

Before a narrow-casting screen shows live data, you must create an API user and allow CORS in the admin panel.

1. How the connection works

Each example fetches data via a GET request to the REST API:

GET https://YOURENVIRONMENT.i-reserve.net/api/rest/booking/filter?columns=…&search=…
Authorization: Basic <base64(user:password)>

  • booking/filter — bookings (day schedule, room signs, slideshow).
  • event/filter — public events with availability (events grid).

2. Create an API user (read-only)

Note: the login details are readable in the HTML (the browser sends them along). Never use an administrator account; use a dedicated user with read-only rights on exactly the required products.

  1. Log in to the admin panel as an administrator.
  2. Under Users / Staff create a new user, for example API_signage.
  3. Grant read-only rights on bookings/events and, where possible, restrict to the relevant products.
  4. Choose a strong, unique password. You enter this in config.js.

3. Authentication in the page (Basic Auth)

Fill in the details in config.js; the SDK automatically builds the Authorization header from them (Basic base64(user:password)). If an endpoint needs no authentication (public), set auth: null.

4. Allow CORS in the admin panel

By default the browser blocks requests to a different origin than the one the page came from. A narrow-casting page usually runs as file:// or on a local box — a different origin than https://YOURENVIRONMENT.i-reserve.net. So add the correct origin to the CORS whitelist:

  • Standalone file opened from disk (file://): origin null.
  • Local web server: http://localhost or the IP address.
  • Hosted on a (sub)domain: https://signage.yourdomain.com.

In the admin panel under Settings > API / Integrations (the name may differ per version) you will find the list of allowed origins. Avoid * in production; whitelist only what you actually use.

5. The filter (search)

The search field uses relative dates: "0d" = today, "7d" = in 7 days, "-1d" = yesterday. Example: startdatum >= "0d" AND startdatum <= "0d" AND product IN (101,102,103).

6. Testing

First test outside the browser with curl (no CORS restriction, so this checks only the auth and the filter):

curl -u "API_signage:PASSWORD" "https://YOURENVIRONMENT.i-reserve.net/api/rest/booking/filter?columns=RES_CUSTOM02,RES_FROMTIME&search=startdatum%20%3E%3D%20%220d%22"

  • JSON returned → auth and filter are correct.
  • 401 Unauthorized → user/password or rights incorrect.
  • Empty in the browser but data via curl → almost certainly CORS.
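
The request from sections 1, 3 and 5 and the outcomes listed above, as an added example (not the SDK's own code). All function names are hypothetical, and the column names are the sample values from the curl command.

```javascript
// Added example; function names are hypothetical, not the SDK's API.

// Basic base64(user:password). UTF-8 encode first: btoa() alone throws
// on characters outside Latin-1, which a strong password may contain.
function basicAuthHeader(user, password) {
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  return 'Basic ' + btoa(String.fromCharCode(...bytes));
}

// Relative date token for the search field: 0 -> "0d", -1 -> "-1d".
function relDay(n) {
  if (!Number.isInteger(n)) throw new TypeError('day offset must be an integer');
  return `"${n}d"`;
}

// Builds the search expression. Product IDs are validated as integers so
// nothing else can be spliced into the filter.
function buildSearch(fromDay, toDay, productIds = []) {
  const parts = [`startdatum >= ${relDay(fromDay)}`, `startdatum <= ${relDay(toDay)}`];
  if (productIds.length) {
    if (!productIds.every(Number.isInteger)) throw new TypeError('product IDs must be integers');
    parts.push(`product IN (${productIds.join(',')})`);
  }
  return parts.join(' AND ');
}

// endpoint is "booking" or "event", the two endpoints listed in section 1.
function buildFilterUrl(env, endpoint, columns, search) {
  if (!['booking', 'event'].includes(endpoint)) throw new Error('unknown endpoint');
  const cols = columns.map(encodeURIComponent).join(',');
  return `https://${env}.i-reserve.net/api/rest/${endpoint}/filter` +
    `?columns=${cols}&search=${encodeURIComponent(search)}`;
}

// Maps the outcomes from the testing section to a short diagnosis.
async function fetchRows(url, auth) {
  const headers = auth ? { Authorization: basicAuthHeader(auth.user, auth.password) } : {};
  let res;
  try {
    res = await fetch(url, { headers });
  } catch (e) {
    // fetch() rejects when the browser blocks the request (CORS) or the network fails.
    return { ok: false, reason: 'blocked or network error: check the CORS origin list' };
  }
  if (res.status === 401) return { ok: false, reason: 'user/password or rights incorrect' };
  if (!res.ok) return { ok: false, reason: `HTTP ${res.status}` };
  return { ok: true, rows: await res.json() };
}
```
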

Security checklist

  • Dedicated API user, read-only, limited to the right products.
  • Strong, unique password; change it periodically.
  • Only the needed origins in the CORS whitelist (no *).
  • No admin account in config.js.