Architecture

WorkoutKit combines platform SDKs and a shared backend contract.

Platform SDKs

WorkoutKit is exposed through two native SDKs. The iOS SDK is delivered as an XCFramework and can be integrated with Swift Package Manager or manual framework integration; the current baseline is iOS 15+, Swift 5.9+, and Xcode 15+. The Android SDK is delivered as a Maven package via GitHub Packages, integrates with a Fragment-based approach, and targets Android 5.0+ (API 21+).

Backend and security model

Content is delivered through GraphQL, while identity is transported through JWT tokens signed by your backend. The API layer validates those tokens using your public key. User identity remains fully owned by your product, and WorkoutKit only stores workout-related session data.

WorkoutKit supports public-key validation through JWKS or PEM public-key configuration. The canonical JWT contract is documented in Server-side Request Authentication.

Each B2B client receives a sandbox environment and a production environment. Both run on the same technical infrastructure as FizzUp. Endpoints are provisioned per client. Quotas, rate limits, and SLA commitments depend on the contractual offer attached to the client account.

Runtime flow

At runtime, your backend may issue a user JWT when the target GraphQL operation requires authenticated end-user context. The app then fetches workout payloads from GraphQL, receives the device-bound WorkoutKitToken for session detail requests, and launches the iOS or Android WorkoutKit UI with signature and content. During and after the session, the SDK emits completion and tracking signals for host-app persistence, analytics, and product logic.