
Authentication

This section describes authentication and authorization for the Glofox API. All API requests must include the following headers: x-glofox-branch-id, x-api-key, and x-glofox-api-token.

Header               Description
x-glofox-branch-id   Branch ID for the current request.
x-api-key            API key for the integration.
x-glofox-api-token   API token for the integration.

Security

Always proxy API key and token requests through a secure backend. Never expose credentials in client-side applications.

Get started

First, you need to request access to our API. To request API access you have two options:

  1. Glofox Integration Contact: Email Glofox Integrations at glofox.APISupport@abcfitness.com. Include company information and location owner authorization as needed.
  2. Slack Channel: If available, use the dedicated Slack channel for faster collaboration.

You will receive credentials that grant access to the development endpoints. The Glofox API provides dedicated development, testing, staging, and sandbox environments to support end‑to‑end validation. Two sets of tokens/keys are issued: one for development/testing and one for production. Both sets point to the same environment configuration. Webhook configuration is supported. Access to the Glofox Dashboard is required to complete development and testing workflows.

Tip

To verify your credentials, send a GET request to https://gf-api.aws.glofox.com/prod/2.0/members with the required headers.

Security and Rate Limiting

We apply security validations and rate limits to the API. The main measures are:

  • Backend Proxies: All API key and token operations must be performed through a secure backend service. This prevents direct client‑side access and protects sensitive credentials. API keys and tokens are intended exclusively for backend integrations and must never be exposed in browsers or other public-facing environments. Implement strong credential lifecycle management, including rotation and secure storage.

  • Rate Limiting: The API enforces a limit of 10 requests per second. Implement client‑side and server‑side rate limiting to prevent abuse, throttling, and unintentional denial‑of‑service conditions. Higher throughput quotas may be granted upon review.
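The following is an added example, not Glofox's own code, of the backend-proxy pattern described above: it loads the three required headers from the environment (the variable names GLOFOX_BRANCH_ID, GLOFOX_API_KEY and GLOFOX_API_TOKEN are assumptions), fails closed if any is missing, enforces the 10 requests per second limit locally with a sliding window before a request leaves the backend, and masks the credentials before they reach a log line.

```python
import os
import time
from collections import deque

GLOFOX_BASE_URL = "https://gf-api.aws.glofox.com/prod/2.0"  # from the page's credential-check tip
RATE_LIMIT_PER_SECOND = 10  # the page's published limit
CREDENTIAL_ENV_VARS = {  # required header -> env var holding it; variable names are assumed for this example
    "x-glofox-branch-id": "GLOFOX_BRANCH_ID",
    "x-api-key": "GLOFOX_API_KEY",
    "x-glofox-api-token": "GLOFOX_API_TOKEN",
}


def load_credentials(env=None):
    """Build the three required headers from the backend's environment; fail closed if any is missing."""
    env = os.environ if env is None else env  # pass a dict to test without touching os.environ
    headers = {h: env.get(v) for h, v in CREDENTIAL_ENV_VARS.items()}
    missing = [v for h, v in CREDENTIAL_ENV_VARS.items() if not headers[h]]
    if missing:
        raise RuntimeError("missing Glofox credentials: " + ", ".join(missing))
    return headers


class SlidingWindowLimiter:
    """Allow at most `limit` calls in any rolling `window` seconds (page limit: 10 per second)."""

    def __init__(self, limit=RATE_LIMIT_PER_SECOND, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()  # timestamps of calls still inside the window

    def try_acquire(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            return False  # caller should queue, or answer its own client with 429
        self.sent.append(now)
        return True


def build_glofox_request(path, credentials, limiter):
    """Return (url, headers) for one outbound call, or None when the local limit is hit."""
    if not limiter.try_acquire():
        return None  # credentials stay on the backend either way; browsers only ever call this proxy
    return GLOFOX_BASE_URL + path, dict(credentials)


def redact_for_logging(headers):
    """Mask credential values so the proxy's request logs never carry the key or token."""
    return {k: ("***" if k in CREDENTIAL_ENV_VARS else v) for k, v in headers.items()}
```

The returned (url, headers) pair is what the backend hands to its HTTP client; a None result means the proxy should back off rather than let the upstream limit reject the call.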

Payments Collector iframe

If you use the payment collector iframe, your domain must be authorized. Request authorization via email or Slack. The domain https://localhost is pre-authorized for local development.