Partner Integration
Integrate OTABot into your PMS, channel manager, or hospitality platform. Offer rate intelligence to your users with just a few lines of code.
Redirect Login
Redirect users to OTABot with a signed JWT. They land on the dashboard with a session — no registration needed.
Iframe Embedding
Embed OTABot pages directly in your app. Get an embed token server-side, pass it to an iframe — users never leave your product.
How It Works
Get Your Credentials
Contact us to receive your API Key (pk_...) and Secret (sk_...). Store the secret securely — never expose it in client-side code.
Sign a JWT
On your server, sign a short-lived JWT (60s) with your secret using HS256. The payload must include the user's email.
Redirect or Embed
Redirect the user to our login endpoint, or request an embed token and load an iframe. Users are auto-registered on first login.
Redirect Login
Redirect users to the following URL with your API key and signed JWT:
GET https://otabot.com/api/auth/partner-login?key=YOUR_API_KEY&token=YOUR_JWTOTABot verifies the token, creates a session cookie, and redirects to /dashboard. If the user doesn't have an account, one is created automatically.
const jwt = require('jsonwebtoken');
// Your partner credentials (from OTABot admin panel)
const API_KEY = 'pk_your_api_key_here';
const SECRET = 'sk_your_secret_here';
function generateOTABotLoginUrl(userEmail) {
const token = jwt.sign(
{ email: userEmail },
SECRET,
{ expiresIn: '60s' }
);
return `https://otabot.com/api/auth/partner-login?key=${API_KEY}&token=${token}`;
}
// Usage: redirect the user to this URL
const loginUrl = generateOTABotLoginUrl('user@example.com');
// e.g. res.redirect(loginUrl)Iframe Embedding
Request an embed token from your server, then pass it to an iframe:
GET https://otabot.com/api/auth/partner-embed-token?key=YOUR_API_KEY&token=YOUR_JWTResponse: { "embedToken": "eyJ..." } — valid for 24 hours.
<iframe
src="https://otabot.com/embed/dashboard?token=EMBED_TOKEN"
width="100%" height="800"
style="border: none; border-radius: 8px;"
></iframe>Available Pages
| Path | Description |
|---|---|
/embed/dashboard | Monitored URLs and snapshots |
/embed/alerts | Alert settings and history |
/embed/compare | Side-by-side competitor comparison |
/embed/map | Interactive competitor map |
/embed/positioning | Rate positioning analysis |
const jwt = require('jsonwebtoken');
const API_KEY = 'pk_your_api_key_here';
const SECRET = 'sk_your_secret_here';
async function getEmbedToken(userEmail) {
const token = jwt.sign(
{ email: userEmail },
SECRET,
{ expiresIn: '60s' }
);
const res = await fetch(
`https://otabot.com/api/auth/partner-embed-token?key=${API_KEY}&token=${token}`
);
const data = await res.json();
return data.embedToken; // Valid for 24 hours
}
const embedToken = await getEmbedToken('user@example.com');Customization
Customize embed pages to match your brand by passing color parameters on the iframe URL:
<iframe
src="https://otabot.com/embed/dashboard?token=TOKEN&primaryColor=2563EB&bgColor=F0F4FF"
width="100%" height="800"
style="border: none; border-radius: 8px;"
></iframe>primaryColor— hex color without #. Replaces the default purple across buttons, links, and accents.bgColor— hex color without #. Changes the page background to match your app.
Colors can also be configured per-partner in the admin panel as defaults, but URL params always take priority.
User Management
Partner-managed users don't see OTABot billing or Stripe checkout. You control their plans via API and invoice them however you want.
List Users
GET https://otabot.com/api/partners/users?key=YOUR_API_KEYReturns all users created through your partner integration:
{
"users": [
{
"id": "...",
"email": "user@hotel.com",
"plan": "growth",
"maxMonitoredUrls": 10,
"createdAt": "2026-03-20T..."
}
]
}Set User Plan
PUT https://otabot.com/api/partners/users?key=YOUR_API_KEYUpdate a user's plan. The request body should contain:
{
"email": "user@hotel.com",
"plan": "growth"
}Valid plans: free, essential, growth, business. The user's maxMonitoredUrls is automatically set based on the plan.
Security Notes
- — Never expose your secret in client-side (browser) code
- — Always generate tokens server-side with a short expiry (60s)
- — Store your secret in environment variables, not in source code
- — Each partner JWT should be single-use; generate a fresh one per request
- — Embed tokens expire after 24 hours — refresh them when needed
Ready to integrate?
Contact us to get your partner credentials and start offering rate intelligence to your users.
Get in Touch