Authentication

Personal access tokens

The fastest way in. A personal token is bound to your own account and can never see anyone else’s data — perfect for dashboards, scripts, spreadsheets and side projects.

Create a token

Personal tokens are managed from your own account, so these three endpoints use your normal Gravl session (the same authentication the mobile app uses) — not the token itself.

Create
POST https://api.gravl.ai/api/user/personal-tokens
Authorization: Bearer <your Gravl session token>
Content-Type: application/json

{
  "name": "My stats dashboard",
  "scopes": ["workouts:read", "stats:read"],
  "expiresInDays": 365
}

{
  "token": "gat_k3rB…",          // ← shown exactly once, store it now
  "clientId": "gci_9fJq…",
  "name": "My stats dashboard",
  "scopes": "workouts:read stats:read",
  "expiresAt": "2027-07-14T09:30:00Z"
}
FieldTypeNotes
namestringRequired. What you’re building — shown when you list your tokens. Max 120 chars.
scopesstring[]Optional. Defaults to all scopes (it’s your own data). See scopes.
expiresInDaysnumberOptional. 1–365; defaults to 365.

The token value is returned once and stored only as a hash. Lose it and you revoke + recreate — there is no way to read it back.

Use it

Send the token as a bearer token against any /api/v1 endpoint it has scopes for:

curl "https://api.gravl.ai/api/v1/stats" \
  -H "Authorization: Bearer gat_k3rB…"

{
  "streak": { "current": 6, "longest": 14, "workoutsThisWeek": 3 },
  "totalXp": 12480,
  "trophyCount": 22
}

List and revoke

MethodPathDescription
GET/api/user/personal-tokensYour active tokens — name, clientId, scopes, created, last used, expiry. Never the token value.
DELETE/api/user/personal-tokens/{clientId}Revokes the token immediately. In-flight requests with it start failing with 401 right away.

Limits

LimitValue
Active tokens per account10
Maximum lifetime365 days
Rate limit100 requests / 15 minutes (per token per user)

Need longer-lived automation, app-to-app access, or higher limits? That’s what OAuth apps are for.