Public API · v1

Order Push API

Push transfer bookings into TaoRide straight from your own site or platform. One HTTP request creates one order.

Overview

A REST endpoint that lets an external site push a transfer booking into TaoRide. The order lands in the operator's desk exactly like a hand-typed one, and can optionally auto-list on the driver exchange.

The flow is inbound only: your platform calls us. We never call back — so there's nothing to configure on your end beyond the token.

Endpoint

POST https://taoride.com/api/v1/sources/orders
Content-Type: application/json
Accept: application/json

The URL is constant — sources are told apart by their token, not the URL.

Authentication

Each source gets its own secret token, generated by the operator in the admin panel (Settings → Dictionaries → Order Sources → Generate token). It's shown once — only its hash is stored — so keep it safe. Send it on every request as either header:

Authorization: Bearer <token>
# or
X-API-Key: <token>

⚠ The token is a server secret. Never ship it in browser JavaScript — anyone viewing the page could read it. Route your form through your own backend (see below).

Request fields

Send JSON. By default the keys are our field names — use field mapping if your form uses different names.

Required

Field Type Notes
pickup_address string (≤255) Where the transfer starts
dropoff_address string (≤255) Where it ends
transfer_date date e.g. 2026-08-15
transfer_time string H:i 24h, e.g. 14:30
first_name string (≤255)
last_name string (≤255)
phone string (≤50)
email valid email (≤255) Groups orders under a client account
external_id string (≤255) Idempotency key — your booking reference. Key name is configurable (external_ref), defaults to external_id

Optional

Field Type Default if omitted
price number ≥ 0 unset
currency supported currency source's default currency
number_of_passengers integer 1–255 1
number_of_luggage integer 0–255 0
child_seats integer 0–255 0
child_seat_details string (≤255) null
meet_and_greet boolean false

Fields we set ourselves and ignore from the payload: site, source, order status (always starts as new) and transfer class.

Field mapping — when your names differ

If your form calls the pickup from and the reference booking_id, you don't rename anything. On the source's admin form, set Field mapping (JSON) as our field → your payload key:

{
  "pickup_address": "from",
  "dropoff_address": "to",
  "external_ref": "booking_id"
}
  • Omit a field to use its own name as the key.
  • Values may be dotted paths for nested payloads, e.g. "first_name": "customer.first_name".
  • external_ref is the special mapping key for the idempotency reference.

Example request

curl -X POST https://taoride.com/api/v1/sources/orders \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "external_id": "BK-100245",
    "pickup_address": "Prague Airport (PRG), Terminal 1",
    "dropoff_address": "Wenceslas Square, Prague",
    "transfer_date": "2026-08-15",
    "transfer_time": "14:30",
    "first_name": "John",
    "last_name": "Doe",
    "phone": "+420777123456",
    "email": "[email protected]",
    "price": 1200,
    "currency": "CZK",
    "number_of_passengers": 3,
    "number_of_luggage": 2
  }'

Browser form → your backend → us

Don't call this endpoint straight from the browser — it would leak the token and hit CORS. Post your form to your own server, and let the server forward it.

Front-end — no token here:

async function submitBooking(form) {
  const res = await fetch('/api/forward-to-taoride', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(Object.fromEntries(new FormData(form))),
  });
  return res.json();
}

Your backend — token stays in the environment:

$payload = json_decode(file_get_contents('php://input'), true);

$ch = curl_init('https://taoride.com/api/v1/sources/orders');
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        'Authorization: Bearer ' . getenv('TAORIDE_TOKEN'),
        'Content-Type: application/json',
        'Accept: application/json',
    ],
    CURLOPT_POSTFIELDS => json_encode($payload),
]);
$response = curl_exec($ch);
http_response_code(curl_getinfo($ch, CURLINFO_HTTP_CODE));
echo $response;

Responses

Status Meaning
201 Created Order created
200 OK Idempotent repeat — same external_id already exists; the original order is returned, nothing is duplicated
422 Unprocessable Entity Validation failed; body has Laravel's per-field errors object
401 Unauthorized Missing / unknown / disabled token, or source not of type api. Opaque on purpose
429 Too Many Requests Rate limit hit; may include a Retry-After header
503 Service Unavailable No active site configured on our side

Success body (both 201 and 200):

{
  "id": 8123,
  "external_ref": "BK-100245",
  "status": "new",
  "posted_to_exchange": false
}

posted_to_exchange is true only when the source may auto-list on the exchange and the listing succeeded. A failed listing never fails order creation.

Idempotency & retries

The pair (source, external_id) is unique. If a network hiccup makes you retry with the same external_id, you get the original order back with 200 — never a duplicate. Always send a stable, unique external_id per booking, and retrying is safe.

Rate limits

  • 120 requests/minute per source — steady throughput ceiling.
  • Failed auth attempts are separately capped per IP (10 per 60s) to brake token guessing; a valid, active source is never touched by that brake.

Back off on 429 and honour Retry-After when present.

Getting set up

  1. Ask the TaoRide operator to create an api-type source for you and generate a token.
  2. If your field names differ from ours, agree on the field mapping.
  3. Send a test POST, confirm you get a 201 and the order appears in the desk.
  4. Go live — retry safely using a stable external_id.

We use cookies to enhance your browsing experience, analyze traffic, and personalize content.

Cookie Policy

Essential

Always On

Required for the website to function. Cannot be disabled.

Analytics

Help us understand how visitors use our website.

Marketing

Used to deliver personalized advertisements.