Client Credentials

Authentication in Version 3.0.0

OnSched version 3.0.0 uses Google Cloud's enterprise-grade data encryption and 99.95% uptime reliability. Data is automatically encrypted at rest and in transit using AES-256 encryption, ensuring the highest level of security for your applications and user data. With built-in redundancy, load balancing, and a globally distributed infrastructure, OnSched also guarantees high availability and minimal downtime.

You can now obtain an Access Token from the V3 Dashboard, Access Tokens will expire after 60 minutes, if you wish to make requests from your application you will need to create a backend function that refreshes the access token using the Refresh Token which can also be obtained from your V3 Dashboard.

Session Bearer Token

An access token is a short-lived credential that must be included as a Bearer token authentication header on all requests to the OnSched API.

Company API Key (x-api-key header)

The Company API Key (included in the request as the x-xpi-key header) will define from which of your Companies to fetch data. Instead of managing multiple client credentials for each OnSched Company that you create, you can instead create Companies under the same user Account in the Dashboard, then access them using the same access token!

The Company (authenticated with the access token) must be a part of your Organization to return a successful response. The Company API Key must be used in conjunction with a valid access token or the Public Client ID, and therefore may be exposed.

Refresh Token

....

....

......

Public Client ID (x-client-id header)

The Public Client ID (included in the request as the x-client-id header) fetch data from public endpoints only. These include requests such as GET /availability and POST /appointment. You may disable use of the Public Client ID by deleting the ID via the API.