Authentication
Web authentication uses the same JWT model as the other WorkoutKit clients.
When getAccessToken() is needed
Provide getAccessToken() in workoutkit.start() only when your WorkoutKit API integration requires authenticated requests.
The Web SDK expects your frontend to retrieve the token from your backend, not to sign it locally.
```js
// Option passed to workoutkit.start()
getAccessToken: async function () {
  // credentials: 'include' sends the session cookie so your backend can identify the user
  const response = await fetch('/api/workoutkit/token', {
    method: 'POST',
    credentials: 'include',
  })
  if (!response.ok) {
    throw new Error('Unable to retrieve WorkoutKit access token')
  }
  const data = await response.json()
  return data.accessToken
}
```

Security requirements
- Issue JWTs server-side only.
- Keep the private signing key in your infrastructure only.
- Do not hardcode access tokens in frontend code.
- Return short-lived tokens from your backend.
- Bind user identity and authorization rules in your own backend before issuing the token.
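The requirements above, sketched as the backend side of `/api/workoutkit/token`. This is an added example, not WorkoutKit code: the ES256 algorithm, the claim names, the 5-minute lifetime and the `workoutkitEnabled` session flag are assumptions, and the real token contract is the one defined in API Authentication.

```javascript
// Added example: token issuance for POST /api/workoutkit/token (not WorkoutKit code).
// Assumed: ES256, claim names, TTL, and the session shape { userId, workoutkitEnabled }.
const crypto = require('node:crypto');

const TTL_SECONDS = 300; // assumed lifetime for a "short-lived" token
const b64url = (v) => Buffer.from(v).toString('base64url');

// Sign a token for the user in the server-side session, never for an id sent by the browser.
function issueAccessToken(session, privateKey, now = Math.floor(Date.now() / 1000)) {
  if (!session || !session.userId) {
    throw new Error('unauthenticated'); // map to HTTP 401 in the route handler
  }
  if (!session.workoutkitEnabled) {
    throw new Error('forbidden'); // your own authorization rule; map to HTTP 403
  }
  const header = b64url(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: session.userId, iat: now, exp: now + TTL_SECONDS }));
  const signingInput = `${header}.${payload}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), {
    key: privateKey,
    dsaEncoding: 'ieee-p1363', // JWS uses raw r||s, not DER
  });
  return { accessToken: `${signingInput}.${b64url(signature)}` };
}

// Verifier, included only to show what the signature and short lifetime enforce.
function verifyAccessToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  try {
    const [header, payload, signature] = token.split('.');
    if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'ES256') return null;
    const ok = crypto.verify('sha256', Buffer.from(`${header}.${payload}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(signature, 'base64url'));
    if (!ok) return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url'));
    return claims.exp > now ? claims : null; // expired tokens are rejected
  } catch {
    return null; // malformed token
  }
}

// Constructed throwaway key pair; in production load the private key from your secret store.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
```

In a route handler, call `issueAccessToken` with the session your framework has already authenticated and return the result as JSON, which is the shape the `getAccessToken()` example reads (`data.accessToken`).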
For the full JWT contract, see API Authentication.
For the WorkoutKit device/token handshake model, see SDK Authentication.
