Authentication
The API uses API keys for server-to-server authentication. Each key is scoped to a single company (coaching business) and grants the same permissions as the coach account.
Creating an API key
- Open the TrainerStudio coach app.
- Go to Settings → API Keys.
- Click Create API Key and give it a descriptive name (e.g. "Zapier integration", "Claude agent").
- Copy the key immediately — it is only shown once.
Using the key
Send the key in the X-API-Key header on every request:
curl https://api.trainerstudio.io/coach/customers \
  -H "X-API-Key: YOUR_API_KEY"
Key properties
| Property | Detail |
|---|---|
| Scope | Company-level. The key can access all clients, programs, and data within the coach's company. |
| Format | Opaque string. Treat it as a secret. |
| Storage | The server stores a hash — if you lose the key, revoke it and create a new one. |
| Revocation | Instant. Go to Settings → API Keys → Delete. |
Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing or invalid X-API-Key header. |
| 403 Forbidden | The key is valid but the operation requires a different role. |
{
  "statusCode": 401,
  "message": "Missing X-API-Key header"
}
Security best practices
- Never expose keys in client-side code — API keys are for server-to-server use only.
- Use one key per integration so you can revoke individually without breaking other systems.
- Store keys in environment variables or a secrets manager, never in source code.
- Rotate keys periodically — create a new one, update your integration, then revoke the old one.
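The practices above combined in a small server-side client, as an added example that is not part of the TrainerStudio documentation: it reads the key from the environment, sends it in the X-API-Key header, and turns the documented 401 and 403 responses into messages that never contain the key. The environment variable name TRAINERSTUDIO_API_KEY and the function names are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.trainerstudio.io"   # host from the curl example above
KEY_ENV_VAR = "TRAINERSTUDIO_API_KEY"       # assumed name, not defined by the API


class ApiKeyError(Exception):
    """Authentication failure; the message never includes the key itself."""


def load_api_key(environ=os.environ):
    # Read the secret from the environment (or a secrets manager that
    # populates it) instead of embedding it in source code.
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise ApiKeyError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(path, environ=os.environ):
    # Attach the key as the X-API-Key header, as required on every request.
    req = urllib.request.Request(BASE_URL + path)
    req.add_header("X-API-Key", load_api_key(environ))
    return req


def explain_auth_error(status, body):
    # Map the documented status codes to an operator-facing message.
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""  # body was empty or not the documented JSON object
    if status == 401:
        return f"401: key missing or invalid ({message}); check {KEY_ENV_VAR}"
    if status == 403:
        return f"403: key is valid but the operation requires a different role ({message})"
    return f"{status}: not an authentication error"


def get(path, environ=os.environ):
    # Perform the call; only 401/403 are converted, other errors propagate.
    try:
        with urllib.request.urlopen(build_request(path, environ), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise ApiKeyError(explain_auth_error(err.code, err.read())) from None
        raise
```

During rotation, changing the value of the environment variable and restarting the integration is the "update your integration" step; the old key can be revoked once requests succeed with the new one.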