Introduction

Overview

Bite exposes online ordering functionality through a REST API which third party developers can use to create applications on top of the Bite platform.

Bite Nomenclature

Customers

A Bite "Customer" represents a full end-user account created on Bite's platform. Customers can be created with a Bite password or can be authenticated against a Single Sign-On provider such as Paytronix or Punchh. Bite Customers have the following features:

  • A single set of credentials could be used to create completely different accounts under different brands that Bite works with.
  • Storing credit cards on file so that they could be used for future purchases.
  • Access to the customer's favorite ordered items and recent order history.
  • Storing delivery addresses on file for future purchases.

After creating or authenticating a Bite Customer through the API, a unique authentication token will be returned which can be used to refer to that user from that moment on without the need to store their password in your application.

Usage Basics

Environments

A dedicated sandbox environment will be provisioned for each new third-party developer. All development and testing must be carried out through that environment. It includes both an API sandbox and an Admin Portal sandbox so that developers can modify test locations while testing their integration with Bite. The sandbox environment runs the same code as production. The sandbox environment endpoint is: https://YOUR_SANDBOX_SUB_DOMAIN.getbite.com/api

The production environment endpoint is: [REDACTED]

All communication must be encrypted over TLS 1.2.

Request/Response Basics

Headers and Status Codes

https://<environment_domain>/<API_version>/<resource>?[params]

  • The Bite API expects both the request and the response bodies to be encoded as JSON, so both the HTTP Accept and Content-Type headers should be set to application/json.
  • HTTP Status Codes will be returned as follows:
    • 200 OK - The requested operation completed successfully!
    • 400 Bad Request - An error occurred on the Bite side or on the POS side. Please reference the response body's "code" value in the Bite Error Codes documentation.
    • 403 Forbidden - Invalid API credentials or insufficient access to a resource or operation.
    • 500 Server Error - An unexpected error occurred. Please verify that your request is correctly formatted.
  • Every API call must include the following headers:
    Header | Description | Example
    x-md-api-version | Must be set to 4 | x-md-api-version: 4
    x-bite-org-id | Must be set to the brand id that you are working with. This value will be provided along with the sandbox environment. | x-bite-org-id: 5fa31dc97acd2f0031e023eb
    x-customer-app-scope | Must be set to the brand's account scope. This value will be provided along with the sandbox environment. | x-customer-app-scope: my-brand-scope
    Authorization | Must be set to Bearer: API_TOKEN. The API_TOKEN will be provided along with the sandbox environment. | Authorization: Bearer 2979c798-c901-4ceb-8478-3b26c24a998d
    User-Agent | Unique user agent value that identifies the app. Please send this formatted as application_name/version. | User-Agent: SomeApp/v1.2.3
    X-Device-Id | Unique hardware identifier for the device. | X-Device-Id: 993e0082-5bfd-4bbc-98ec-d13b50bbd54a

Response Structure

A success response structure will look as follows:

{
  success: true;
  data?: {...};
}

An error response structure will look as follows:

{
  success: false;
  code: number;
  message?: string;
  data?: {...};
}

Bite Error Codes

Any error response will contain an error code:

Code | Meaning | Suggested Action
60 | Customer Password Already Used: The customer is trying to use a password they have previously used. |
61 | Customer Token Invalid: The token has been malformed or has expired. | Maybe the customer needs to log out and log in again because they've changed their password.
62 | Customer Account Not Verified: The customer resource being accessed requires a verified customer account. |
63 | Customer Account Disabled: The specified customer account has been disabled by one of the brand admins. |
64 | Customer Account Deleted: The specified customer account has been deleted by one of the brand admins. |

Versioning and Compatibility

Please treat all IDs in the API as strings.

We will not remove properties from the current API version, but we do add new properties to return objects from time to time.

There is no guaranteed ordering of properties. We request that properties are accessed by name and not by index.

Please do not rely on error messages for logic. Error text may change periodically. Rather rely on error codes, which are guaranteed to not change.

Rate Limiting

Some API endpoints are protected through the use of rate limiting. The base rate limit can be found in the description of the API endpoint.

Information about the current usage can be found in the headers of the response:

  • Ratelimit-Limit: The amount of requests permitted
  • Ratelimit-Remaining: How many requests can be made in the interval
  • Ratelimit-Reset: How long, in seconds, until the rate-limit interval ends and the remaining amount of requests resets

The rate limit maximum is adjusted by the number of locations associated with the token. For example, if an API has a base rate limit of 50 requests per minute, then an organization with 10 locations may use the API endpoint 500 times per minute.

Changelog

2026-02-24

  • Updated definitions of openingHoursByFulfillmentMethod

2025-07-23

  • Updated security for Bite API Token based requests

2024-08-29

  • Added consentedToMarketing field to order

2024-01-22

  • Added section to ordered item schema

2024-01-03

  • More details regarding rate limiting

2023-11-07

  • Deprecated: POST /api/v2/reporting/orders/day
  • New Endpoint: GET /api/v2/reporting/orders/day/:date

2022-12-19

  • Updated rate limits of API calls
  • Reversed order of change log

2022-10-25

  • New endpoints:
    • POST /api/v2/reporting/orders/day
    • GET /api/v2/locations
  • Rate Limiting

2021-10-19

  • First Draft

Servers

  • Mock server: https://documentation.getbite.com/_mock/openapi/v2/bite-api-v2
  • Sandbox: https://{sandboxApiSubDomain}.getbite.com/api

Customer account signup/login and other CRUD operations.

Management of saved delivery addresses on the customer account.

Past orders associated with the customer account.

Management of saved payment methods on the customer account.

Save mobile app push notification tokens on the customer account.

Endpoints for picking a location from which to order.

Endpoints for ordering actions

Endpoints for getting the config bundle of a mobile app

Endpoints for generating reports

Webhooks can be used to notify non-Bite systems of events happening at Bite. They can be configured by Bite employees at the organization level. They use pre-defined location groups to determine which locations the webhooks are active at.

Webhook Request Body

The webhook request body is composed of these top-level properties:

  • event: A key indicating which event triggered this webhook to be sent.
  • data: The payload of the webhook. This field may not exist if the webhook has no payload.

Bite Signatures

Bite Webhooks are sent with a signature in the x-bite-signature header that allows you to verify that the request was sent by Bite.

The x-bite-signature header is composed of two parts, the timestamp and the signature. The timestamp (prefixed by t=) is the epoch time when the webhook was sent from the Bite server. The signature (prefixed by v=) is the hex encoded HMAC SHA256 hash of the webhook.

Here is an example of an x-bite-signature header:

t=1650064620000,v=cbb9af052e4e9bfe061e3fa76aadf047b022e6d189a73f047181ea7d0c40f51b

The timestamp value can be used to determine when the request was sent and ignore any old requests which may be part of a replay attack.

Verify Signature

To verify the signature, you will need the private key associated with the webhook. This will be provided by a Bite employee after the webhook is configured.

  1. Extract the timestamp and signature values from the header. Do not include the prefix.

  2. Construct the payload to sign following this schematic: {{timestamp}}.{{request_body}}

    ex: Consider a webhook with an x-bite-signature header of t=1650064620000,v=... and the following request body:

    { event: 'order-sent', data: { someKey: 'Some Value' } }

    The resulting payload will be:

    1650064620000.{ event: 'order-sent', data: { someKey: 'Some Value' } }

  3. Calculate the HMAC of the payload with the SHA256 hash function using the private key of the webhook.

  4. Compare the HMAC you calculated with the signature extracted from the x-bite-signature header. Ensure that the values are identical to verify that the request was generated by a Bite server.
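
The four verification steps above as an added Python example; it is not Bite's own code. The function names, the 5-minute replay window, the use of the key as raw bytes, and reading t= as epoch milliseconds (suggested by the page's sample value) are assumptions, and the sample key and body are constructed.

```python
import hashlib
import hmac
import time

# Assumed replay window; the page does not specify one.
TOLERANCE_MS = 5 * 60 * 1000


def parse_signature_header(header):
    """Split 't=<timestamp>,v=<hex hmac>' into (timestamp str, mac bytes)."""
    fields = {}
    for part in header.split(","):
        name, sep, value = part.strip().partition("=")
        if not sep or name in fields:
            raise ValueError("malformed x-bite-signature header")
        fields[name] = value
    timestamp, hex_mac = fields.get("t", ""), fields.get("v", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or len(hex_mac) != 64:
        raise ValueError("malformed x-bite-signature header")
    return timestamp, bytes.fromhex(hex_mac)  # ValueError if not hex


def sign(secret, timestamp, raw_body):
    """HMAC-SHA256 over '<timestamp>.<request body>' (steps 2 and 3)."""
    payload = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, payload, hashlib.sha256).digest()


def verify_webhook(header, raw_body, secret, now_ms=None):
    """True only if the MAC matches and the timestamp is inside the window.

    raw_body must be the bytes exactly as received; re-serialising parsed
    JSON can reorder keys or change whitespace and break the MAC.
    """
    try:
        timestamp, received_mac = parse_signature_header(header)
    except ValueError:
        return False
    expected_mac = sign(secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected_mac, received_mac):
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    # Assumption: t= is epoch milliseconds, as the page's sample value suggests.
    return abs(now_ms - int(timestamp)) <= TOLERANCE_MS


# Constructed sample data, not real Bite values.
SAMPLE_SECRET = b"constructed-webhook-key"
SAMPLE_TS = "1650064620000"
SAMPLE_BODY = b'{"event":"order-sent","data":{"orderId":"constructed-1"}}'

if __name__ == "__main__":
    mac_hex = sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY).hex()
    header = "t=%s,v=%s" % (SAMPLE_TS, mac_hex)
    print(verify_webhook(header, SAMPLE_BODY, SAMPLE_SECRET, int(SAMPLE_TS) + 1000))
```

Run the check before parsing the JSON body, and reject the request when it returns False.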

Request

Returns details of an order immediately after the order has closed and been sent to the POS integrations. If the location does not have any POS integrations, the webhooks will still send a response after the order is closed. At the discretion of the organization, this webhook can be configured to include item and transaction data.

Body: application/json
event: string, required
Value: "order-sent"
data: object (OrderExternal), required
data.createTime: string, required

The ISO time of order creation with timezone offset.

data.orgName: string, required

The name of the org at which the customer placed the order.

data.orgId: string (OrgId), required

The ID of the org at which the customer placed the order.

data.siteName: string, required

The name of the site at which the customer placed the order.

data.siteId: string, required

The ID of the site at which the customer placed the order.

data.locationId: string (LocationId), required

The ID of the location (in the specified org) at which the customer placed the order.

data.orderChannel: string (OrderChannel), required

Denotes the ordering channel through which orders are placed:

  • catering - Catering Website
  • flash - Contactless (QR-code)
  • kiosk - Kiosk
  • linebuster - Linebuster
  • web - Online Ordering Website
Enum: "catering", "flash", "kiosk", "linebuster", "web"
data.diningOption: string, required

The name of the dining option with which the customer placed the order.

data.source: string, required

Whether the order was made from a kiosk, mobile, or desktop browser.

data.orderId: string, required

The Bite ID of the order.

data.checkIds: Array of objects, required

The IDs of the check from POS integrations.

data.checkIds[].value: string, required

The check ID value.

data.checkIds[].name: string, required

The name of the check ID. ex: posCheckId

data.checkIds[].vendorName: string, required

The name of the vendor from which the check ID originated. If location is single-vendor or does not have a POS, defaults to "Default Vendor".

data.loyaltyCheckIds: string, required

The IDs of the loyalty check from loyalty integrations (if any). Absent if loyalty doesn't exist or order was not checked into loyalty.

data.isCancelled: boolean, required

Indicates if the order was cancelled after it was closed.

data.orderNumber: string, required

Sequential client ID that loops around.

data.items: Array of objects, non-empty

Items of the order.

data.subTotal: integer (int32) (SubTotal), required

The order sub total in cents.

data.taxTotal: integer (int32) (TaxTotal), required

The amount of tax collected on the order in cents.

data.tipTotal: integer (int32) (TipTotal), >= 0, required

The tip amount on the order in cents.

data.discountNames: Array of strings, required

Names of the discounts applied to the order.

data.discountTotal: integer (int32) (DiscountTotal), required

The amount discounted from the order sub total in cents.

data.total: integer (int32) (Total), required

The total amount that the guest paid in cents. This number includes the tip.

data.refundedAmount: integer (int32), required

Amount refunded from order in cents.

data.transactions: Array of objects

Transactions of the order.

data.orderUrl: string, required

A URL pointing to the Bite Admin entry of the order.

data.futureOrderTime: string

The time the customer is expected to pick up an order, in ISO with timezone offset. Only available if the order is a future-order.

data.outpostDeliveryLocation: string

The name of the outpost. Only available if the dining option is an Outpost dining option.

data.deliveryAddress: object (DeliveryAddress)

The delivery address for this order. This value is required if this is a delivery address.

data.tableNumber: string (TableNumber)

Number of the table or table tent that the order is associated with.

data.isTaxExempt: boolean, required

Whether or not the order is tax exempt.

data.serviceChargeTotal: integer (int32) (ServiceChargeTotal), required

The sum of all the service charges added to the order in cents.

data.serviceCharges: Array of objects (ServiceCharges), non-empty, required

A list of all the service charges added to the order. If this property is available, then serviceChargeTotal is definitely available on the order. However, this property may not be available even if there is a serviceChargeTotal because not every POS will provide a breakdown of the service charges.

data.serviceCharges[].name: string, required

A name of the service charge as it should appear on the receipt.

data.serviceCharges[].amount: integer (int32), required

The amount of the service charge in cents.

data.redeemedLoyaltyReward: boolean

Whether or not the guest redeemed a loyalty reward for the order.

data.guest: object, required

Info about the guest who placed the order.

data.guest.guestId: string, required

Bite ID of the guest.

data.guest.name: string

Name of the guest. Only available if the Guest Name identifier was used.

data.guest.email: string (email)

Email of the guest. Only available if the guest requested the receipt to be emailed after placing their order or if it was provided during payment.

data.guest.phoneNumber: string

Phone Number of the guest. Only available if the Guest Vehicle identifier was used.

data.guest.vehicle: object

Info about the guest's vehicle. Only available if the Guest Vehicle identifier was used.

data.guest.satisfactionScore: integer (int32), >= 1

How satisfied the guest was with their experience. Only available if the guest completed the survey.

data.guest.satisfactionMaximum: integer (int32), >= 1

The maximum possible satisfaction score for the survey. Only available if the guest completed the survey.

data.guest.ageRange: string

An approximate age range of the guest. Only available if the guest used facial recognition. ex: 22 - 28

data.guest.gender: string

A calculated guess as to the gender of the guest. Only available if the guest used facial recognition.

Enum: "M", "F"
data.guest.consentedToMarketing: boolean

Whether the guest consented to marketing. Only present if the location is configured to ask the guest for consent. The guest may be asked while submitting their email address or phone number.

data.selectedLanguage: string

The language the guest selected for their order. Only available if the guest selected a language.

data.loyaltyIds: Array of objects, required

The IDs of the guest's loyalty account. If the array is empty, then the guest did not connect a loyalty account. There may be multiple entries if the guest used multiple methods of connecting to their account.

data.loyaltyIds[].value: string, required

The loyalty ID value.

data.loyaltyIds[].entryMethod: string (LoyaltyAuthEntryMethod), required

How the information connecting a guest to their loyalty account was collected.

Enum: "barcode-scanned", "card-number-manually-entered", "email-manually-entered", "email-and-password-manually-entered", "email-and-phone-number-manually-entered", "email-and-phone-number-provided-externally", "phone-number-manually-entered", "phone-number-provided-externally", "redemption-code-manually-entered", "unknown-manually-entered"
curl -i -X POST \
  https://documentation.getbite.com/_mock/openapi/v2/bite-api-v2/v2/webhooks/order-sent \
  -H 'Content-Type: application/json' \
  -d '{
    "event": "order-sent",
    "data": {
      "createTime": "string",
      "orgName": "string",
      "orgId": "string",
      "siteName": "string",
      "siteId": "string",
      "locationId": "string",
      "orderChannel": "catering",
      "diningOption": "string",
      "source": "string",
      "orderId": "string",
      "checkIds": [
        {
          "value": "string",
          "name": "string",
          "vendorName": "string"
        }
      ],
      "loyaltyCheckIds": "string",
      "isCancelled": true,
      "orderNumber": "string",
      "items": [
        {
          "specialRequest": "string",
          "vendorName": "string",
          "scannedBarcode": "string",
          "posId": "string",
          "name": "string",
          "price": 0,
          "quantity": 1,
          "unitPrice": 0,
          "saleUnit": 0,
          "addToCartSource": "string",
          "weight": 0.1,
          "section": {
            "name": "string",
            "posId": "string"
          },
          "modGroups": [
            {
              "posId": "string",
              "name": "string",
              "mods": [
                {
                  "modGroups": []
                }
              ]
            }
          ]
        }
      ],
      "subTotal": 0,
      "taxTotal": 0,
      "tipTotal": 0,
      "discountNames": [
        "string"
      ],
      "discountTotal": 0,
      "total": 0,
      "refundedAmount": 0,
      "transactions": [
        {
          "cardType": "string",
          "transactionType": "sale",
          "amount": 0,
          "lastFour": "string",
          "gateway": "string",
          "cardEntryMethod": "string"
        }
      ],
      "orderUrl": "string",
      "futureOrderTime": "string",
      "outpostDeliveryLocation": "string",
      "deliveryAddress": {
        "line1": "string",
        "line2": "string",
        "city": "string",
        "state": "string",
        "postalCode": "string"
      },
      "tableNumber": "string",
      "isTaxExempt": true,
      "serviceChargeTotal": 0,
      "serviceCharges": [
        {
          "name": "string",
          "amount": 0
        }
      ],
      "redeemedLoyaltyReward": true,
      "guest": {
        "guestId": "string",
        "name": "string",
        "email": "user@example.com",
        "phoneNumber": "string",
        "vehicle": {
          "make": "string",
          "model": "string",
          "color": "string"
        },
        "satisfactionScore": 1,
        "satisfactionMaximum": 1,
        "ageRange": "string",
        "gender": "M",
        "consentedToMarketing": true
      },
      "selectedLanguage": "string",
      "loyaltyIds": [
        {
          "value": "string",
          "entryMethod": "barcode-scanned"
        }
      ]
    }
  }'

Responses

Indicate that the webhook was received successfully.

Embedding Bite in a 3rd Party Mobile App