Order Push API
Push transfer bookings into TaoRide straight from your own site or platform. One HTTP request creates one order.
Overview
A REST endpoint that lets an external site push a transfer booking into TaoRide. The order lands in the operator's desk exactly like a hand-typed one, and can optionally auto-list on the driver exchange.
The flow is inbound only: your platform calls us. We never call back — so there's nothing to configure on your end beyond the token.
Endpoint
POST https://taoride.com/api/v1/sources/orders Content-Type: application/json Accept: application/json
The URL is constant — sources are told apart by their token, not the URL.
Authentication
Each source gets its own secret token, generated by the operator in the admin panel (Settings → Dictionaries → Order Sources → Generate token). It's shown once — only its hash is stored — so keep it safe. Send it on every request as either header:
Authorization: Bearer <token> # or X-API-Key: <token>
⚠ The token is a server secret. Never ship it in browser JavaScript — anyone viewing the page could read it. Route your form through your own backend (see below).
Request fields
Send JSON. By default the keys are our field names — use field mapping if your form uses different names.
Required
| Field | Type | Notes |
|---|---|---|
pickup_address |
string (≤255) | Where the transfer starts |
dropoff_address |
string (≤255) | Where it ends |
transfer_date |
date | e.g. 2026-08-15 |
transfer_time |
string H:i | 24h, e.g. 14:30 |
first_name |
string (≤255) | |
last_name |
string (≤255) | |
phone |
string (≤50) | |
email |
valid email (≤255) | Groups orders under a client account |
external_id |
string (≤255) | Idempotency key — your booking reference. Key name is configurable (external_ref), defaults to external_id |
Optional
| Field | Type | Default if omitted |
|---|---|---|
price |
number ≥ 0 | unset |
currency |
supported currency | source's default currency |
number_of_passengers |
integer 1–255 | 1 |
number_of_luggage |
integer 0–255 | 0 |
child_seats |
integer 0–255 | 0 |
child_seat_details |
string (≤255) | null |
meet_and_greet |
boolean | false |
Fields we set ourselves and ignore from the payload: site, source, order status
(always starts as new) and transfer class.
Field mapping — when your names differ
If your form calls the pickup from and the reference booking_id,
you don't rename anything. On the source's admin form, set Field mapping (JSON)
as our field → your payload key:
{
"pickup_address": "from",
"dropoff_address": "to",
"external_ref": "booking_id"
}
- Omit a field to use its own name as the key.
- Values may be dotted paths for nested payloads, e.g.
"first_name": "customer.first_name". external_refis the special mapping key for the idempotency reference.
Example request
curl -X POST https://taoride.com/api/v1/sources/orders \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ -d '{ "external_id": "BK-100245", "pickup_address": "Prague Airport (PRG), Terminal 1", "dropoff_address": "Wenceslas Square, Prague", "transfer_date": "2026-08-15", "transfer_time": "14:30", "first_name": "John", "last_name": "Doe", "phone": "+420777123456", "email": "[email protected]", "price": 1200, "currency": "CZK", "number_of_passengers": 3, "number_of_luggage": 2 }'
Browser form → your backend → us
Don't call this endpoint straight from the browser — it would leak the token and hit CORS. Post your form to your own server, and let the server forward it.
Front-end — no token here:
async function submitBooking(form) {
const res = await fetch('/api/forward-to-taoride', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(Object.fromEntries(new FormData(form))),
});
return res.json();
}
Your backend — token stays in the environment:
$payload = json_decode(file_get_contents('php://input'), true);
$ch = curl_init('https://taoride.com/api/v1/sources/orders');
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
'Authorization: Bearer ' . getenv('TAORIDE_TOKEN'),
'Content-Type: application/json',
'Accept: application/json',
],
CURLOPT_POSTFIELDS => json_encode($payload),
]);
$response = curl_exec($ch);
http_response_code(curl_getinfo($ch, CURLINFO_HTTP_CODE));
echo $response;
Responses
| Status | Meaning |
|---|---|
201 Created |
Order created |
200 OK |
Idempotent repeat — same external_id already exists; the original order is returned, nothing is duplicated |
422 Unprocessable Entity |
Validation failed; body has Laravel's per-field errors object |
401 Unauthorized |
Missing / unknown / disabled token, or source not of type api. Opaque on purpose |
429 Too Many Requests |
Rate limit hit; may include a Retry-After header |
503 Service Unavailable |
No active site configured on our side |
Success body (both 201 and 200):
{
"id": 8123,
"external_ref": "BK-100245",
"status": "new",
"posted_to_exchange": false
}
posted_to_exchange is true only when the source may auto-list
on the exchange and the listing succeeded. A failed listing never fails order creation.
Idempotency & retries
The pair (source, external_id) is unique. If a network hiccup makes you retry
with the same external_id, you get the original order back with
200 — never a duplicate. Always send a stable, unique external_id
per booking, and retrying is safe.
Rate limits
- 120 requests/minute per source — steady throughput ceiling.
- Failed auth attempts are separately capped per IP (10 per 60s) to brake token guessing; a valid, active source is never touched by that brake.
Back off on 429 and honour Retry-After when present.
Getting set up
- Ask the TaoRide operator to create an
api-type source for you and generate a token. - If your field names differ from ours, agree on the field mapping.
- Send a test
POST, confirm you get a201and the order appears in the desk. - Go live — retry safely using a stable
external_id.