CrewIO Developer Portal

API Integration für Veranstalter und externe Apps

Verbinde deine Systeme sicher mit CrewIO: scoped API-Keys, Verein-Isolation und signierte Webhooks.

Integration im Dashboard starten Zur API-Referenz

Authentifizierung

API-Key per Bearer-Token oder x-crewio-api-key.

crw_live_<keyId>_<secret>

Keys sind pro Integration an genau einen Verein gebunden.

Rate Limit

Globales API-Limit pro Client-IP.

100 / Minute

Bei Limit-Fehler: HTTP 429 mit X-RateLimit-Headern.

Webhook Security

HMAC-SHA256 Signaturen auf jeder Zustellung.

X-Crewio-Signature: sha256=<hex>

Nur HTTPS-Ziele werden akzeptiert.

Quickstart

Beispiel: Events abrufen

curl -X GET 'https://crewio.co/api/developer/v1/events?limit=20' \
  -H 'Authorization: Bearer crw_live_...'

Scopes

events:readevents:writeevents:createevents:deleteroles:readroles:writeshifts:readshifts:writehelpers:readhelpers:writemessages:readmessages:writeassignments:readassignments:writeavailability:readavailability:write

Developer API Endpunkte

Method	Pfad	Erforderlicher Scope
GET	/api/developer/v1/events	events:read
POST	/api/developer/v1/events	events:create
GET	/api/developer/v1/events/{eventId}	events:read
PATCH	/api/developer/v1/events/{eventId}	events:write
DELETE	/api/developer/v1/events/{eventId}	events:delete
GET	/api/developer/v1/events/{eventId}/roles	roles:read
POST	/api/developer/v1/events/{eventId}/roles	roles:write
PATCH	/api/developer/v1/events/{eventId}/roles/{roleId}	roles:write
DELETE	/api/developer/v1/events/{eventId}/roles/{roleId}	roles:write
GET	/api/developer/v1/events/{eventId}/shifts	shifts:read
POST	/api/developer/v1/events/{eventId}/shifts	shifts:write
PATCH	/api/developer/v1/events/{eventId}/shifts/{shiftId}	shifts:write
DELETE	/api/developer/v1/events/{eventId}/shifts/{shiftId}	shifts:write
GET	/api/developer/v1/events/{eventId}/helpers	helpers:read
POST	/api/developer/v1/events/{eventId}/helpers	helpers:write
DELETE	/api/developer/v1/events/{eventId}/helpers?userId={userId}	helpers:write
GET	/api/developer/v1/events/{eventId}/messages	messages:read
POST	/api/developer/v1/events/{eventId}/messages	messages:write
PATCH	/api/developer/v1/events/{eventId}/messages/{messageId}	messages:write
DELETE	/api/developer/v1/events/{eventId}/messages/{messageId}	messages:write
GET	/api/developer/v1/events/{eventId}/assignments	assignments:read
POST	/api/developer/v1/events/{eventId}/assignments	assignments:write
GET	/api/developer/v1/events/{eventId}/availability/requests	availability:read
POST	/api/developer/v1/events/{eventId}/availability/requests	availability:write
GET	/api/developer/v1/events/{eventId}/availability/responses	availability:read
POST	/api/developer/v1/events/{eventId}/availability/responses	availability:write

Webhook Events

event.created

event.updated

event.deleted

role.created

role.updated

role.deleted

shift.created

shift.updated

shift.deleted

helper.granted

helper.revoked

message.created

message.updated

message.deleted

assignment.updated

availability.request.created

availability.response.upserted

Signatur verifizieren (Node.js)

import crypto from 'crypto'

export function verifyCrewioSignature(rawBody, signatureHeader, signingSecret) {
  const provided = (signatureHeader || '').trim().replace(/^sha256=/i, '')
  if (!/^[0-9a-f]{64}$/i.test(provided)) return false

  const expected = crypto
    .createHmac('sha256', signingSecret)
    .update(rawBody, 'utf8')
    .digest('hex')

  const a = Buffer.from(provided, 'hex')
  const b = Buffer.from(expected, 'hex')
  if (a.length !== b.length) return false

  return crypto.timingSafeEqual(a, b)
}