Developers

Gym Seva is an API-first system.

Every screen you see in the app is a client of the same REST API. That means the whole product is programmable — connect your own tools, sync data into your stack, or let an AI agent run the gym through the Model Context Protocol.

Browse the referenceMCP for AI agents →
428+
REST endpoints
62
route modules
100%
of the app runs on it

Base URL

One host for the whole API. Business routes carry the /api prefix; health and metrics sit at the root.

https://api.gymseva.com/api

Authentication

A Bearer API key for programmatic access (generate one in Settings → API keys) or the app’s session cookie in the browser. A key inherits your exact role + gym access. Public routes need only a capability token in the URL.

Authorization: Bearer gsk_…

Response format

Raw JSON, keyed to the resource — no wrapper envelope. The HTTP status carries success; lists return a total alongside their rows.

{ "clients": [ … ], "total": 128 }

Errors

A flat { error } string at the right status: 400 validation (with details), 401, 403, 404, 429. Server errors are scrubbed to a generic message.

400 { "error": "validation" }

Rate limiting

Per-IP fixed-window limits protect auth and every public route; inbound webhooks allow 600/min. Back off on a 429 and retry shortly.

429 too many requests

Health & metrics

A liveness probe and Prometheus metrics, both unauthenticated and at the root — handy for uptime checks and dashboards.

GET https://api.gymseva.com/health
Quickstart

One key, then you’re calling.

Generate a key in the dashboard, then send it as a Bearer token on any endpoint your role can reach. A key acts as you — it can do exactly what your account can, and nothing more. Everything the app does, you can do.

Create and revoke keys under Settings → API keys, then try any call live in the reference console below.

cURL
# 1. Generate a key in the dashboard:
#    Settings → API keys → Generate key   (it starts with gsk_)

# 2. Call any endpoint your role can reach — send the key as a Bearer token
curl -s https://api.gymseva.com/api/clients \
  -H 'Authorization: Bearer gsk_live_your_api_key_here'

# → { "clients": [ … ], "total": 128 }
Model Context Protocol

Let an AI agent run the gym.

We ship an open-source MCP server that wraps the API as tools an assistant can call — ask Claude “who’s due for renewal this week?” and it reads it straight from your gym.

Set up the MCP server →
Reference

The complete endpoint surface.

Grouped by domain and fully searchable. This is a representative catalogue of the 428+ endpoints across 62 route modules — the same surface the web and mobile apps are built on.

Add your API key to run live requests

Your key stays in this browser (localStorage) and is sent only to api.gymseva.com. Don’t have one? Generate a key in Settings → API keys. A key can do exactly what your account can — nothing more.

Showing 276 endpoints — expand any row for code samples and a live console

Health & metrics

Liveness and Prometheus metrics — unauthenticated, at the root (no /api prefix).

Authentication

Email/password login sets the httpOnly `gid` session cookie. Signup creates a brand pending approval.

API keys

Mint, list and revoke your personal Bearer keys. A key inherits your exact role + gym access — it can do what you can, nothing more. The secret is shown once, at creation, and only its hash is stored.

Clients & members

The member record — roster, profile, group members, trials and disciplinary holds.

Sessions & PIN approvals

Trainers log workouts; members confirm by PIN. Approved sessions drive counts and pay.

Subscriptions, payments & lifecycle

Plans, collections, renewals, freezes, upgrades, transfers and the lifecycle timeline.

Progress & measurements

Body measurements, progress photos and the trainer / transformation leaderboards.

Trainers & salary

The trainer roster, bulk reassignment, and session-driven salary with monthly finalisation.

Reports & KPIs

Business analytics — sales, KPIs, premium, churn, receivables and renewals.

Dashboard

Role-aware gym dashboard and brand-wide “All Gyms” rollups, including cash.

Config & masters

The gym config bundle plus CRUD for plans, sources, methods, exercises, GST, commission and more.

Brand, gyms & staff

Brand identity, gym provisioning, staff and role assignment, departments and vendors.

Leads / CRM

The full lead pipeline — capture, board, follow-ups, activities, stages, conversion and reports.

Inbound channels

Meta / WhatsApp / email ingestion — channel config, routing rules and the triage queue.

Onboarding

The new-member first-days checklist — worklist, timeline, documents and welcome sends.

Tickets — support, MX & help desk

One ticket engine across member support, member-experience and the employee help desk, with SLAs, approvals and confidentiality.

Tickets config & analytics

Category / SLA / routing / Turnstile config plus ticket analytics and the Employee Happiness Index.

Tickets — public portal

The unauthenticated member portal at /t/:token — submit, verify, track, reopen and confirm.

Incidents & first-aid

Injuries, behaviour, theft, lost & found and facility damage — structured intake, evidence, corrective actions and an FSM.

Cash & finance

A single-drawer cash ledger with tiered approvals, inter-branch transfers, reconciliation and cash reports.

Events & workshops

Draft → approval → live events, with registration, payments, attendance, passes, feedback and reports.

Events — public portal

The unauthenticated registration portal at /e/… — register, verify, check pass and give feedback.

Accessories retail (POS)

Point-of-sale for supplements and merch, with inventory, restock, adjustments and transfers.

Assets & equipment

The equipment register and full lifecycle — repair, return, retire, maintenance and transfers.

Inward / outward movements

Gate-passed material movements with dual FSMs, approvals, photo handover proof and reports.

Inspections (5S / Gemba)

Daily rated facility walks with a live photo, manager flag worklist and analytics.

Email, jobs & notifications

Branded templates, per-brand SMTP, the delivery log and manual scanner runs.

Files

Stream a stored blob. Access is decided per key-prefix; denials return 404 to avoid disclosure.

Webhooks (inbound)

HMAC-verified Meta / WhatsApp webhooks. The unguessable path token resolves the brand before any payload is trusted.

Platform (super-admin)

The SaaS control plane behind a separate `pid` session — brands, entitlements, billing and the overview.