API authentication

To access API with a new authentication process, you first need to create yourself an API client.

API client is the very same concept you would found when you’d like to integrate with Facebook:

  • first, you need to create a developer account (here you have an employee with specific permissions)
  • then you create a facebook application (here you have API client)
  • you can connect to facebook API using your application credentials (here you have API client credentials)
    To do this, you need to have proper permissions:

The employee could be a basic one (manager for example) or the one created for the single purpose of integrating with API.
If you have a third party company, that would like to connect to PerfectGym API, you can create them an employee with
permissions restricted strictly to creating and utilizing API clients. This is most recommended: this way you don’t have to
send them credentials via email (this is very dangerous!!). They would simply log into PerfectGym and create API client for themselves.

Mentioned permissions consist of:

  • CreateApiClients - allows you to create an API client - without this, no integration would work.
    Taking back this permission makes all already created clients unusable. It’s required for other permissions to even work.
  • ApiAccess - if the employee has this permission, API clients which he created could be used to directly access API.
    Further information about this below.
  • OpenIdMemberLogin - this permission allows to integrate third-party applications with ClientPortal and in future also with API
    using OpenID Connect standard. More on this topic in OpenID Connect integration.
    Note, that because these permissions are being used in other applications than PGM, it may take some time for them to propagate after the change.
    If your API client won’t work, wait for some time, that may be permission cache issue.

Having proper permissions you can enter API Clients screen (you can find it in Settings section of PGM menu):

Click on Create API client

You need to name your client. For the purpose of this document, we would skip OpenID configuration.

Now you can see two codes generated. First is your Client ID which is something similar to login when using API.

The second one is a Client Secret. This piece of information is very important, as serves as a password. You need to copy it now
because it’s impossible to restore it after you close the window. However, you can always create a new client.

API client credentials are very sensitive pieces of information and let anyone access a big part of PG system. Please store them safely and do not share with anyone not eligible. Also: do not send them via email, they are rarely encrypted.

And probably most important:
Do not store client secret inside website scripts, or inside mobile app code! This way you’d give anyone access to precious data of your members and control over your club!

You can make your client ID public, but not client secret! Please be very aware of this and in case of any doubts contact PerfectGym team to guide you through details!

Having this set, you can use PerfectGym API. To authenticate, you need to include two headers in your requests:
X-Client-Id - enter your Client ID here
X-Client-Secret - enter your Client secret here

Any request made with this credentials would be done on behalf of the employee, that created this API client.

This way of API authorization is much different than the one described in our official docs. It would let you access the same API endpoints,
you would access the old way. Old method still works, however, in future we would like to deprecate it and migrate to a newer one.

In future, we would also provide more granular authorization control to specific endpoints and pieces of data, so please watch this document if you’re interested.