  • Authentication

    OAuth2

    Cloud Appointments API uses OAuth 2.0 for authentication and authorization. Use your client credentials to call the Cloud Appointments Identity server to receive a session token, which you then include as a bearer token in all requests to the API interfaces.

    Expiration

    Session tokens expire after 60 minutes; for security reasons this cannot be changed. A refresh token can be used to allow clients to continue to have a valid access token without further interaction with the user.

    Access Permissions

    To achieve fine-grained access control, your access token needs to be decorated with a set of scopes. Scopes are requested when the access token is requested. The table below describes the supported scopes that can be requested by, and provided to, a client.

    | Scope | Description |
    | --- | --- |
    | com.qmatic.saas.appointments/external.appointment.book | Grants access to book an appointment |
    | com.qmatic.saas.appointments/external.appointment.reschedule | Grants access to reschedule an appointment |
    | com.qmatic.saas.appointments/external.appointment.cancel | Grants access to cancel an appointment |

    Retrieve access token

    Before you begin, you need to base64-encode your clientId and clientSecret, which your QMATIC representative will provide you with.

    # tr -d '\n' removes the line wrap that GNU base64 inserts after 76 characters
    BASIC_AUTH=$(printf '%s' "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')

    Your clientId and clientSecret should be kept secret and should never be exposed in an end user’s browser, for example.

    This curl command exemplifies the retrieval of an access token.

    curl -H "Authorization: Basic ${BASIC_AUTH}" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "X-ACCOUNT: ${ACCOUNT_NAME}" \
      -d "grant_type=client_credentials&scope=${SCOPES}" \
      -X POST https://api.eu-west-1.qmatic.io/oauth2/token

    ${SCOPES} must be space-separated if multiple scopes are requested. ${ACCOUNT_NAME} should be replaced by the name of your QMATIC account in lowercase with any spaces
    stripped off.

    The above command will yield:

    {
    "access_token":"...",
    "expires_in":3600,
    "token_type":"Bearer"
    }

    Request example:

    Your request should look something like this:

    curl --request POST 'https://[SUBDOMAIN]/oauth2/token' \
    --header 'X-ACCOUNT: [system name without spaces, lowercased]' \
    --header 'Authorization: Basic N21yNzJlbjdxc2lrZG8zNjFkbnU4MGFnc3E6MTNoOGY4aWVldHE5Zjhyamczam92YzVzbzhqcWpmc3JzM2k3MjFyYXEydWgyNWJiZ2VkcQ==' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=com.qmatic.saas.appointments/external.appointment.book' \
    --data-urlencode 'x-account=system name without spaces, lowercased'
