Versions Compared

Old Version 1

changes.mady.by.user Iryna Ananko

Saved on

compared with

New Version Current

changes.mady.by.user Iryna Ananko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

OAuth2

Cloud Appointments API requires authentication, to obtain access clients need to have an access token . This is accomplished by utilizing the standard OAuth2 Client Credentials flow. To obtain an access token you must first have a ClientID and a ClientSecret in place, which your QMATIC representative will provide you withuses OAuth 2.0 for authentication and authorization. Use your client credentials to call Cloud Appointment's Identity server in order to to receive a session token, with which you are able to include as a bearer token for all requests to the API Interfaces.

Expiration

Session tokens expire after 60 minutes, for security reasons this cannot be changed. A refresh token can be used in order to allow clients to continue to have a valid access token without further interaction with the user.

Access Permissions

To achieve fine grained access control, your access token needs to be decorated with a set of scopes. The scopes are requested when an access token is requested. The table below describes the different scopes that are supported and can be requested, provided to client.

Scope

Description

com.qmatic.saas.appointments/external.appointment.book

Grants access to
book an
appointment

com.qmatic.saas.appointments/external.appointment.reschedule

Grants access to
reschedule an
appointment

com.qmatic.saas.appointments/external.appointment.cancel

Grants access to
cancel an
appointment

Retrieve access token

Before you begin, you need to base64 encode your clientId and clientSecret which your QMATIC representative will provide you with.

...

This curl command exemplifies the retrieval of an access token.

Code Block
curl -H "Authorization: Basic ${BASIC_AUTH}"

...

 \
-H "Content-Type: application/x-www-form-urlencoded"

...

 \
-H "X-ACCOUNT: ${ACCOUNT_NAME}"

...

 \
-d "grant_type=client_credentials&scope=${SCOPES}"

...

 \
-X POST https://api.eu-west-1.qmatic.io/oauth2/token

${SCOPES} must be space-separated if multiple scopes are requested. ${ACCOUNT_NAME} should be replaced by the name of your QMATIC account in lowercase with any spaces
stripped off.

...

{
"access_token":"...",
"expires_in":3600,
"token_type":"Bearer"
}The default expiration for an access token is set to 1 hour which means that a new access token
need to be refreshed every hour.

Request example:

Your request should look something like this:

curl POST 'https://[SUBDOMAIN]/oauth2/token' \
--header 'X-ACCOUNT: [system name without spaces, lowercased]
--header 'Authorization: Basic N21yNzJlbjdxc2lrZG8zNjFkbnU4MGFnc3E6MTNoOGY4aWVldHE5Zjhyamczam92YzVzbzhqcWpmc3JzM2k3MjFyYXEydWgyNWJiZ2VkcQ==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=com.qmatic.saas.appointments/external.appointment.book' \
--data-urlencode 'x-account=system name without spaces, lowercased'