[Bug] Adding attendees to existing bookings via the API returns a 403 Forbidden error,

[linear]

Summary

Adding attendees to existing bookings via the API returns a 403 Forbidden error, preventing users from adding new participants. Additionally, v2 API does not currently support adding attendees at all, forcing reliance on v1, which also fails to send invitation or confirmation emails to the newly added attendee.

Steps to Reproduce

1. Use the v1 API endpoint: POST /attendees
2. Include a valid bookingId, email, name, and timeZone in the request body.
3. Observe the API response.

Expected Result

• The attendee should be successfully added to the existing booking.
• The new attendee should receive the standard invitation and confirmation emails.
• The API should respond with a 200 OK or 201 Created.

Actual Result

• API returns a 403 Forbidden error.
• No attendee is added to the booking.
• No confirmation or invitation emails are sent.

Impact

• Severity: S1 (Critical) — This issue blocks a customer demo and delays potential revenue.
• Users affected: All API users attempting to manage attendees for existing bookings (particularly enterprise and integrations).

Notes

• v1 allows attendee creation but lacks email notifications.
• v2 currently does not support adding attendees to existing bookings.
• Related request: prioritizing attendee management via v2 API.
• Issue is time-sensitive — customer waiting for resolution to proceed with integration and payment.
• Confirmed reproducible using valid API keys and booking IDs.

[linear]

CAL-6527