coreplus API

The coreplus API provides access to appointment booking related end points, such as clients, practitioners, availability slots and appointments. It is a RESTful API, which utilises the HTTP verbs for creating viewing objects.

If you are a developer looking to create an external consumer server to server application for your coreplus clients, then by signing up for a sandbox account you will get access to your own trial coreplus account on our sandbox server with authorisation credentials.

If you have any questions regarding the API documentation, please do not hesitate to contact us at

Creating a Json Web Token to call the coreplus API

Json Web Token (hereon specified as jwtoken) passes a header, number of claims and signature from the API Consumer to the coreplus API. All jwtokens must be signed, and currently the coreplus API supports the HMAC SHA-256 (HS256) algorithm. All systems generating jwtokens should be synchronized with internet clocks, to ensure jwtokens are not rejected.

The claims that are available are:

Claim Type Description
iss (mandatory) String The issuer of the claim. This should be filled in as the url of the company’s web site.
aud (mandatory) String The audience of the claim. This should be filled in as the url of the company who the token is for (eg:
nbf (mandatory) Long The nbf (not before) claim identifies the time before which the token MUST NOT be accepted for processing.. The UTC unix time at which this token was issued. jwtoken’s will not be accepted if the coreplus API UTC time is before this time.
exp (mandatory) Long The exp (expiration time) claim identifies the expiration time on or after which the token MUST NOT be accepted for processing. The UTC unix time at which this token was issued. This time should be set at 1 minute past the Issued time.
consumerId (mandatory) String(50) The Consumer Id of the application calling the coreplus API. This can be found when setting up your add-on application as per the Create a coreplus add-on page.
accessToken (mandatory) String(50) The Access Token used to identify which Customer the API commands should be executed on. Typically, this can be obtained from the customer as part of the setup process.
url (mandatory) String The url of the actual API request.
httpMethod (mandatory) String The http method (eg: GET, POST) used in the request.

The jwtokens should always be signed. Any jwtoken without a signature will be deemed invalid. The signature should be signed using the HMAC SHA-256 (HS256) algorithm, using the Consumer Secret.

Example encoded jwtoken, where blue is the header, pink is the claims and orange is the signature.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb25zdW1lcklkIjoiQ2xpZW50UG9ydGFsIiwiYWNjZXNzVG9rZW4iOiIwMGY0MjAzYi0xOTAxLTRmOGQtYjliZC05MDM2OGQ1NDMwNDkiLCJ1cmwiOiJodHRwOi8vbG 9jYWxob3N0OjIxNzc0L2FwcG9pbnRtZW50Ym9va2luZy9sb2NhdGlvbiIsImh0dHB NZXRob2QiOiJHRVQiLCJpc3MiOiJodHRwOi8vY2xpZW50cG9ydGFsLmNvcmVwbHVz LmNvbS5hdSIsImF1ZCI6Imh0dHA6Ly9jb3JlcGx1cy5jb20uYXUiLCJleHAiOjE0M

Jwtoken Header


Jwtoken Claims


The following is a very simple straight forward python 3 example of how one might create a Jwtoken and make a request to the Client end point to get a list of all of all the customer's clients:

import jwt
import _datetime
import requests

app_consumer_id = " < your consumer ID here > "
app_consumer_secret = " < your consumer secret here > "
app_access_token = " < your access token goes here > "
base_url = ""
end_point = "/API/Core/v2.1/client/"
httpMethod = "GET"

# obtain the uri for the endpoint I'm going to query for
uri = base_url + end_point

# set up the jwt token claims dictionary
claims = {
    "iss": "",
    "aud": "",
    "nbf": _datetime.datetime.utcnow(),
    "exp": _datetime.datetime.utcnow() + _datetime.timedelta(seconds=60),
    "consumerId": app_consumer_id,
    "accessToken": app_access_token,
    "url": uri,
    "httpMethod": httpMethod

# create the base64 encoded JWtoken string as byte code
encoded_jwt_byte = jwt.encode(claims, app_consumer_secret, algorithm='HS256')

# convert the byte code to a string
jwt_str = str(encoded_jwt_byte, 'utf-8')

# create signing headers
headers = {'Authorization': 'JwToken' + ' ' + jwt_str, 'content-type': 'application/json'}

# send the request and obtain the result
response = requests.get(uri, verify=True, headers=headers, timeout=45)

# print the returned json to my console

Console output from the print statement of the returned JSON

	"clients": [
			"dateOfBirth": "1984-05-07T00:00:00",
			"firstName": "Cathy",
			"gender": "Female",
			"relatedClients": [],
			"lastName": "Johnson",
			"title": "",
			"clientId": "5dbf87f6-e50f-4ca1-9ef9-7e102ee27817",
			"middleName": ""
			"dateOfBirth": "1969-10-14T00:00:00",
			"firstName": "Frank",
			"gender": "Male",
			"relatedClients": [],
			"lastName": "Walker",
			"title": "",
			"clientId": "cc403b9e-de42-47fa-b5d4-d04eccf75344",
			"middleName": ""
	"paging": {
		"pageNumber": 1,
		"totalRows": 2,
		"pageSize": 50
	"statusMessages": []

Develop with us

Use the form to sign-up and start developing with coreplus today.

Please leave this field empty.