Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/azahel79/Spartans-gym/llms.txt

Use this file to discover all available pages before exploring further.

The Spartans Gym API is a JSON REST API built with Express, Prisma, and MySQL. Every feature of the gym management platform — from member check-ins to financial transactions — is accessible through a single, consistent API surface. All routes share the same /api prefix, the same JSON response envelope, and the same error contract, so once you understand the basics here you can navigate any endpoint group with confidence.

Base URL

The API server defaults to port 3000. Use the appropriate base URL depending on your environment:
EnvironmentBase URL
Productionhttps://YOUR_BACKEND_DOMAIN/api
Local devhttp://localhost:3000/api
Replace YOUR_BACKEND_DOMAIN with the actual hostname where you deploy the backend. The PORT environment variable controls which port the server binds to (default 3000).

Health Check

Before integrating, confirm the API is reachable with the public health endpoint. No authentication is required.
GET /api/health
Example response:
{
  "success": true,
  "message": "API funcionando correctamente",
  "environment": "production",
  "uptime": 3821.54,
  "timestamp": "2024-11-15T10:23:45.123Z"
}
FieldTypeDescription
successbooleanAlways true for this endpoint
messagestringHuman-readable status message
environmentstringValue of the NODE_ENV environment variable
uptimenumberProcess uptime in seconds since last restart
timestampstringISO 8601 timestamp of the response

Route Groups

Every resource in the platform is organized under a dedicated route prefix. The table below lists all available groups, their purpose, and the roles permitted to access them.
PrefixDescriptionRequired Role
/api/authLogin, current user, and logoutPublic / Any authenticated
/api/clientsMember registration and managementadmin, recepcionista
/api/plansMembership plan catalogueadmin, recepcionista
/api/attendancesCheck-in and attendance recordsadmin, recepcionista
/api/productsProduct and supplement inventoryadmin, recepcionista
/api/transactionsFinancial transactions and salesadmin, recepcionista
/api/dashboardAggregated stats and analyticsadmin
/api/usersStaff user managementadmin
/api/configGym-level configuration settingsadmin
/api/uploadFile and image upload (Cloudinary)admin, recepcionista
Route-level authorization is enforced by the authenticate middleware. Requests without a valid Bearer token on protected routes receive a 401 Unauthorized response immediately.

Standard Response Format

Every API response — success or error — follows the same JSON envelope shape. You can always branch on the success boolean before reading data or error.
{
  "success": true,
  "data": { },
  "message": "Optional human-readable message"
}
{
  "success": false,
  "error": "Human-readable error description"
}

HTTP Status Codes

The API uses a standard subset of HTTP status codes. Prisma-layer errors are translated to appropriate HTTP codes by the global error handler before they reach the client.
CodeMeaningCommon cause
200 OKRequest succeededNormal successful response
400 Bad RequestInvalid inputMissing required fields, duplicate unique value (Prisma P2002)
401 UnauthorizedMissing or invalid tokenNo Authorization header, expired or malformed JWT
403 ForbiddenInsufficient roleAuthenticated but not permitted for this resource
404 Not FoundResource missingRecord not found (Prisma P2025) or unknown route
500 Internal Server ErrorUnexpected server errorUnhandled exception — check server logs

Request Format

Send all write requests (POST, PUT, PATCH) with a JSON body and the correct Content-Type header. The server enforces a 2 MB limit on JSON payloads.
curl -X POST https://YOUR_BACKEND_DOMAIN/api/clients \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <token>" \
  -d '{"name": "Jane Doe", "email": "jane@example.com"}'
For image and file uploads, use multipart/form-data against the /api/upload endpoints — do not send binary data as base64 in a JSON body.

CORS

Cross-Origin Resource Sharing is controlled by the ALLOWED_ORIGINS environment variable. The server accepts a comma-separated list of origin URLs and strips trailing slashes before matching. Credentials (cookies, Authorization headers) are explicitly allowed.
# .env example — allow both local dev and production frontend
ALLOWED_ORIGINS=http://localhost:5173,https://app.spartansgym.com
In production, ALLOWED_ORIGINS must be set explicitly. Leaving it unset falls back to FRONTEND_URL, which defaults to http://localhost:5173 — this will block all production frontend requests.

Next Steps

Authentication

Learn how to obtain a JWT token and authorize every subsequent request with the Bearer scheme.

Clients

Register members, search by name or plan, and manage membership status.

Plans

Create and update membership plans with pricing and duration.

Dashboard

Pull aggregated statistics and analytics for the gym management dashboard.

Build docs developers (and LLMs) love