coreplus API

The coreplus API provides access to appointment booking related end points, such as clients, practitioners, availability slots and appointments. It is a RESTful API, which utilises the HTTP verbs for creating viewing objects.

If you are a developer looking to create an external consumer server to server application for your coreplus clients, then by signing up for a sandbox account you will get access to your own trial coreplus account on our sandbox server with authorisation credentials.

If you have any questions regarding the API documentation, please do not hesitate to contact us at


Q. I keep getting a “429 Client Error – Too Many Requests for url: xxxxx ” ?

A. The current limit of calls is restricted to 10 requests per second. We recommend ensuring your HTTP client code is configured to follow this rate limit.


Q. I’m receiving an Invalid token error when I try to make an API call.

A. This problem is most often caused by an invalid authorisation as the error reports. Either the token you have created is incorrect or the authorisation header containing the token is incorrect. We would recommend you re-read the pages on creating a Jwtoken and Authentication carefully taking note of the specifics in the description sections. Some common causes that other developers have had previously are:

  • Not setting the nbf and exp fields of the token in UTC Unix time. At there is an explanation of unix time and at you can see an example of the current UTC Unix time.
  • It could be caused by not specifying the content type as “application/json” in the authorisation header
  • It can be caused by not formatting the authorisation field value correctly with a space between “JwToken” and the actual encoded jwtoken string


Q. I’m receiving an Invalid token error after I published my app to the production environment but it still works on the sandbox environment.

A. We receive support calls about this very frequently. In almost all cases, the developer has not updated their application to use the production environment api credentials and they are still using the sandbox credentials when trying to connect to the production url. If you are experiencing this problem we suggest you.

  1. Double check the: Consumer Id, Access Token, Secret and the URL you are connecting to. Make sure they are using the values provided to you for the production environment and not the sandbox environment. It is probably a good idea to build your app so you can easily modify these parameters to be able to adapt from one environment to another and also in the event that you want to publish your app to multiple coreplus customers.
  2.  It is always a good idea to ensure you can decode your own JwToken with the credentials you have been provided with. For example if you were using the python language as has been used for most of the examples here, you would using the following code snippet to test your token.

import jwt
jwt.decode(jwt=jwtoken, key=secret, verify=True, algorithm='HS256')

The result from this query should say Signature Verified or Signature Expired depending on whether you ran it before the expiry time used in the construction of the token. If the result is Signature Verification Failed then it means either the secret or the algorithm you are testing with, doesn’t match what you created the token with. Other programming languages will have similar functionality for decoding JwTokens.


Q. I am not able to get practitioner details via the API ?

A. For practitioners to be visible via the API they need to be published. You can do this by going to Setup > Settings > User Profile and ticking ‘Publish’ and then ‘Save’.



Q. When I try to call one or more particular endpoints I receive the following 401 error:

{“result”=>[{“severity”=>2, “reason”=>”Not authorized for viewing <some part of the target endpoint>”}]}.


{"result"=>[{"severity"=>2, "reason"=>"Not authorized for viewing client list"}]}

A. You may not have selected sufficient permissions in the application details when you were setting up the application. In the above example there is a permission called “VIEW_CLIENTLIST”. If that was not ticked when you enabled your application, you will receive the error in the example when you try to query it.

Alternatively you may have added a permission after the application was enabled. The applications effective permissions will not be updated until you re-enable the application. Simply disable, then enable the application again and it will have the new permission set.

To locate the application details page follow the directions on page


Q. I changed the permissions in my app settings, but I’m still getting unauthorised errors when using the related endpoint?

A. After you’ve changed your application permissions from within coreplus, you will need to go to Settings > Add ons and open your app, then disable and re-enable to activate the changes. This also applies to all other changes in the app’s settings found in the Developer > Applications area. In the production environment the requirement to re-enable forces the customer to agree to the terms and conditions again, so you may want to consider updating the terms and conditions.


Q. Does coreplus allow all types of user agents in the headers?

A. coreplus may block generic user agents, such as WordPress default. If that happens, change the user agent of your application and try to call the API again.

Develop with us

Use the form to sign-up and start developing with coreplus today.

Please leave this field empty.