Bookings are read from the PMS tables. The URL uses a public code; the session token is hidden in an HttpOnly cookie and auto-rotates.
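One way a cookie-held, auto-rotating session token can sit beside a public URL code, as an added example that is not this application's own code. The cookie name, rotation interval, in-memory store and the `Secure`/`SameSite` attributes are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

ROTATE_AFTER = 300   # seconds; assumed rotation interval
COOKIE_NAME = "sid"  # assumed cookie name


class SessionStore:
    """In-memory store (assumption) keyed by SHA-256 of the token, so raw tokens are never kept."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token hash -> (public_code, issued_at)
        self._clock = clock

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, public_code):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._h(token)] = (public_code, self._clock())
        return token

    def check(self, public_code, token):
        """Return (ok, new_token). new_token is set only when the token was rotated."""
        key = self._h(token or "")
        entry = self._sessions.get(key)
        # The public code only selects the record; the cookie token is the credential.
        if entry is None or entry[0] != public_code:
            return False, None
        if self._clock() - entry[1] >= ROTATE_AFTER:
            del self._sessions[key]  # the old token stops working at once
            return True, self.issue(public_code)
        return True, None


def set_cookie_header(token):
    """Build the Set-Cookie value; HttpOnly keeps the token out of reach of page scripts."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()
```

Deleting the old token at rotation means a request still in flight with it is rejected; a short grace window for the previous token is a common trade-off.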