[#1514] getBookingDetails API always returns “Access denied” (-32600) despite valid token

system · January 23, 2026, 1:03pm

Migrated from Redmine #1514 | Author: Angela Fernandez
Status: Feedback | Priority: High, I’m very impatient | Created: 2026-01-23

Hi all,

We are integrating SimplyBook API with n8n using the JSON-RPC API and webhooks, and we are consistently encountering an issue when calling the getBookingDetails method.

Although authentication appears to work correctly, getBookingDetails always returns an “Access denied” error.

What is working correctly

We receive webhook notifications from SimplyBook with valid data:

booking_id

booking_hash

We successfully call getToken using:

getToken(company_login, api_key, sign_company)
sign_company = md5(company_login + api_key + secret_key)

The getToken call returns a valid token string.

The token is passed in subsequent requests.

The problem

When calling getBookingDetails, the API always returns:

{
“code”: -32600,
“message”: “Access denied”,
“data”:
}

This happens every time, even though:

The token is freshly generated

The company login is correct

The booking ID and booking hash come directly from the webhook

How we call getBookingDetails

Endpoint:

https://user-api.simplybook.it/

Headers:

Content-Type: application/json
X-Company-Login: greeneagle
X-Token:

Body (JSON-RPC):

{
“jsonrpc”: “2.0”,
“method”: “getBookingDetails”,
“params”: [
430,
“e307cbd8389f5f8ba61cfe5c2026fb8c”
],
“id”: 2
}

Where:

sign = md5(booking_id + booking_hash + secret_key)

Debug values from a failing request
booking_id = 430
booking_hash = 0247557e239df1ff094693c7be7907df
sign = e307cbd8389f5f8ba61cfe5c2026fb8c

Expected behavior

The API should return the booking details for the given booking ID.

Actual behavior

The API always responds with “Access denied” (-32600), even though:

Authentication succeeds

Token is valid

Booking data is correct

Questions

Are there additional permissions or API settings required for getBookingDetails?

Does getBookingDetails require a different type of token than getToken(company_login, api_key, sign_company)?

Is the sign calculation correct for this method?

Are there any account-level restrictions that could cause this behavior?

Thank you for your help.
We would appreciate any guidance, as this issue is currently blocking our integration.

system · January 23, 2026, 1:23pm

Dmytro Bondarev wrote:

Hi, could you please provide your company login?

system · January 26, 2026, 12:02pm

Angela Fernandez wrote:

Dmytro Bondarev wrote in #note-1:

Hi, could you please provide your company login?

Green Eagle Solutions | Sitio Web y Reservas Online it’s the portal url and company login greeneagle

system · January 26, 2026, 1:17pm

Dmytro Bondarev wrote:

Hi,
according to our logs:

booking hash and getBookingDetails call is correct, it seems that you are using wrong token in
X-Token:
header.