Grant Type
We currently support the Client Credentials grant type for API authorization. This method is designed for server-to-server communication, where the API is accessed from a trusted backend rather than directly from a front-end application.
Use Cases
The Client Credentials grant type is ideal for:
- Backend services that need to interact with our API without user intervention
- Automated processes, such as scheduled tasks or data synchronization
- Creating a custom backend API that securely fetches data and exposes only what your front-end needs
Warning
Do not use these APIs directly from a front-end application. Exposing client credentials in a front-end environment poses a significant security risk.
Instead, create your own secure backend that communicates with our API and acts as a safe proxy for the front-end.
Scopes
OAuth 2.0 scopes define the level of access granted to an API client. Scopes allow you to control what category of endpoints your client can access and what actions it can perform.
Available Scopes
Category | Scope |
---|---|
Accounts | read:accounts, write:accounts |
Moves | read:moves |
Biometrics | read:biometrics, write:biometrics |
Classes & Bookings | read:classes_and_bookings, write:classes_and_bookings, delete:classes_and_bookings |
Challenges | read:challenges |
Facilities | read:facilities |
Quick Tip:
Only request the scopes your app actually needs.
This keeps access tightly scoped, improves security, and follows the principle of least privilege.
Token Expiration
Access tokens issued through the Client Credentials grant expire after 1 hour (3600 seconds).
This short lifespan ensures improved security and encourages apps to request fresh tokens as needed.
Best Practice
Your application should treat access tokens as short-lived and be prepared to:
- Store the token temporarily in memory or cache
- Automatically request a new token when the current one expires
- Avoid hardcoding tokens: they're tied to time and client credentials
You don't need to manually track expiration time. Just request a new token before each batch of API calls or implement a caching strategy with automatic refresh.
Quick Tip
The token response includes an expires_in field (in seconds), which your app can use to calculate when to refresh:
{ "access_token": "...", "expires_in": 3600, "token_type": "Bearer" }
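One way to implement the caching strategy described above, as an added example rather than code from this API's documentation: an in-memory cache that refreshes the token shortly before expires_in runs out. The token URL is a placeholder, and sending the client ID and secret as form fields (rather than HTTP Basic) is an assumption; check the auth portal for the real endpoint and client authentication method.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

# Placeholder: this page does not give the token endpoint URL.
TOKEN_URL = "https://auth.example.invalid/oauth/token"


def fetch_token(client_id, client_secret, scope):
    """POST a client_credentials request (form fields per RFC 6749, section 4.4).

    Assumption: credentials go in the request body. Load them from the
    environment or a secret store on the backend, never from front-end code.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # space-separated, e.g. "read:accounts read:moves"
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps one access token in memory and refreshes it before it expires."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch    # callable returning the token response as a dict
        self._skew = skew      # refresh this many seconds before expiry
        self._clock = clock    # monotonic, so wall-clock changes cannot extend a token
        self._lock = threading.Lock()
        self._token = None
        self._refresh_at = 0.0

    def get(self):
        with self._lock:  # only one thread refreshes at a time
            if self._token is None or self._clock() >= self._refresh_at:
                resp = self._fetch()
                if resp.get("token_type", "").lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                self._token = resp["access_token"]
                self._refresh_at = self._clock() + max(resp["expires_in"] - self._skew, 0)
            return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}
```

Construct it once per process, for example `TokenCache(lambda: fetch_token(cid, secret, "read:accounts"))`, and call `auth_header()` before each API request.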
See It in Action
Want to see how to authenticate and get an access token using OAuth 2.0?
Check out our recipe to learn how to:
- Request an access token from our auth portal
- Authenticate securely using your client ID and secret
- Use the token to make authorized API requests
This example is perfect if you're building a backend integration and want a quick, working starting point.