#
Authentication API
sTvOS supports multiple authentication flows for end users, trainers, and partner staff.
#
Client User Authentication
All client user auth endpoints require the X-API-Key header.
#
Register
POST /auth/register
Create a new user account under the client identified by the API key.
{
"email": "user@example.com",
"password": "securepassword",
"name": "Jane Doe",
"voucherCode": "STUDIO-ABC123",
"sessionId": "onboarding-session-id",
"coachId": 5,
"profile": {
"age": 28,
"gender": "female",
"fitnessLevel": "intermediate"
},
"settings": {
"notifications": true
}
}Only email and password are required. All other fields are optional.
{
"success": true,
"data": {
"user": {
"id": 1,
"email": "user@example.com",
"name": "Jane Doe",
"role": "user"
},
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi..."
}
}Onboarding merge
If sessionId is provided, the pending onboarding profile is automatically merged into the new account. If voucherCode is provided, it is redeemed and the user is assigned to the voucher's partner client.
#
Login
POST /auth/login
Authenticate a user with email and password.
{
"email": "user@example.com",
"password": "securepassword"
}{
"success": true,
"data": {
"user": {
"id": 1,
"email": "user@example.com",
"name": "Jane Doe",
"role": "user"
},
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi...",
"client": {
"id": 1,
"name": "Studio Name",
"branding": { }
}
}
}Universal API key
When using the universal API key, the response includes a client object so the app knows which branding to apply. This enables a single mobile app to serve multiple studio clients.
#
Refresh Token
POST /auth/refresh
Exchange a refresh token for a new access token.
{
"refreshToken": "eyJhbGciOi..."
}{
"success": true,
"data": {
"accessToken": "eyJhbGciOi..."
}
}
#
Logout
POST /auth/logout
Bearer
Stateless logout. The server does not invalidate tokens -- the client should discard stored tokens.
{
"success": true,
"data": {
"message": "Logged out successfully"
}
}
#
Current User
GET /auth/me
Get the current authenticated user. Requires both X-API-Key and Authorization: Bearer <token>.
{
"success": true,
"data": {
"user": {
"id": 1,
"email": "user@example.com",
"name": "Jane Doe",
"role": "user",
"profile": { },
"settings": { }
},
"client": {
"id": 1,
"name": "Studio Name"
}
}
}
#
Voucher Validation
#
Validate Code
POST /auth/voucher/validate
Validate a voucher code before registration. Requires X-API-Key only (no bearer token).
{
"code": "STUDIO-ABC123"
}{
"success": true,
"data": {
"valid": true,
"partner": {
"name": "Partner Name",
"clientId": 1
}
}
}
#
Trainer Authentication
Trainer auth endpoints accept either X-API-Key or X-Master-Trainer-Key.
#
Check Email
POST /trainer-auth/check-email
Check if a trainer email is enabled for registration.
{
"email": "trainer@example.com"
}{
"success": true,
"data": {
"exists": false,
"canRegister": true,
"trainer": { "id": 5, "name": "Coach Mike" }
}
}
#
Register Trainer
POST /trainer-auth/register
Register a trainer as a user account. The trainer record must already exist (created by admin).
{
"email": "trainer@example.com",
"password": "securepassword"
}{
"success": true,
"data": {
"user": {
"id": 10,
"email": "trainer@example.com",
"name": "Coach Mike",
"role": "trainer"
},
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi..."
}
}
#
Trainer Login
POST /trainer-auth/login
Authenticate a trainer. Returns user tokens and trainer-specific information.
{
"email": "trainer@example.com",
"password": "securepassword"
}{
"success": true,
"data": {
"user": {
"id": 10,
"email": "trainer@example.com",
"name": "Coach Mike",
"role": "trainer"
},
"trainer": {
"id": 5,
"name": "Coach Mike",
"specialisations": ["strength", "hiit"]
},
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi..."
}
}
#
Partner Staff Authentication
Partner auth endpoints do not require a client API key.
#
Login
POST /partner-auth/login
Authenticate a partner staff member. Returns JWT tokens with 8-hour expiry.
{
"email": "staff@partner.com",
"password": "securepassword"
}{
"success": true,
"data": {
"staff": {
"id": 1,
"email": "staff@partner.com",
"name": "Staff Name",
"role": "admin",
"clientId": 1
},
"accessToken": "eyJhbGciOi...",
"refreshToken": "eyJhbGciOi..."
}
}
#
Refresh
POST /partner-auth/refresh
Refresh a partner staff access token.
{
"refreshToken": "eyJhbGciOi..."
}{
"success": true,
"data": {
"accessToken": "eyJhbGciOi..."
}
}
#
Current Staff
GET /partner-auth/me
Partner JWT
Get the current authenticated partner staff member.
{
"success": true,
"data": {
"staff": {
"id": 1,
"email": "staff@partner.com",
"name": "Staff Name",
"role": "admin",
"clientId": 1,
"client": {
"id": 1,
"name": "Partner Studio"
}
}
}
}
#
Logout
POST /partner-auth/logout
Partner JWT
Stateless logout for partner staff. Discard stored tokens on the client side.
#
FAQ
How long do access tokens last?
Access tokens are short-lived JWTs. When a 401 response is received, call /auth/refresh with the stored refresh token to obtain a new access token.
What happens if a voucher code is invalid or expired?
The /auth/voucher/validate endpoint returns { "valid": false } with a reason. Registration with an invalid voucher code will be rejected with a 400 error.
Can a user belong to multiple clients?
No. Each user belongs to exactly one client. The client is determined at registration time by the API key (or voucher code for universal key flows).