The BeatPass API powers the platform’s frontend. This is a first-party API designed exclusively for BeatPass web and mobile applications.
First-Party Only — BeatPass does not offer a public developer API or third-party integrations. All endpoints documented here are for the official BeatPass application.

Integration Requests

If you’re interested in integrating with BeatPass (partnerships, data licensing, embedded players), contact support to discuss options.

Partnership Inquiries

Contact support for integration discussions.

Base URL

All API requests use the base URL:
https://open.beatpass.ca/api/v1

API Surface

The BeatPass API provides comprehensive functionality across the platform:

  • Tracks: List, view, upload, update, delete tracks
  • Albums: Album management and metadata
  • Artists: Artist profiles, followers, tracks
  • Playlists: Create, manage, share playlists
  • Search: Full-text search across content types
  • Genres: Genre listing and filtering

Request Format

HTTP Methods

  • GET: Retrieve data
  • POST: Create resources
  • PUT: Update resources
  • DELETE: Remove resources

Required Headers

Accept: application/json
Content-Type: application/json
Authenticated requests use Sanctum’s stateful session cookies. State-changing requests must include CSRF protection (XSRF-TOKEN cookie + X-XSRF-TOKEN header). See the Authentication guide for details.

Response Format

Success Response

Responses vary by endpoint. Most return data directly:
{
  "id": 1234,
  "name": "Track Name",
  "artist": {...}
}

Error Response

{
  "message": "Error description",
  "errors": {
    "field": ["Validation error"]
  }
}

Pagination

Paginated endpoints use Laravel’s standard pagination:
{
  "data": [...],
  "current_page": 1,
  "per_page": 15,
  "total": 150,
  "last_page": 10,
  "links": {...}
}

Authentication Model

BeatPass uses Laravel Sanctum for authentication. This is a stateful SPA session model with CSRF/XSRF cookies. The API:
  • Uses session cookies for authentication (not Bearer tokens)
  • Does not issue personal access tokens
  • Is only available to the first-party BeatPass web application (no third-party/OAuth)
See Authentication for the SPA login flow and CSRF requirements.
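
How a browser client can prepare requests under the header and CSRF rules described in Required Headers and Authentication Model, as an added example (not BeatPass's own client code). The helper names, the `{ title: "demo" }` body and the sample cookie string are assumptions constructed for illustration.

```javascript
// Added example: request preparation for a Sanctum stateful SPA session.
const BASE_URL = "https://open.beatpass.ca/api/v1"; // base URL from this page
const STATE_CHANGING = new Set(["POST", "PUT", "DELETE"]);

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Build the URL and fetch() options for one API call (hypothetical helper).
// cookieString is passed in (document.cookie in a browser) so this runs offline.
function buildRequest(method, path, body, cookieString) {
  const verb = method.toUpperCase();
  // Accept only paths under the API base, so the token stays on this origin.
  if (!path.startsWith("/")) {
    throw new Error("path must be relative to the API base URL");
  }
  const headers = { Accept: "application/json", "Content-Type": "application/json" };
  if (STATE_CHANGING.has(verb)) {
    const raw = readCookie(cookieString, "XSRF-TOKEN");
    if (raw === null) {
      throw new Error("no XSRF-TOKEN cookie; state-changing request not sent");
    }
    // The cookie value is URL-encoded; the header carries the decoded value.
    headers["X-XSRF-TOKEN"] = decodeURIComponent(raw);
  }
  return {
    url: BASE_URL + path,
    init: {
      method: verb,
      headers,
      credentials: "include", // send the session cookie with the request
      body: body === undefined ? undefined : JSON.stringify(body),
    },
  };
}

// Constructed sample cookie jar (not a real token).
const SAMPLE_COOKIES = "theme=dark; XSRF-TOKEN=abc123%3D%3D; other=1";
const example = buildRequest("post", "/beat-requests", { title: "demo" }, SAMPLE_COOKIES);
console.log(example.url, example.init.headers["X-XSRF-TOKEN"]);
```

In a browser the result is passed to `fetch(example.url, example.init)`. GET requests carry no `X-XSRF-TOKEN` header, matching the page's statement that only state-changing requests need CSRF protection.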

Key Endpoint Groups

Public Endpoints (Optional Auth)

These endpoints work without authentication but return enhanced data when authenticated:
GET /tracks              # List public tracks
GET /tracks/{id}         # Track details
GET /artists             # List artists
GET /artists/{id}        # Artist profile
GET /search              # Search content
GET /genres              # Available genres

Required Auth Endpoints

These require an authenticated session:
POST /tracks                           # Upload track
POST /tracks/{track}/purchase/initiate # Start purchase
GET  /purchases                        # User's purchases
GET  /messaging/conversations          # User's messages
GET  /producer-intelligence/dashboard  # Producer analytics
POST /beat-requests                    # Create beat request

Rate Limiting

The API uses route-specific throttling. Key limits:

Producer Intelligence (public)

300 requests/minute: Public analytics endpoints for unauthenticated users.
500 requests/minute: Enhanced limits for authenticated producer sessions.
120 requests/minute: Social engagement and follower analytics.
60 requests/minute: Legacy endpoints (being phased out).

Rate Limits Reference

View complete rate limiting documentation and best practices.

Webhooks

BeatPass receives inbound webhooks from Stripe for payment processing. There is no outbound webhook system for external integrations. See Webhooks for Stripe webhook details.

What’s Not Covered

This documentation covers user-facing endpoints only. The following are intentionally excluded:

Admin Operations

Requires staff roles and elevated privileges

Internal Processing

Platform infrastructure and content pipelines

Security Systems

Protected by design for platform integrity
Attempting to access undocumented admin or internal endpoints without authorization is a violation of terms of service and may result in account termination.
Found a security issue? Report it responsibly to [email protected] — we appreciate responsible disclosure.

Last modified on December 5, 2025