Time-Check

API Reference

Overview

The Time-Check API provides privacy-preserving calendar availability sharing through a RESTful interface. All sensitive data is encrypted end-to-end, ensuring zero-knowledge architecture where servers cannot access personal calendar information.

Table of Contents

• Authentication
• Base URL & Versioning
• Request Format
• Response Format
• Error Handling
• Rate Limiting
• Endpoints
• Data Models
• Security
• SDKs & Libraries

Authentication

Time-Check uses anonymous authentication with cryptographic keys instead of traditional user accounts.

Anonymous Device IDs

Each client generates a unique anonymous device identifier:

• Format: UUIDv4 string
• Rotation: Automatically rotates to prevent tracking
• Scope: Used only for request routing and rate limiting

Cryptographic Keys

Each availability request uses unique encryption keys:

• Algorithm: NaCl Box (Curve25519 + XSalsa20 + Poly1305)
• Key Generation: Client generates fresh key pairs for each request
• Public Key: Included in request for response encryption
• Private Key: Kept locally for response decryption

Base URL & Versioning

Production

https://prod.api.time-check.com/api/v1/

Staging

https://staging.api.time-check.com/api/v1/

Version Support

• Current Version: v1
• Deprecation Policy: 12 months notice for breaking changes
• Backward Compatibility: Maintained within major versions

Request Format

Content Type

All requests must use JSON content type:

Content-Type: application/json

Headers

Required headers for all requests:

Content-Type: application/json
User-Agent: TimeCheck/1.0 (iOS; Device)

Authentication Header

Requests include anonymous device ID:

X-Device-ID: 550e8400-e29b-41d4-a716-446655440000

Response Format

Success Response

{
  "success": true,
  "data": {
    // Response data
  },
  "metadata": {
    "request_id": "req_123456789",
    "timestamp": "2024-01-15T10:30:00Z",
    "version": "v1"
  }
}

Error Response

{
  "success": false,
  "error": {
    "code": "INVALID_REQUEST",
    "message": "The request is malformed or missing required fields",
    "details": {
      "field": "email_address",
      "reason": "Invalid email format"
    }
  },
  "metadata": {
    "request_id": "req_123456789",
    "timestamp": "2024-01-15T10:30:00Z",
    "version": "v1"
  }
}

Error Handling

HTTP Status Codes

• 200: Success
• 400: Bad Request - Invalid request format
• 401: Unauthorized - Invalid authentication
• 403: Forbidden - Access denied
• 404: Not Found - Resource not found
• 429: Too Many Requests - Rate limit exceeded
• 500: Internal Server Error - Server error
• 503: Service Unavailable - Maintenance mode

Error Codes

• INVALID_REQUEST: Malformed request data
• INVALID_EMAIL: Invalid email address format
• REQUEST_NOT_FOUND: Availability request not found
• ENCRYPTION_ERROR: Encryption/decryption failure
• RATE_LIMIT_EXCEEDED: Too many requests
• SERVICE_UNAVAILABLE: Service temporarily unavailable

Rate Limiting

Limits

• Requests: 100 requests per hour per device ID
• Availability Requests: 20 new requests per hour per device ID
• Check-ins: 60 check-ins per hour per device ID

Headers

Rate limit information is included in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1642248600

Endpoints

Submit Availability Request

Submit a request to check someone’s calendar availability.

Endpoint: POST /requests

Request Body:

{
  "email_address": "joe@company.com",
  "requestor_id": "alex_device_123",
  "public_key": "base64_encoded_public_key",
  "start_date": "2024-01-15",
  "end_date": "2024-01-19",
  "time_zone": "America/New_York"
}

Response:

{
  "success": true,
  "data": {
    "request_id": "req_7f8a9b2c3d4e5f6g",
    "status": "pending",
    "expires_at": "2024-01-16T10:30:00Z",
    "estimated_response_time": "2-5 minutes"
  }
}

Client Check-in

Clients check in to receive pending availability requests.

Endpoint: POST /checkin

Request Body:

{
  "device_id": "device_456789",
  "capabilities": ["calendar_access"],
  "last_checkin": "2024-01-15T10:25:00Z"
}

Response:

{
  "success": true,
  "data": {
    "pending_requests": [
      {
        "request_id": "req_7f8a9b2c3d4e5f6g",
        "encrypted_request": "base64_encoded_encrypted_data",
        "public_key": "base64_encoded_public_key",
        "priority": "normal"
      }
    ],
    "next_checkin": "2024-01-15T10:35:00Z"
  }
}

Submit Availability Response

Submit an encrypted availability response for a request.

Endpoint: POST /responses

Request Body:

{
  "request_id": "req_7f8a9b2c3d4e5f6g",
  "encrypted_response": "base64_encoded_encrypted_availability_data",
  "response_hash": "sha256_hash_of_plaintext_response"
}

Response:

{
  "success": true,
  "data": {
    "response_id": "resp_1a2b3c4d5e6f7g8h",
    "status": "delivered",
    "timestamp": "2024-01-15T10:32:00Z"
  }
}

Retrieve Availability Response

Retrieve the encrypted availability response for a request.

Endpoint: GET /requests/{request_id}/response

Query Parameters:

• requestor_id: The original requestor device ID

Response:

{
  "success": true,
  "data": {
    "request_id": "req_7f8a9b2c3d4e5f6g",
    "encrypted_response": "base64_encoded_encrypted_availability_data",
    "response_hash": "sha256_hash_of_plaintext_response",
    "responded_at": "2024-01-15T10:32:00Z",
    "expires_at": "2024-02-14T10:32:00Z"
  }
}

Health Check

Check API service health and status.

Endpoint: GET /health

Response:

{
  "success": true,
  "data": {
    "status": "healthy",
    "version": "v1.2.3",
    "uptime": 86400,
    "features": {
      "encryption": "enabled",
      "rate_limiting": "enabled",
      "monitoring": "enabled"
    }
  }
}

Data Models

Availability Request

{
  "request_id": "string",
  "email_address": "string (email)",
  "requestor_id": "string (UUID)",
  "public_key": "string (base64)",
  "start_date": "string (YYYY-MM-DD)",
  "end_date": "string (YYYY-MM-DD)", 
  "time_zone": "string (IANA timezone)",
  "status": "pending|processing|completed|expired",
  "created_at": "string (ISO 8601)",
  "expires_at": "string (ISO 8601)"
}

Availability Response

{
  "response_id": "string",
  "request_id": "string", 
  "encrypted_response": "string (base64)",
  "response_hash": "string (SHA256)",
  "status": "pending|delivered|expired",
  "responded_at": "string (ISO 8601)",
  "expires_at": "string (ISO 8601)"
}

Availability Bitmap

The decrypted availability response contains a compressed bitmap:

{
  "start_date": "2024-01-15",
  "end_date": "2024-01-19",
  "time_zone": "America/New_York",
  "granularity_minutes": 15,
  "availability_bitmap": "base64_encoded_compressed_bitmap",
  "busy_periods": [
    {
      "start": "2024-01-15T09:00:00Z",
      "end": "2024-01-15T10:30:00Z"
    }
  ]
}

Error Model

{
  "code": "string",
  "message": "string",
  "details": {
    "field": "string",
    "reason": "string",
    "allowed_values": ["array"]
  }
}

Security

Encryption Details

• Algorithm: NaCl Box (Curve25519 ECDH + XSalsa20 + Poly1305 MAC)
• Key Size: 32 bytes (256 bits)
• Nonce: 24 bytes (192 bits), randomly generated per message
• Authentication: Poly1305 MAC prevents tampering

Request Flow Security

1. Key Generation: Client generates ephemeral key pair
2. Request Encryption: Request details encrypted with recipient’s public key
3. Server Routing: Server routes encrypted request (cannot decrypt)
4. Response Encryption: Response encrypted with requestor’s public key
5. Secure Retrieval: Only requestor can decrypt response

Data Protection

• Zero Knowledge: Server cannot access plaintext request/response data
• Perfect Forward Secrecy: Unique keys per request prevent historical decryption
• Automatic Expiration: All data automatically deleted after 30 days
• Minimal Metadata: Only essential routing information stored

SDKs & Libraries

Official SDKs

• iOS SDK: Native Swift SDK for iOS applications
• Go Client: Reference implementation in Go
• JavaScript SDK: Browser and Node.js support (planned)

Community Libraries

• Python Client: Community-maintained Python library
• Ruby Gem: Community-maintained Ruby library
• PHP Client: Community-maintained PHP library

Example Usage (Go)

package main

import (
    "github.com/zoratu/time-check-go-sdk"
)

func main() {
    client := timecheck.NewClient("https://prod.api.time-check.com/api/v1/")
    
    request := &timecheck.AvailabilityRequest{
        EmailAddress: "joe@company.com",
        RequestorID:  "alex_device_123",
        StartDate:    "2024-01-15",
        EndDate:      "2024-01-19",
        TimeZone:     "America/New_York",
    }
    
    response, err := client.SubmitRequest(request)
    if err != nil {
        log.Fatal(err)
    }
    
    // Wait for response...
    availability, err := client.GetResponse(response.RequestID, request.RequestorID)
    if err != nil {
        log.Fatal(err)
    }
    
    // Decrypt and process availability...
}

---

Note: This API reference covers the Time-Check REST API. For client implementation examples, see our GitHub repository. For iOS-specific integration, see the iOS App documentation.