Boatfront API

Integrate with the worldwide yacht marketplace. Search listings, manage boats, and access broker data programmatically.

Broker access required

The Boatfront API is available exclusively to registered brokers. You can manage your OAuth apps and API keys from the Broker Portal → Developer section.

Authentication

The Boatfront API supports two authentication methods. Choose based on your use case:

OAuth 2.1

User-delegated access for apps that act on behalf of a broker. Supports PKCE, refresh tokens, and granular scopes.

API Keys

Server-to-server access for backend integrations. Simple Bearer token authentication with no user interaction.

All API requests must include an Authorization header:

bash

curl -X GET https://www.boatfront.com/api/listings \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

OAuth 2.1 Flow

Boatfront implements the OAuth 2.1 authorization code flow with PKCE. This is the recommended method for applications that need to access the API on behalf of a user.

1. Register your application

Create an OAuth app in the Broker Portal. You will receive a client_id and client_secret.

2. Generate a PKCE code challenge

PKCE is required for all clients per the OAuth 2.1 specification.

javascriptGenerate PKCE challenge

import crypto from "crypto";

const codeVerifier = crypto.randomBytes(32).toString("base64url");
const codeChallenge = crypto
  .createHash("sha256")
  .update(codeVerifier)
  .digest("base64url");

3. Redirect to authorize

Send the user to the Boatfront authorization endpoint:

bashAuthorization request

GET https://www.boatfront.com/api/auth/oauth2/authorize?
  response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &scope=openid+listings:read
  &state=RANDOM_STATE
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256

The user will see a consent screen and choose to allow or deny access. On approval, they are redirected to your redirect_uri with a code parameter.

4. Exchange the code for tokens

bashToken request

curl -X POST https://www.boatfront.com/api/auth/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "code_verifier=CODE_VERIFIER"

Response

jsonToken response

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2...",
  "scope": "openid listings:read"
}

5. Refresh an access token

Access tokens expire after 1 hour. Use the refresh token to get a new one:

bashRefresh request

curl -X POST https://www.boatfront.com/api/auth/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=YOUR_REFRESH_TOKEN" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

6. Revoke a token

bashRevoke request

curl -X POST https://www.boatfront.com/api/auth/oauth2/revoke \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=TOKEN_TO_REVOKE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

PKCE (Proof Key for Code Exchange)

PKCE prevents authorization code interception attacks and is mandatory for all OAuth clients — both public (native/MCP) and confidential (server-side).

Generate a random code_verifier (43-128 characters)
Create a code_challenge = Base64URL(SHA256(code_verifier))
Send code_challenge + code_challenge_method=S256 in the authorization request
Send the original code_verifier when exchanging the authorization code for tokens

API Keys

API keys provide a simpler authentication method for server-to-server integrations where user-delegated access is not needed.

Creating an API key

Generate keys in the Broker Portal → Developer → API Keys. Each key has a configurable expiration and is shown only once upon creation.

Using an API key

Include the key in the Authorization header:

bashAPI key request

curl -X GET https://www.boatfront.com/api/listings \
  -H "Authorization: Bearer bf_live_abc123def456..."

Listings API

GET/api/listings

List all active boat listings. Supports pagination.

Query parameters

Parameter	Type	Description
`page`	integer	Page number (default: 1)
`limit`	integer	Results per page (default: 20, max: 100)
`mine`	boolean	Filter to your own listings (requires listings:read scope)

bashExample

curl "https://www.boatfront.com/api/listings?page=1&limit=10" \
  -H "Authorization: Bearer YOUR_TOKEN"

jsonResponse

{
  "data": [
    {
      "id": "abc123",
      "title": "2022 Sunseeker Manhattan 68",
      "slug": "2022-sunseeker-manhattan-68-abc123",
      "price": 1950000,
      "currency": "GBP",
      "category": "motor",
      "location": { "city": "Southampton", "country": "GB" },
      "images": ["https://r2.boatfront.com/..."],
      "status": "active"
    }
  ],
  "total": 142,
  "page": 1,
  "limit": 10
}

POST/api/listings

Create a new boat listing. Requires listings:write scope.

jsonRequest body

{
  "title": "2023 Beneteau Oceanis 40.1",
  "category": "sail",
  "price": 285000,
  "currency": "GBP",
  "description": "Well-maintained sailing yacht...",
  "specifications": {
    "year": 2023,
    "length_m": 12.18,
    "beam_m": 4.18,
    "draft_m": 2.15
  },
  "location": {
    "city": "Hamble",
    "country": "GB"
  }
}

Brokers API

GET/api/broker/listings

List listings for your brokerage. Requires broker:read scope.

Query parameters

Parameter	Type	Description
`brokerId`	string	Broker ID (required)
`status`	string	Filter by status: active, draft, expired, sold

GET/api/broker/analytics

Get listing analytics for your brokerage. Requires broker:read scope.

jsonResponse

{
  "totalListings": 24,
  "activeListings": 18,
  "totalViews": 12450,
  "totalEnquiries": 89,
  "viewsTrend": [
    { "date": "2026-04-01", "views": 420 },
    { "date": "2026-04-02", "views": 385 }
  ]
}

Scopes

Scopes control what resources an access token can access. Request only the scopes your application needs.

Scope	Description
`openid`	Access your user ID
`profile`	Read your name and profile picture
`email`	Read your email address
`offline_access`	Stay connected when you're not using the app
`listings:read`	View and search boat listings
`listings:write`	Create and manage boat listings
`broker:read`	View broker profiles and analytics
`broker:write`	Manage broker profiles and team

Rate Limits

API requests are rate-limited per client to ensure fair usage. Rate limit information is included in response headers.

Endpoint	Limit	Window
`/api/listings`	100 requests	60 seconds
`/api/broker/*`	60 requests	60 seconds
`/oauth2/token`	20 requests	60 seconds
`/oauth2/authorize`	30 requests	60 seconds
`/oauth2/register`	5 requests	60 seconds

Response headers

http

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 94
X-RateLimit-Reset: 1713234060

When rate limited, the API returns a 429 Too Many Requests response. Retry after the X-RateLimit-Reset timestamp.

Errors

The API returns standard HTTP status codes. Error responses include a JSON body with details:

jsonError response format

{
  "error": "A human-readable error message",
  "code": "ERROR_CODE"
}

Status	Code	Description
`400`	`BAD_REQUEST`	Invalid request parameters or body
`401`	`UNAUTHORIZED`	Missing or invalid authentication
`403`	`FORBIDDEN`	Insufficient permissions or scope
`404`	`NOT_FOUND`	Resource does not exist
`409`	`CONFLICT`	Resource already exists (e.g. duplicate email)
`429`	`RATE_LIMITED`	Too many requests — slow down
`500`	`INTERNAL_ERROR`	Server error — contact support if persistent

Discovery Endpoints

Boatfront publishes standard OAuth 2.1 and OpenID Connect discovery metadata:

GET /.well-known/openid-configuration— OIDC discovery metadata

GET /.well-known/oauth-authorization-server— OAuth 2.1 server metadata

GET /api/auth/jwks— JSON Web Key Set for token verification