To access the API with the new authentication process, you first need to create an API client.
An API client is the very same concept you would find when integrating with Facebook:
The employee could be a basic one (a manager, for example) or one created for the single purpose of integrating with the API.
If you have a third-party company that would like to connect to the PerfectGym API, you can create an employee for them with
permissions restricted strictly to creating and utilizing API clients. This is the most recommended approach: this way you don't have to
send them credentials via email (this is very dangerous!!). They would simply log into PerfectGym and create an API client for themselves.
Mentioned permissions consist of:
With the proper permissions you can open the API Clients screen (you can find it in the Settings section of the PGM menu):
Click on Create API client
You need to name your client. For the purpose of this document, we will skip OpenID configuration.
Now you can see two generated codes. The first is your Client ID, which is similar to a login when using the API.
The second one is the Client Secret. This piece of information is very important, as it serves as a password. You need to copy it now
because it's impossible to recover it after you close the window. However, you can always create a new client.
API client credentials are very sensitive pieces of information and let anyone who holds them access a big part of the PG system. Please store them safely and do not share them with anyone not eligible. Also: do not send them via email, as emails are rarely encrypted.
And probably most important:
Do not store the client secret inside website scripts or inside mobile app code! Doing so would give anyone access to the precious data of your members and control over your club!
You can make your client ID public, but not the client secret! Please be very aware of this and, in case of any doubts, contact the PerfectGym team to guide you through the details!
With this set up, you can use the PerfectGym API. To authenticate, you need to include two headers in your requests:
X-Client-Id - enter your Client ID here
X-Client-Secret - enter your Client secret here
Any request made with these credentials is performed on behalf of the employee who created this API client.
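As an added example (not PerfectGym's own code), here is one way to attach the two headers from server-side Python while keeping the secret out of source code and logs. The environment variable names, the URL and the HTTPS check are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed names: these environment variables are placeholders chosen for this
# example, not values defined by PerfectGym.
ENV_ID = "PG_CLIENT_ID"
ENV_SECRET = "PG_CLIENT_SECRET"


def load_credentials(env=os.environ):
    """Read the Client ID and Client Secret from the server's environment."""
    client_id = env.get(ENV_ID, "").strip()
    client_secret = env.get(ENV_SECRET, "").strip()
    if not client_id or not client_secret:
        raise RuntimeError(f"set {ENV_ID} and {ENV_SECRET} on the server")
    return client_id, client_secret


def build_request(url, client_id, client_secret):
    """Build a GET request carrying the two authentication headers."""
    if urlsplit(url).scheme != "https":
        # Added safeguard: headers are readable in transit over plain HTTP.
        raise ValueError("refusing to send the client secret over a non-HTTPS URL")
    return urllib.request.Request(url, headers={
        "X-Client-Id": client_id,
        "X-Client-Secret": client_secret,
        "Accept": "application/json",
    })


def loggable_headers(request):
    """Return a copy of the request headers that is safe to write to logs."""
    # urllib stores names as e.g. "X-client-secret"; HTTP header names are
    # case-insensitive, so compare in lower case.
    return {k: ("<redacted>" if k.lower() == "x-client-secret" else v)
            for k, v in request.header_items()}


if __name__ == "__main__":
    # Constructed sample values so the example runs offline; nothing is sent.
    sample_env = {ENV_ID: "example-client-id", ENV_SECRET: "example-client-secret"}
    cid, secret = load_credentials(sample_env)
    req = build_request("https://api.example.invalid/placeholder", cid, secret)
    print(loggable_headers(req))
```

Pass the built request to `urllib.request.urlopen` from your backend only; a website or mobile app should call your backend instead of holding the secret itself.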
This way of API authorization is much different from the one described in our official docs. It lets you access the same API endpoints
you would access the old way. The old method still works; however, in the future we would like to deprecate it and migrate to the newer one.
In the future, we will also provide more granular authorization control over specific endpoints and pieces of data, so please watch this document if you're interested.