> ## Documentation Index
> Fetch the complete documentation index at: https://developers.safarapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Detailed agency record

> Full record for one Safariat agency or independent guide: profile, contact, social links, certifications, badges, aggregate rating and total number of active adventures currently in the catalog. The `id` is the agency identifier returned in `AdventureSummary.agency.id` (or in any review whose `reviewable_type` is `AGENCY`).
Inactive or deleted agencies return `404`.



## OpenAPI

````yaml /api-reference/openapi.yaml get /agencies/{id}
openapi: 3.1.0
info:
  title: SafarAPI
  version: 1.0.0
  summary: B2B API for banking partners — Safariat catalog and booking
  description: >
    SafarAPI lets banking partners integrate the Safariat travel catalog into
    their

    authenticated customer areas and book on behalf of their own end customers
    who are

    already authenticated and KYC-verified on the bank side.


    ## Channel model

    - The traveler never authenticates with Safariat.

    - Payment is collected on the banking platform (out-of-band from Safariat).

    - The bank submits the HMAC-signed payment confirmation at booking time.

    - Monthly post-payment settlement (see `GET /settlements`).


    ## Authentication

    Bearer API key in the `Authorization` header. Format
    `sk_live_<prefix>_<secret>` (production)

    or `sk_test_<prefix>_<secret>` (sandbox). The secret is shown only once at
    key generation —

    Safariat stores only an argon2id hash.


    ## Write request signing

    Production write requests (`POST`, `PUT`, `DELETE`) additionally require:

    - `X-Timestamp`: Unix timestamp in seconds, validity window ±5 minutes.

    - `X-Signature`: `hex(HMAC_SHA256(secret,
    "{timestamp}\n{method}\n{path}\n{body}"))`.

    - `Idempotency-Key`: opaque string unique per operation (UUID v4
    recommended),
      retained for 24 h. Replayed responses carry an `Idempotent-Replayed: true` header.

    Request signing applies only to production `sk_live_*` keys. Sandbox
    `sk_test_*` keys are

    exempt from request signing: `X-Signature` and `X-Timestamp` are not
    required for writes

    in the sandbox (so the developer-portal "Try it" playground works end to
    end).

    `Idempotency-Key` is still required on writes in both environments.


    ## Error format

    All errors follow the `Error` schema with a stable i18n code, an English
    message, and the

    `request_id` for correlation with Safariat logs.


    ## Versioning

    URL-based versioning (`/v1`). No breaking changes within a version. Removals
    are announced

    6 months in advance via the `Sunset` header (RFC 8594).


    ## Rate limiting

    Default limit of 600 req/min per key, contractually adjustable. The
    `X-RateLimit-Limit`,

    `X-RateLimit-Remaining`, and `X-RateLimit-Reset` headers are returned on
    every response.

    Exceeding the limit → `429 Too Many Requests` plus the `Retry-After` header.


    ## Sandbox

    An `sk_test_*` key targets the same infrastructure as production but
    isolates bookings in

    `test_mode=true`: no real email is sent, no settlement is issued, and
    webhooks are marked

    `test: true`.
  contact:
    name: SafarAPI Team
    email: api@safariat.ma
    url: https://developers.safariat.ma
  license:
    name: Proprietary — use subject to a signed partner agreement
  termsOfService: https://safariat.ma/legal/partner-terms
servers:
  - url: https://api.safarapi.com/api/partner/v1
    description: >-
      Production and sandbox share this host. The environment is selected by the
      API key prefix: sk_live_ targets production, sk_test_ targets the sandbox.
security:
  - apiKey: []
tags:
  - name: Meta
    description: Metadata for the current key, service health.
  - name: Catalog
    description: Browsing the Safariat adventure catalog.
  - name: Quotes
    description: Price-locked quotes (30 min TTL) ahead of booking.
  - name: Bookings
    description: Creating, retrieving, and cancelling bookings.
  - name: Settlements
    description: Monthly Safariat → partner payout invoices.
  - name: Webhooks
    description: Managing endpoints that receive Safariat events.
  - name: Team
    description: Members of the partner console workspace and their roles.
  - name: Reviews
    description: Read-only access to traveler reviews on the Safariat catalog.
  - name: Files
    description: Presigned uploads for partner-supplied files (currently review photos).
paths:
  /agencies/{id}:
    get:
      tags:
        - Catalog
      summary: Detailed agency record
      description: >-
        Full record for one Safariat agency or independent guide: profile,
        contact, social links, certifications, badges, aggregate rating and
        total number of active adventures currently in the catalog. The `id` is
        the agency identifier returned in `AdventureSummary.agency.id` (or in
        any review whose `reviewable_type` is `AGENCY`).

        Inactive or deleted agencies return `404`.
      operationId: getAgency
      parameters:
        - in: path
          name: id
          required: true
          schema:
            type: string
            format: uuid
          description: Agency identifier.
      responses:
        '200':
          description: Agency found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Agency'
              example:
                id: 1c2d3e4f-5a6b-4c7d-8e9f-0a1b2c3d4e5f
                slug: sahara-demo-trekking
                name: Sahara Demo Trekking
                type: AGENCY
                description: Family-run desert specialists based in Marrakech since 2008.
                long_description: >
                  Sahara Demo Trekking is a Marrakech-based operator focused on
                  small-group

                  desert circuits, with a permanent camp in Erg Chebbi and
                  certified local guides.
                logo_url: https://placehold.co/256x256?text=LOGO
                cover_image_url: https://placehold.co/1600x900?text=COVER
                location: Marrakech, Morocco
                city: Marrakech
                country: Maroc
                founded_year: 2008
                team_size: 14
                languages:
                  - fr
                  - en
                  - ar
                specialties:
                  - Desert
                  - Trekking
                  - Cultural
                certifications:
                  - ONMT licensed
                badges:
                  - label: Agence vérifiée
                    icon: CheckCircle
                contact_email: contact@sahara-demo.example
                contact_phone: '+212522000000'
                website: https://sahara-demo.example
                social_links:
                  instagram: https://instagram.com/sahara-demo
                rating:
                  value: 4.7
                  review_count: 184
                total_adventures: 12
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
components:
  schemas:
    Agency:
      type: object
      required:
        - id
        - slug
        - name
        - type
        - total_adventures
        - rating
      description: >
        Public profile of a Safariat partner — either an `AGENCY` (legal entity)
        or

        a `GUIDE` (independent guide). Internal compliance fields (VAT, ICE,
        CIN,

        license numbers, postal address, commercial terms) are intentionally

        omitted from this representation.
      properties:
        id:
          type: string
          format: uuid
        slug:
          type: string
          description: Stable URL-friendly identifier.
          example: sahara-demo-trekking
        name:
          type: string
          example: Sahara Demo Trekking
        type:
          type: string
          enum:
            - AGENCY
            - GUIDE
          description: AGENCY = legal entity, GUIDE = independent licensed guide.
        description:
          type: string
          nullable: true
          description: Short public bio (~ one paragraph).
        long_description:
          type: string
          nullable: true
          description: Full public bio (markdown-free plain text).
        logo_url:
          type: string
          format: uri
          nullable: true
        cover_image_url:
          type: string
          format: uri
          nullable: true
        location:
          type: string
          nullable: true
          description: Human-readable location label (e.g. "Marrakech, Morocco").
        city:
          type: string
          nullable: true
        country:
          type: string
          nullable: true
          description: Defaults to "Maroc" when unset.
        founded_year:
          type: integer
          nullable: true
          minimum: 1900
        team_size:
          type: integer
          nullable: true
          minimum: 0
        languages:
          type: array
          items:
            type: string
          description: >-
            ISO-639-1 language codes the partner team speaks (e.g. fr, en, ar,
            es).
        specialties:
          type: array
          items:
            type: string
        certifications:
          type: array
          items:
            type: string
        badges:
          type: array
          items:
            type: object
            required:
              - label
            properties:
              label:
                type: string
              icon:
                type: string
                nullable: true
                description: Lucide icon name.
        contact_email:
          type: string
          format: email
          nullable: true
        contact_phone:
          type: string
          nullable: true
        website:
          type: string
          format: uri
          nullable: true
        social_links:
          type: object
          nullable: true
          description: >-
            Only present when at least one network is set. Null/missing fields =
            no link.
          properties:
            facebook:
              type: string
              format: uri
              nullable: true
            instagram:
              type: string
              format: uri
              nullable: true
            twitter:
              type: string
              format: uri
              nullable: true
        rating:
          type: object
          required:
            - value
            - review_count
          properties:
            value:
              type: number
              format: float
              minimum: 0
              maximum: 5
            review_count:
              type: integer
              minimum: 0
        total_adventures:
          type: integer
          minimum: 0
          description: Number of active adventures currently published by this partner.
    Error:
      type: object
      required:
        - code
        - message
        - request_id
      properties:
        code:
          type: string
          description: |
            Stable, documented i18n code. Form `domain.subdomain.detail`
            (e.g. `payment.amount.mismatch`, `auth.api_key.invalid`).
          example: validation.required.field
        message:
          type: string
          description: >-
            English message (for bank logs). API errors are never localized on
            the Safariat side.
          example: Field 'rate_pack_id' is required.
        request_id:
          type: string
          description: Unique request ID on the Safariat side.
        details:
          type: object
          description: Optional structured details (offending field, expected value, etc.).
          additionalProperties: true
  responses:
    Unauthorized:
      description: API key missing, invalid, expired, or incorrect HMAC signature.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          examples:
            missing:
              value:
                code: auth.api_key.missing
                message: Authorization header is required.
                request_id: 01HXY2ZRPM3R8K9PSBTRQYNFHC
            invalid:
              value:
                code: auth.api_key.invalid
                message: The provided API key is invalid or has been revoked.
                request_id: 01HXY2ZRPM3R8K9PSBTRQYNFHC
            signatureInvalid:
              value:
                code: auth.signature.invalid
                message: HMAC signature does not match.
                request_id: 01HXY2ZRPM3R8K9PSBTRQYNFHC
            timestampSkew:
              value:
                code: auth.timestamp.skew
                message: Timestamp is more than 5 minutes off server time.
                request_id: 01HXY2ZRPM3R8K9PSBTRQYNFHC
    NotFound:
      description: Resource does not exist or is inaccessible for this partner.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    TooManyRequests:
      description: Rate limit exceeded for the current key.
      headers:
        Retry-After:
          $ref: '#/components/headers/RetryAfter'
        X-RateLimit-Limit:
          $ref: '#/components/headers/XRateLimitLimit'
        X-RateLimit-Remaining:
          $ref: '#/components/headers/XRateLimitRemaining'
        X-RateLimit-Reset:
          $ref: '#/components/headers/XRateLimitReset'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: rate_limit.exceeded
            message: Rate limit exceeded for this API key.
            request_id: 01HXY2ZRPM3R8K9PSBTRQYNFHC
  headers:
    RetryAfter:
      schema:
        type: integer
      description: Seconds to wait before the next attempt (RFC 7231).
    XRateLimitLimit:
      schema:
        type: integer
      description: Request limit per minute for the current key.
    XRateLimitRemaining:
      schema:
        type: integer
      description: Requests remaining in the current window.
    XRateLimitReset:
      schema:
        type: integer
        format: int64
      description: Unix timestamp (s) at which the window resets.
  securitySchemes:
    apiKey:
      type: http
      scheme: bearer
      bearerFormat: sk_live_<prefix>_<secret> or sk_test_<prefix>_<secret>
      x-default: sk_test_DEMO0000_replace_with_your_sandbox_key
      description: >
        API key authentication. Issued by the Safariat admin or via the partner
        portal.

        The secret is shown only once at generation.


        Production `sk_live_*` keys must additionally sign every write request

        (`POST`/`PUT`/`DELETE`) with the `X-Timestamp` and `X-Signature`
        headers.

        Sandbox `sk_test_*` keys are exempt from request signing: `X-Signature`
        and

        `X-Timestamp` are not required for writes in the sandbox (so the
        developer-portal

        "Try it" playground works end to end). The `Idempotency-Key` header
        remains

        required on writes in both environments.

````