Authentication

Scopes

Every endpoint requires a scope, and a token carries only what was granted. Users see the exact scopes an app requests — ask for the minimum you need.

Available scopes

ScopeGrants access to
profile:readDisplay name, username, units, gender, height, goal
workouts:readWorkout history, workout detail (exercises & sets), workout templates
records:readPersonal records (1RM, weight, volume, reps, duration, distance)
measurements:readBody weight and circumference measurements
stats:readStreaks, total XP and trophies
splits:readCustom training splits
exercises:readThe global exercise and equipment catalogs

The API is read-only today — there are no write scopes. Write access will be introduced as explicit new scopes, never folded silently into existing ones.

Enforcement

Scopes are enforced server-side on every request. Calling an endpoint your token wasn’t granted returns 403 with a problem-details body:

GET /api/v1/measurements
Authorization: Bearer gat_…   (granted: workouts:read stats:read)

HTTP/1.1 403 Forbidden
{
  "status": 403,
  "title": "Missing scope",
  "detail": "This authorization is missing the 'measurements:read' scope."
}

Defaults

Token typeDefault scopes
Personal tokenAll scopes, unless you narrow them at creation — it’s your own data.
OAuth appOnly the scopes registered for your app and consented to by the user.
MCP connectionA fixed scope set granted when you connect your account; enforced per tool call.