Every screen you see in the app is a client of the same REST API. That means the whole product is programmable — connect your own tools, sync data into your stack, or let an AI agent run the gym through the Model Context Protocol.
One host for the whole API. Business routes carry the /api prefix; health and metrics sit at the root.
https://api.gymseva.com/api
Authentication
A Bearer API key for programmatic access (generate one in Settings → API keys) or the app’s session cookie in the browser. A key inherits your exact role + gym access. Public routes need only a capability token in the URL.
Authorization: Bearer gsk_…
Response format
Raw JSON, keyed to the resource — no wrapper envelope. The HTTP status carries success; lists return a total alongside their rows.
{ "clients": [ … ], "total": 128 }
Errors
A flat { error } string at the right status: 400 validation (with details), 401, 403, 404, 429. Server errors are scrubbed to a generic message.
400 { "error": "validation" }
Rate limiting
Per-IP fixed-window limits protect auth and every public route; inbound webhooks allow 600/min. Back off on a 429 and retry shortly.
429 too many requests
Health & metrics
A liveness probe and Prometheus metrics, both unauthenticated and at the root — handy for uptime checks and dashboards.
GET https://api.gymseva.com/health
Quickstart
One key, then you’re calling.
Generate a key in the dashboard, then send it as a Bearer token on any endpoint your role can reach. A key acts as you — it can do exactly what your account can, and nothing more. Everything the app does, you can do.
# 1. Generate a key in the dashboard:
# Settings → API keys → Generate key (it starts with gsk_)
# 2. Call any endpoint your role can reach — send the key as a Bearer token
curl -s https://api.gymseva.com/api/clients \
-H 'Authorization: Bearer gsk_live_your_api_key_here'
# → { "clients": [ … ], "total": 128 }
Model Context Protocol
Let an AI agent run the gym.
We ship an open-source MCP server that wraps the API as tools an assistant can call — ask Claude “who’s due for renewal this week?” and it reads it straight from your gym.
Grouped by domain and fully searchable. This is a representative catalogue of the 428+ endpoints across 62 route modules — the same surface the web and mobile apps are built on.
Add your API key to run live requests
Your key stays in this browser (localStorage) and is sent only to api.gymseva.com. Don’t have one? Generate a key in Settings → API keys. A key can do exactly what your account can — nothing more.
Showing 276 endpoints — expand any row for code samples and a live console
Health & metrics
Liveness and Prometheus metrics — unauthenticated, at the root (no /api prefix).
Authentication
Email/password login sets the httpOnly `gid` session cookie. Signup creates a brand pending approval.
API keys
Mint, list and revoke your personal Bearer keys. A key inherits your exact role + gym access — it can do what you can, nothing more. The secret is shown once, at creation, and only its hash is stored.
Clients & members
The member record — roster, profile, group members, trials and disciplinary holds.
Sessions & PIN approvals
Trainers log workouts; members confirm by PIN. Approved sessions drive counts and pay.
Subscriptions, payments & lifecycle
Plans, collections, renewals, freezes, upgrades, transfers and the lifecycle timeline.
Progress & measurements
Body measurements, progress photos and the trainer / transformation leaderboards.
Trainers & salary
The trainer roster, bulk reassignment, and session-driven salary with monthly finalisation.
Reports & KPIs
Business analytics — sales, KPIs, premium, churn, receivables and renewals.
Dashboard
Role-aware gym dashboard and brand-wide “All Gyms” rollups, including cash.
Config & masters
The gym config bundle plus CRUD for plans, sources, methods, exercises, GST, commission and more.
Brand, gyms & staff
Brand identity, gym provisioning, staff and role assignment, departments and vendors.
Leads / CRM
The full lead pipeline — capture, board, follow-ups, activities, stages, conversion and reports.
Inbound channels
Meta / WhatsApp / email ingestion — channel config, routing rules and the triage queue.
Onboarding
The new-member first-days checklist — worklist, timeline, documents and welcome sends.
Tickets — support, MX & help desk
One ticket engine across member support, member-experience and the employee help desk, with SLAs, approvals and confidentiality.
Tickets config & analytics
Category / SLA / routing / Turnstile config plus ticket analytics and the Employee Happiness Index.
Tickets — public portal
The unauthenticated member portal at /t/:token — submit, verify, track, reopen and confirm.
Incidents & first-aid
Injuries, behaviour, theft, lost & found and facility damage — structured intake, evidence, corrective actions and an FSM.
Cash & finance
A single-drawer cash ledger with tiered approvals, inter-branch transfers, reconciliation and cash reports.
Events & workshops
Draft → approval → live events, with registration, payments, attendance, passes, feedback and reports.
Events — public portal
The unauthenticated registration portal at /e/… — register, verify, check pass and give feedback.
Accessories retail (POS)
Point-of-sale for supplements and merch, with inventory, restock, adjustments and transfers.
Assets & equipment
The equipment register and full lifecycle — repair, return, retire, maintenance and transfers.
Inward / outward movements
Gate-passed material movements with dual FSMs, approvals, photo handover proof and reports.
Inspections (5S / Gemba)
Daily rated facility walks with a live photo, manager flag worklist and analytics.
Email, jobs & notifications
Branded templates, per-brand SMTP, the delivery log and manual scanner runs.
Files
Stream a stored blob. Access is decided per key-prefix; denials return 404 to avoid disclosure.
Webhooks (inbound)
HMAC-verified Meta / WhatsApp webhooks. The unguessable path token resolves the brand before any payload is trusted.
Platform (super-admin)
The SaaS control plane behind a separate `pid` session — brands, entitlements, billing and the overview.