OAuth2

Cloud Appointments API uses OAuth 2.0 for authentication and authorization. Use your client credentials to call Cloud Appointment's Identity server to receive a session token, which you then include as a bearer token in all requests to the API interfaces.

Expiration

Session tokens expire after 60 minutes; for security reasons, this cannot be changed. A refresh token can be used to allow clients to keep a valid access token without further interaction with the user.

Access Permissions

To achieve fine-grained access control, your access token needs to be decorated with a set of scopes. The scopes are requested when an access token is requested. The table below describes the supported scopes that can be requested and provided to the client.

| Scope | Description |
| --- | --- |
| com.qmatic.saas.appointments/external.appointment.book | Grants access to book an appointment |
| com.qmatic.saas.appointments/external.appointment.reschedule | Grants access to reschedule an appointment |
| com.qmatic.saas.appointments/external.appointment.cancel | Grants access to cancel an appointment |

Retrieve Access Token

Before you begin, you need to Base64-encode your clientId and clientSecret, which your QMATIC representative will provide you with.

Once you have your client values, you will need to encode them in Base64. You can do this with a website such as this or use the command below in a bash terminal, where CLIENT_ID and CLIENT_SECRET are the values from Qmatic.

echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64

Example:

echo -n "5lm7djk7jevsfgaqddalpfu06v:2a6f2cbhtre8mt5tbicf46su5fdsodom24q35f6ds9qu0p6fs016z" | base64

Also note that you may get two lines when running this command; be sure to remove any newlines. Example below.

$ echo -n "5lm7djk7jevsfgaqddalpfu06v:2a6f2cbhtre8mt5tbicf46su5fdsodom24q35f6ds9qu0p6fs016z" | base64
NWxtN2RqazdqZXZzZmdhcWRkYWxwZnUwNnY6MmE2ZjJjYmh0cmU4bXQ1dGJpY2Y0NnN1NWZkc29k
b20yNHEzNWY2ZHM5cXUwcDZmczAxNno=

The value should be NWxtN2RqazdqZXZzZmdhcWRkYWxwZnUwNnY6MmE2ZjJjYmh0cmU4bXQ1dGJpY2Y0NnN1NWZkc29kb20yNHEzNWY2ZHM5cXUwcDZmczAxNno=

Your clientId and clientSecret should be kept secret and should never be exposed in an end user's browser, for example.

API Request Values:

URLS:

| URL | Region |
| --- | --- |
| https://api.eu-west-1.qmatic.io/oauth2/token | eu-west-1 |
| https://api.us-east-1.qmatic.io/oauth2/token | us-east-1 |

Parameters:

| Type | Key | Value |
| --- | --- | --- |
| Header | Authorization | Basic base64-encoded-token |
| Header | X-ACCOUNT | tenant-account-name |
| Header | Content-Type | application/x-www-form-urlencoded |
| Body | grant_type | client_credentials |
| Body | scope | com.qmatic.saas.appointments/external.appointment.book |

Now that you have these values, you can run a curl command or use an application like Postman to get the token.

Curl example using tenant isb for reference and only one scope; additional scopes can be added, separated by spaces.

curl --location 'https://api.eu-west-1.qmatic.io/oauth2/token' \
    --header 'Authorization: Basic REDACTED' \
    --header 'X-ACCOUNT: REDACTED' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Cookie: XSRF-TOKEN=27a92aa6-e204-4aea-b77a-2e3a3772de41' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=com.qmatic.saas.appointments/external.appointment.book'

If done correctly, the above command will return:

{
"access_token":"...",
"expires_in":3600,
"token_type":"Bearer"
}
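
The same token request as a reusable shell helper. This is an added example, not Qmatic's code: it encodes the credentials on one line regardless of base64 line wrapping and passes the Authorization header to curl on stdin instead of the command line. The function names and the CLIENT_ID / CLIENT_SECRET environment variables are assumptions.

```shell
# Added example (not Qmatic's code); function names are hypothetical.
# Expects CLIENT_ID and CLIENT_SECRET in the environment, e.g. injected
# by a secret manager, so they are never typed into shell history.

# Basic credentials on a single line. GNU base64 wraps its output at
# 76 columns; tr removes the wrapping and works with GNU and BSD tools.
basic_credentials() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Emit a curl config for the token endpoint. Piped into `curl --config -`,
# it keeps the Authorization header out of the process argument list.
# $1 = region, $2 = X-ACCOUNT value, $3 = space-separated scopes
token_request_config() {
    : "${CLIENT_ID:?not set}" "${CLIENT_SECRET:?not set}"
    case "$1" in
        eu-west-1|us-east-1) ;;
        *) echo "unsupported region: $1" >&2; return 1 ;;
    esac
    printf 'url = "https://api.%s.qmatic.io/oauth2/token"\n' "$1"
    printf 'header = "Authorization: Basic %s"\n' \
        "$(basic_credentials "$CLIENT_ID" "$CLIENT_SECRET")"
    printf 'header = "X-ACCOUNT: %s"\n' "$2"
    printf 'header = "Content-Type: application/x-www-form-urlencoded"\n'
    printf 'data-urlencode = "grant_type=client_credentials"\n'
    printf 'data-urlencode = "scope=%s"\n' "$3"
}

# Read the token response on stdin and print only the access_token value.
extract_access_token() {
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Request a token and print it; curl fails on an HTTP error status.
fetch_access_token() {
    token_request_config "$1" "$2" "$3" |
        curl --silent --show-error --fail --config - |
        extract_access_token
}

# Usage:
#   TOKEN=$(fetch_access_token eu-west-1 "$ACCOUNT" \
#       "com.qmatic.saas.appointments/external.appointment.book")
```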

Postman Example:

[Two Postman screenshots in the original]