API docs by Redocly

MOK Integration API (v1)

Download OpenAPI specification:

MokLabs: devs-moklabs@grupomok.com

Integration reference for MOK partners. It covers the Provider Network API (OAuth2) for validating contracts and creating/updating service requests, the webhooks we send for service request events, and the token-authenticated Admin API for loading contracts and point transactions.

Getting started

  1. Request OAuth2 client credentials (client_id / client_secret) and, for the Admin API, an admin user email + token from devs-moklabs@grupomok.com.
  2. Exchange your credentials for a Bearer token at the OAuth2 token endpoint.
  3. Validate a user's contract with GET /api/v1/provider_networks/contracts, then use the returned contract and service ids to create a service request.
  4. Receive status updates on your configured webhook URL (see Webhooks).

Authentication

Provider Network API — OAuth2 Bearer

Send Authorization: Bearer <access_token> on every /api/v1/provider_networks/* request. Tokens are obtained via the client-credentials flow at POST /oauth/token with scope: provider_networks.

Admin API — token headers

The Admin API uses a different audience (sponsor/admin integrators). Send both X-Admin-User-Email and X-Admin-User-Token headers; no OAuth token is required.

Webhooks

Service request events (service_request.created, service_request.updated) are delivered to your configured webhook_url. Each request is signed with an X-Signature HMAC-SHA256 header. See the Webhooks section for payloads and verification.

Changelog

2026-04-29

Contracts
  • Documented the three variable_copayment_* limit types in the limits field (variable_copayment_by_days_of_current_service_request, variable_copayment_by_usage_by_period, variable_copayment_by_accumulated_days_by_period).
  • Added copayment_tiers to the service_limit schema for variable copayment limits.

2025-12-18

Contracts
  • Added limits field to services in the response, containing usage limits information.

2025-12-02

Contracts
  • Added plan_name field to the response.

2025-11-06

Service requests
  • Added access_identifier_kind field to the response.

2025-09-04

Contracts
  • Added external_extra_data field to the response.

2025-08-05

Service requests
  • Added user_email field to the response.
  • Added type (the type of the dynamic form input) to each form answer inside the answers field.

2025-07-21

Contracts
  • Added unique_contract_id, client_contract, and mobile_phone_number fields to the response.

2025-06-18

Service requests
  • Added answers field to the response, it contains the answers from the form if the service has a dynamic form configured.

2025-05-12

Service requests
  • Added user_first_name and user_last_name fields to the response. user_full_name is deprecated and will be removed in the future.
Contracts
  • Added last_name field to the response, it combines surname and second_surname. surname and second_surname may be deprecated in the future so it's recommended to use last_name instead.

Authentication

Obtain an access token

OAuth2 endpoint to obtain an access token using client credentials flow. The access token must be included in all subsequent API requests in the Authorization header.

Example:

Authorization: Bearer your_access_token
Request Body schema: application/json
grant_type
required
string
client_id
required
string
client_secret
required
string
scope
required
string

Responses

Request samples

Content type
application/json
{
  • "grant_type": "client_credentials",
  • "client_id": "109fb51a-ba5a-49d7-92e6-89fc67a63e9f",
  • "client_secret": "v1OINpq6T",
  • "scope": "provider_networks"
}

Response samples

Content type
application/json
{
  • "access_token": "YOUR_ACCESS_TOKEN_HERE",
  • "token_type": "Bearer",
  • "scope": "provider_networks",
  • "created_at": 1777889583
}

Provider Networks

Get provider network info and webhook URL

Retrieves information about the authenticated provider network, including their services that are present in this specific application, and your configured webhook_url.

Webhook Notifications

Service request events are delivered to your configured webhook_url. Rendered API docs also show each event as a dedicated Webhooks entry with its full payload schema.

Events

  • service_request.created: a service request was created from one of our platforms.
  • service_request.updated: a service request was updated from one of our platforms.

Payload

{
  "event": "service_request.created",
  "payload": { ...service request (see the Service Requests schema for all fields) }
}

Security

Each request includes an X-Signature header: an HMAC-SHA256 hex digest of the raw request body, keyed with your webhook_secret. A Webhook-From header carries the sending host. Verify the signature before trusting the payload:

signature = request.headers['X-Signature']
expected  = OpenSSL::HMAC.hexdigest('SHA256', webhook_secret, request.raw_post)
valid     = ActiveSupport::SecurityUtils.secure_compare(signature, expected)

Authentication (optional, configured per provider network)

Requests may also carry credentials via HTTP Basic, a static Bearer token, or a Bearer token fetched from a configured auth URL. Contact us to set or change your webhook_url, secret, or auth mode.

Authorizations:
Bearer

Responses

Response samples

Content type
application/json
{
  • "provider_network": {
    }
}

Contracts

Retrieves contracts for a document identifier, national ID, email, ID or access identifier

Returns a list of contracts associated with the provided document identifier (DNI, mobile phone number, or access code), national ID, email, ID or access identifier. Each contract includes the customer's personal information, contract dates, and available services so you can validate them before creating a service request.

Important: The contract id and service id returned in this response are required to create a service request.

Important

  • The document_identifier field is deprecated and will be removed in the future.
  • The access_identifier field is the new field that will be used to identify the contract.

Service Limits

Each service includes a limits object that describes usage restrictions for the user. The limits field is only present when searching by access_identifier or document_identifier.

Limit Types

  • usage_frequency_by_end_of_contract: Maximum number of uses allowed until the contract ends.
  • usage_frequency_by_period: Maximum number of uses allowed per period (e.g., monthly).
  • waiting_period: Time the user must wait before using the service.
  • max_cost_by_end_of_contract: Maximum cost allowed until the contract ends.
  • max_cost_by_period: Maximum cost allowed per period.
  • max_cost_by_use: Maximum cost allowed per single use.
  • copayment: Copayment amount required for the service.
  • variable_copayment_by_days_of_current_service_request: Copayment that varies based on the number of days of the current service request, defined by tiers.
  • variable_copayment_by_usage_by_period: Copayment that varies based on usage within a period, defined by tiers.
  • variable_copayment_by_accumulated_days_by_period: Copayment that varies based on accumulated days within a period, defined by tiers.

Interpreting Limit Values

  • multiplans_limit: The maximum allowed value (uses or cost).
  • multiplans_limit_progress: Current usage towards the limit.
  • block_service: If true, the user cannot use this service (limit exceeded or waiting period active).
  • multiplans_until_date: Date until which the limit applies (format: dd/mm/yyyy).
  • copayment_tiers: Array of tiers describing the copayment structure for variable copayment limits. Only present for variable_copayment_* limit types.

Quick Check

  • Use has_any_limits to check if any limits are configured for the service.
  • Use block_service (at the root level) to check if the service is blocked due to any limit.
Authorizations:
Bearer
query Parameters
document_identifier
string

Document identifier to search contracts for. Can be one of:

  • DNI/National ID (e.g. "12345678-9")
  • Mobile phone number with or without country code, the country code will be automatically added if missing.
  • Access code (e.g. "123456")
access_identifier
string

Access identifier to search contracts for. Can be one of:

  • DNI/National ID (e.g. "12345678-9")
  • Mobile phone number with or without country code, the country code will be automatically added if missing. (e.g. "1234567890")
  • Access code (e.g. "123456")
national_id
string

National ID used to search for contracts

id
string

ID used to search for contracts

email
string

Email used to search for contracts

Responses

Response samples

Content type
application/json
{
  • "contracts": [
    ]
}

Plans

Retrieves plans

Returns a list of plans. Only services owned by the logged in provider network are included in each plan.

Authorizations:
Bearer

Responses

Response samples

Content type
application/json
{
  • "plans": [
    ]
}

Service Requests

Get all service requests

Retrieves all service requests associated with the logged in provider network.

Important

  • The document_identifier field is deprecated and will be removed in the future.
  • The access_identifier field is the new field that will be used to identify the contract.
  • The access_identifier_kind field is the kind of the access identifier. It can be national_id, mobile_phone_number, email, phone_number or access_code.
Authorizations:
Bearer
query Parameters
current_status
string

Filter service requests by current status

service_id
integer

Filter service requests by service ID

contract_id
integer

Filter service requests by contract ID

external_id
string

Filter service requests by your external ID

access_identifier
string

Filter service requests by User access identifier

document_identifier
string

Filter service requests by User document identifier

service_external_id
string

Filter service requests by service external ID

page[number]
integer
Default: 1

Page number

page[size]
integer
Default: 25

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "service_requests": [
    ]
}

Create a new service request

Creates a new service request for a user. This endpoint allows creating service requests for contracts that were previously validated using the contracts endpoint or by providing a document identifier or access identifier that matches an existing contract.

Important:

  • A valid service is required and must be provided either by including the service_id parameter or by providing a service_external_id that matches an existing service's external ID.
  • If both service_id and service_external_id are provided, the service_external_id will have priority.
  • A valid contract is required and must be provided either by including the contract_id or by providing a access_identifier or document_identifier that matches an existing contract.
  • The external_id is an optional field that can be used to link the service request to your internal reference ID.

Important

  • The document_identifier field is deprecated and will be removed in the future.
  • The access_identifier field is the new field that will be used to identify the contract.

Accepted fields

service_id, contract_id, external_id, current_status, access_identifier, requested_at, service_name, origin_address, origin_latitude, origin_longitude, destination_address, destination_latitude, destination_longitude, scheduled_date, scheduled_end_date, scheduled_time, provider_name, provider_phone, technician_name, user_phone, source, contact_center_phone, service_external_id

Authorizations:
Bearer
Request Body schema: application/json
object

Responses

Request samples

Content type
application/json
Example
{
  • "service_request": {
    }
}

Response samples

Content type
application/json
{
  • "service_request": {
    }
}

Get a service request

Retrieves a specific service request by its ID.

Authorizations:
Bearer
path Parameters
id
required
integer

Responses

Response samples

Content type
application/json
{
  • "service_request": {
    }
}

Update a service request

Updates an existing service request. This endpoint allows updating certain fields of a service request after it has been created.

Important:

  • Some fields like service_id and contract_id cannot be modified after creation

Important

  • The document_identifier field is deprecated and will be removed in the future.
  • The access_identifier field is the new field that will be used to identify the contract.

Accepted fields

external_id, current_status, service_name, origin_address, origin_latitude, origin_longitude, destination_address, destination_latitude, destination_longitude, scheduled_date, scheduled_end_date, scheduled_time, provider_name, provider_phone, technician_name, user_phone, contact_center_phone

Authorizations:
Bearer
path Parameters
id
required
integer
Request Body schema: application/json
object

Responses

Request samples

Content type
application/json
{
  • "service_request": {
    }
}

Response samples

Content type
application/json
{
  • "service_request": {
    }
}

WhatsApp

Request WhatsApp message sending

Receives a request to send a WhatsApp message.

The whatsapp_number parameter is required.

The whatsapp_number must be a valid number according to the E.164 standard.

Authorizations:
Bearer
Request Body schema: application/json
whatsapp_number
required
string

WhatsApp number of the user who called the call center

Responses

Request samples

Content type
application/json
{
  • "whatsapp_number": "123456789"
}

Response samples

Content type
application/json
null

Webhooks

service_request.created Webhook

Sent to your configured webhook_url whenever a service request is created from one of our platforms. Your endpoint should respond with a 2xx status to acknowledge receipt; non-2xx responses are retried with exponential backoff.

Security

Every request includes an X-Signature header: an HMAC-SHA256 hex digest of the raw request body, keyed with your webhook_secret. Verify it before trusting the payload:

signature = request.headers['X-Signature']
expected  = OpenSSL::HMAC.hexdigest('SHA256', webhook_secret, request.raw_post)
valid     = ActiveSupport::SecurityUtils.secure_compare(signature, expected)

Authentication (optional, configured per provider network)

In addition to the signature, requests may carry credentials in one of these modes:

  • Basic — HTTP Basic Authorization header with your username/password.
  • Bearer (static) — a fixed bearer token that does not expire.
  • Bearer (fetched) — we POST your username/password to a configured auth URL and use the returned token. The JSON keys for username, password and token are configurable.

To change your webhook_url, webhook_secret, or auth mode, contact us at devs-moklabs@grupomok.com.

Authorizations:
Bearer
header Parameters
X-Signature
string

HMAC-SHA256 hex digest of the raw request body, keyed with your webhook_secret.

Webhook-From
string

The application host that sent the webhook.

Request Body schema: application/json
event
required
string
Enum: "service_request.created" "service_request.updated"

The event that triggered the webhook.

required
object (service_request)

Responses

Request samples

Content type
application/json
{
  • "event": "service_request.created",
  • "payload": {
    }
}

service_request.updated Webhook

Sent to your configured webhook_url whenever a service request is updated from one of our platforms (for example, a status change). The signature, authentication and acknowledgement rules are identical to service_request.created above.

Authorizations:
Bearer
header Parameters
X-Signature
string

HMAC-SHA256 hex digest of the raw request body, keyed with your webhook_secret.

Webhook-From
string

The application host that sent the webhook.

Request Body schema: application/json
event
required
string
Enum: "service_request.created" "service_request.updated"

The event that triggered the webhook.

required
object (service_request)

Responses

Request samples

Content type
application/json
{
  • "event": "service_request.updated",
  • "payload": {
    }
}

Admin · Contracts

List contracts

Returns every contract known to the application.

Authorizations:
(AdminUserEmailAdminUserToken)

Responses

Response samples

Content type
application/json
{
  • "contracts": [
    ]
}

Create or update a contract

Creates a contract, or updates the active contract that matches the given application_code (plan code) and access_identifier. When an active contract exists with a different client_contract, a new contract is created instead of updating the existing one.

The response new_contract? flag tells you whether a contract was created or updated, and success? / errors report validation results.

Authorizations:
(AdminUserEmailAdminUserToken)
Request Body schema: application/json
required
object

Responses

Request samples

Content type
application/json
{
  • "contract": {
    }
}

Response samples

Content type
application/json
{
  • "contract": {
    }
}

Batch create or update contracts

Creates or updates many contracts in a single request. Each item follows the same rules as create_or_update. The response returns one contract object per item, each carrying its own success? / errors, so partial failures can be inspected without failing the whole batch.

Authorizations:
(AdminUserEmailAdminUserToken)
Request Body schema: application/json
required
Array of objects

Responses

Request samples

Content type
application/json
{
  • "contracts": [
    ]
}

Response samples

Content type
application/json
{
  • "contracts": [
    ]
}

Admin · Point Transactions

List point transactions

Returns every point transaction.

Authorizations:
(AdminUserEmailAdminUserToken)

Responses

Response samples

Content type
application/json
{
  • "point_transactions": [
    ]
}

Create a point transaction

Adds or spends points for the user identified by access_identifier. The transaction is processed asynchronously.

Authorizations:
(AdminUserEmailAdminUserToken)
Request Body schema: application/json
required
object

Responses

Request samples

Content type
application/json
{
  • "point_transaction": {
    }
}

Response samples

Content type
application/json
{
  • "point_transaction": {
    }
}

Get a point transaction

Authorizations:
(AdminUserEmailAdminUserToken)
path Parameters
id
required
integer

Point transaction ID

Responses

Response samples

Content type
application/json
{
  • "point_transaction": {
    }
}

Admin · Recurrent Point Transactions

List recurrent point transactions

Authorizations:
(AdminUserEmailAdminUserToken)

Responses

Response samples

Content type
application/json
{
  • "recurrent_point_transactions": [
    ]
}

Create a recurrent point transaction

Schedules a rule that issues point transactions on a recurring cadence defined by recurrence_period (an ISO 8601 duration such as P1D or P1M).

Authorizations:
(AdminUserEmailAdminUserToken)
Request Body schema: application/json
required
object

Responses

Request samples

Content type
application/json
{
  • "recurrent_point_transaction": {
    }
}

Response samples

Content type
application/json
{
  • "recurrent_point_transaction": {
    }
}

Get a recurrent point transaction

Authorizations:
(AdminUserEmailAdminUserToken)
path Parameters
id
required
integer

Recurrent point transaction ID

Responses

Response samples

Content type
application/json
{
  • "recurrent_point_transaction": {
    }
}

Update a recurrent point transaction

Authorizations:
(AdminUserEmailAdminUserToken)
path Parameters
id
required
integer

Recurrent point transaction ID

Request Body schema: application/json
required
object

Responses

Request samples

Content type
application/json
{
  • "recurrent_point_transaction": {
    }
}

Response samples

Content type
application/json
{
  • "recurrent_point_transaction": {
    }
}

Delete a recurrent point transaction

Authorizations:
(AdminUserEmailAdminUserToken)
path Parameters
id
required
integer

Recurrent point transaction ID

Responses

Provider Ranking

Get provider ranking for a zone and service

Returns the providers ranked for a given zone and service, scoped to the authenticated provider network.

Both zone_external_id and service_external_id are required; omitting either returns a 422 with detail missing_required_params.

Authorizations:
Bearer
query Parameters
zone_external_id
required
string

External ID of the zone to rank providers for.

service_external_id
required
string

External ID of the service to rank providers for.

Responses

Response samples

Content type
application/json
{
  • "providers": [
    ]
}