Pathé Netherlands API Reference

Bearer token ✓ Saved Stored in localStorage — never sent anywhere except directly to the API.

API Domains

apps.pathe.nl

Public content: movies, cinemas, showtimes, home feed. No authentication required.

s.pathe.nl

Account & booking: login, tickets, tunnel, scan. Requires Bearer token.

c.pathe.nl

Auth URL broker: returns Auth0 authorize URL for PKCE login flow.

login.pathe.me

Auth0 tenant for PKCE/OIDC. Handles user login and returns access tokens.

Required header for all requests:
x-lcpg-mobile-key: and/8.0/prd/fuLi-79Qu8wEeMn5m7m2_Me86YG82srEvP5WPTeh95uC67bH43HJ

This header is injected by CPGHeadersInterceptor. Without it the server returns HTTP 403. The value was recovered by decoding the XOR-obfuscated int arrays in the APK using the HmacSHA512 key derived from ("someKey", "x7GNQQrnKxLeKHfZdvzv8Hmv").

Most endpoints also accept a language query parameter (nl, fr, en). A plain Accept: application/json header is recommended but not required.

Domain	Base URL	Auth	Purpose
apps.pathe.nl	`https://apps.pathe.nl/api/v1/`	None	Public content API
s.pathe.nl	`https://s.pathe.nl/`	Bearer token	Account & booking API
c.pathe.nl	`https://c.pathe.nl/api/v1/`	None	Auth URL broker
login.pathe.me	`https://login.pathe.me/`	—	Auth0 tenant (PKCE/OIDC)
www.pathe.nl	`https://www.pathe.nl/api/`	None	Search proxy
walletobjects.googleapis.com	`https://walletobjects.googleapis.com/walletobjects/v1/`	Google	Google Pay wallet objects

Authentication

Auth0 PKCE

The app uses Auth0 PKCE + OIDC flow. There is no resource-owner password grant — login must go through the browser-based Auth0 flow. The Auth0 client ID is QAYtx0lRPXfh9MtVbXmOKj9ND2rmEgG7 and the tenant is login.pathe.me.

Get Auth0 authorize URL

GET https://c.pathe.nl/api/v1/authUrl — Returns an AuthUrlResponse containing the full Auth0 authorize URL with PKCE code_challenge already embedded.

Open URL in browser

Direct the user to the returned URL (Auth0 Universal Login at login.pathe.me). The user enters their credentials.

Receive authorization code

Auth0 redirects back to the app's custom scheme with ?code=…. Exchange it for tokens using the standard Auth0 token endpoint with your code_verifier.

Use Bearer token

Add Authorization: Bearer {access_token} header to all s.pathe.nl requests.

Refresh on 401

POST https://s.pathe.nl/api/{language}/refresh-authentication — The AuthInterceptor automatically retries with a fresh token on HTTP 401 responses.

Auth0 Configuration

Property	Value
Auth0 Domain	`login.pathe.me`
Client ID	`QAYtx0lRPXfh9MtVbXmOKj9ND2rmEgG7`
Flow	Authorization Code + PKCE
Token endpoint	`https://login.pathe.me/oauth/token`

GET https://c.pathe.nl/api/v1/authUrl Get Auth0 authorize URL

Query Parameters

Name	Type	Required	Description
`language`	string	optional	Language code (`nl`, `fr`)

Response · AuthUrlResponse

{ "url": "https://login.pathe.me/authorize?..." }

POST https://s.pathe.nl/api/{language}/login Login with email/password Auth required

Used for direct credential login. In practice, Auth0 PKCE is the primary flow; this endpoint may be used as a fallback.

Path Parameters

Name	Type	Description
`language`	string	Language code (`nl`, `fr`)

Request Body (JSON)

{ "email": "[email protected]", "password": "..." }

Response · JwtToken

{ "access_token": "eyJ...", "refresh_token": "...", "token_type": "Bearer" }

POST https://s.pathe.nl/api/{language}/refresh-authentication Refresh access token Auth required

Called automatically by AuthInterceptor when a request returns HTTP 401. Send the current refresh_token to receive a new access_token.

Public Content API

No auth required apps.pathe.nl

GET https://apps.pathe.nl/api/v4/cinemas List all cinemas

Query Parameters

Name	Type	Required	Description
`language`	string	optional	Language (`nl`, `fr`)

Response · List<CinemaResponse>

[{ "id": "1", "slug": "amsterdam-reguliersbreestraat", "name": "Amsterdam Reguliersbreestraat", "tags": ["string"], "theaters": [TheaterResponse], "status": true, "comment": "", "backdrop": ImageResponse, "description": "...", "hallCount": 7, "seatCount": 1234, "attachmentCity": "Amsterdam", "department": DepartmentResponse, "refVista": "AMS", "alexPatheGroupId": "..." }]

GET https://apps.pathe.nl/api/v4/cinema/{idCinema}/details Cinema details (prices, services)

Path Parameters

Name	Type	Description
`idCinema`	string	Cinema ID (from /v4/cinemas)

Query Parameters

Name	Type	Description
`language`	string	Language code

Response · CinemaDetailResponse

{ "id": "1", "slug": "...", "legends": {"key": "label"}, "prices": [Price], "additionalPrices": [Price], "services": [ServiceCinema], "ecards": [int], "cinepass": [CinePassResponse], "priceTerms": "...", "slides": [SlideResponse], "vistaRef": "AMS" }

GET https://apps.pathe.nl/api/v4/cinema/{idCinema}/showtimes/{date} Showtimes for a cinema on a date

Path Parameters

Name	Type	Description
`idCinema`	string	Cinema ID
`date`	string	Date in `YYYY-MM-DD` format

Query Parameters

Name	Type	Description
`language`	string	Language code

Response · List<ShowTimeResponse>

[{ "show": "show_id", "theater": "theater_id", "status": "open", "time": "2025-06-01T14:30:00Z", "is3d": false, "tags": ["OV", "NL"], "version": "NL", "reservabilityStart": "...", "reservabilityEnd": "...", "auditoriumCapacity": 180, "auditoriumName": "Zaal 1", "url": "booking_url", "refCmd": "CMD123", "special": SpecialResponse }]

💡 The url field contains a per-showtime booking reference used as the i field in CpgTunnelRequest.

GET https://apps.pathe.nl/api/v6/shows All current shows (v6)

Query Parameters

Name	Type	Description
`language`	string	Language code

Response · List<ShowResponseV5>

Array of show objects. See ShowResponseV5 model — superset of ShowResponse with additional fields.

GET https://apps.pathe.nl/api/v5/show/{idShow} Single show by ID (v5)

Path Parameters

Name	Type	Description
`idShow`	string	Show ID

Query Parameters

Name	Type	Description
`language`	string	Language code

Response · ShowResponseV5

{ "id": "movie_id", "externalId": "...", "slug": "inception", "name": "Inception", "originalTitle": "Inception", "synopsis": "...", "duration": 148, "genres": ["Thriller"], "directors": ["Christopher Nolan"], "actors": ["..."], "nationality": "USA", "poster": ImageResponse, "backdrop": ImageResponse, "trailers": [TrailerResponse], "releasedAt": "2010-07-16T00:00:00Z", "contentRating": ["12"], "tags": ["IMAX"], "isNew": false, "flag": FlagResponse, "categories": {"key": Category}, "showtimesDisplayDate": "...", "salesOpeningDate": "..." }

GET https://apps.pathe.nl/api/v4/show/external/{externalId} Show by external ID

Fetch a show using an external identifier (e.g. partner system ID). Returns ShowResponse.

GET https://apps.pathe.nl/api/v3/cinema/{idCinema}/shows Shows currently playing at a cinema

Path Parameters

Name	Description
`idCinema`	Cinema ID

Response · CinemaShowsResponse

Contains an array of CinemaShow objects linking shows to their showtimes at this cinema.

GET https://apps.pathe.nl/api/v3/show/{showId}/cinemas Cinemas showing a specific movie

Returns ShowCinemasResponse — list of cinemas that have scheduled showings of this show.

GET https://apps.pathe.nl/api/v3/home/{section} Home feed sections

Available Sections

Path	Returns	Description
`/v3/home/current?language=`	List<CurrentFilmResponse>	Currently showing films
`/v3/home/featuring?language=`	List<HomeFeaturingResponse>	Featured films (optionally filter with `&genre=`)
`/v3/home/highlighted?language=`	List<String>	Highlighted show IDs
`/v3/news?language=`	List<NewsResponse>	News articles
`/v3/alerts?language=`	List<AlertResponse>	App alerts/announcements

GET https://apps.pathe.nl/api/v1/gpxp Premium experience technologies (IMAX, 4DX, etc.)

Returns List<TechnoResponse>. Each entry is a premium format (GPXP = Grande Première eXpériences Premium). Use idTechno in the related endpoints below.

Related GPXP Endpoints

Path	Returns	Description
`/v3/gpxp/{idTechno}/shows`	TechnoShowsResponse	Shows using this technology
`/v3/gpxp/{idTechno}/highlighted`	List<String>	Highlighted show IDs for technology
`/v3/gpxp/{idTechno}/{idCinema}/shows`	TechnoShowsResponse	Shows using technology at specific cinema
`/v4/gpxp/{idTechno}/showtimes/{date}`	List<ShowTimeResponse>	Showtimes by technology and date

GET https://apps.pathe.nl/api/v1/{resource} Settings, tags, versions, vouchers, content ratings

URL	Returns	Description
`/v1/settings?language=`	SettingsResponse	App settings (feature flags, config)
`/v1/tags?language=`	List<TagResponse>	Show tags (OV, IMAX, etc.)
`/v1/versions?language=`	List<VersionResponse>	Version metadata
`/v1/vouchers?language=`	List<EcardResponse>	E-card / voucher types
`/v1/content-ratings?language=`	List<ContentRatingResponse>	Age/content rating labels
`/v3/client/feelings?language=`	FeelingShowDetailsResponse	User sentiment options for shows
`/v3/client/show/{showId}/feeling`	FeelingParamResponse	GET/POST user feeling for a show
`/v3/show/{showId}/hot`	FeelingShowDetailsResponse	Trending/hot show details
`/v4/client/shows`	List<ShowResponseV5>	Shows on the client's watchlist

GET https://www.pathe.nl/api/search/full Full-text search

Query Parameters

Name	Type	Description
`language`	string	Language code
`q`	string	Search query

Account & Booking API

Bearer token required s.pathe.nl

All endpoints on s.pathe.nl require the Authorization: Bearer {access_token} header obtained from the Auth0 PKCE flow. The AuthInterceptor automatically refreshes the token on HTTP 401 via POST /api/{language}/refresh-authentication.

GET https://s.pathe.nl/accounts/me?language={language} Current user account info Auth required

Response · UserAccountResponse — key fields

{ "email": "[email protected]", "firstName": "Jan", "lastName": "de Vries", "gender": "M", "phone": "+31...", "lang": "nl", "username": "...", "seatMaps": true, "cinemaId": "1", "cinemaRefVista": "AMS" }

GET https://s.pathe.nl/api/{language}/preferences User preferences Auth required

GET or PATCH user preferences. Returns PreferencesResponse with notification settings, language, favorite genres, etc.

GET https://s.pathe.nl/accounts/me/{sub-resource} Account sub-resources Auth required

URL	Returns	Description
`/accounts/me/cards?language=`	List<CardResponse>	Loyalty/e-cards attached to account
`/accounts/me/prepaids?language=`	List<PrepaidResponse>	Prepaid credits/passes
`/accounts/me/advantages?language=`	List<AdvantageResponse>	Member advantages/rewards
`/accounts/me/goodies?language=`	List<GoodiesResponse>	Goodies/free gifts
`/accounts/me/cinemas?language=`	List<CinemaFavoriteResponse>	Favourite cinemas
`/accounts/me/movieToNote?language=`	List<ShowResponse>	Watchlist (movies to remember)
`/accounts/me/friends?language=`	List<RequestFriendResponse>	Friends list
`/accounts/me/notifications`	—	Push notification settings
`/api/{language}/accounts/me/newsletters`	PreferencesResponse	GET / PATCH newsletter subscriptions
`/api/accounts/prepaids`	List<PrepaidResponse>	All prepaids (no language param)

GET https://s.pathe.nl/api/app/compte/ebillet All e-tickets for current user Auth required

Also available as GET /api/app/compte/{orderToken}/ebillet for a specific order.

Response · List<TicketResponse>

[{ "ticketId": "...", "orderId": "...", "orderRef": "ABC123", "orderToken": "...", "showName": "Inception", "cinemaName": "Amsterdam", "seatName": "Rij 5 Stoel 12", "time": "2025-06-01T14:30:00Z" }]

POST https://s.pathe.nl/api/app/webview Get booking tunnel URL (WebView) Auth required

Booking tunnel: This is the entry point to the ticket purchase flow. The response contains a URL (u) that the app loads in a WebView. The actual seat selection and payment happen inside that WebView via a JavaScript bridge. To build a headless booking flow, you'll need to drive the returned URL with a browser automation tool.

Request Body · CpgTunnelRequest

{ "i": "showtime_url_or_id", // from ShowTimeResponse.url "car": "0", // card ID ("0" = none) "l": null, // language (optional) "c": "1234AB", // postal code "v": "10.6", // app version (hardcoded) "o": "android" // platform (hardcoded) }

Alternative constructors: for e-card only pass car=<ecardId> with empty i. For prepaid pass prog (program code) instead.

Response · CpgTunnelResponse

{ "u": "https://..." // WebView URL to open }

Also: POST /api/app/webview/cs for ClickServe tunnel (response: {"url": "..."}), and POST /api/app/webview with PatheFriendsTunnelRequest body for Pathé Friends.

POST https://s.pathe.nl/api/app/scan Validate a scanned ticket / card Auth required

Request Body · ScanRequest

{ "num": "1234567890" // barcode/QR number }

Response · ScanInfo

Returns validation result with card/ticket info, status, and associated scan data.

POST https://s.pathe.nl/api/app/ebillet/{orderRef}/email/{email}/cancel Cancel a ticket Auth required

Path Parameters

Name	Type	Description
`orderRef`	string	Order reference from `TicketResponse.orderRef`
`email`	string	User's email address

Response · CancelTicketResponse

Confirmation of cancellation. Returns CancelTicketResponse.

GET https://s.pathe.nl/api/google/{language}/eventTicket/{ebilletId} Google Pay JWT for a ticket Auth required

Returns TicketPayJwt — a signed JWT for adding the ticket to Google Wallet. ebilletId is the ticket ID from TicketResponse.

API key decoded ✓ — The CPGHeadersInterceptor injects exactly one obfuscated header recovered by static analysis:
x-lcpg-mobile-key: and/8.0/prd/fuLi-79Qu8wEeMn5m7m2_Me86YG82srEvP5WPTeh95uC67bH43HJ
Decoding: HmacSHA512(key="someKey", data="x7GNQQrnKxLeKHfZdvzv8Hmv") → lowercase hex → XOR each int in the array with the corresponding hex character. Verified live: GET /api/v4/cinemas returns HTTP 200 with this header, HTTP 403 without it.