To integrate Replit with Mindbody, store your Mindbody API credentials in Replit Secrets, then call the Mindbody Public API v6 from your server-side code to retrieve class schedules, manage bookings, and access staff and client data. Mindbody uses OAuth 2.0 for authentication, so your Replit backend handles the token exchange and all API calls securely.
Build Fitness Booking Apps with Mindbody and Replit
Mindbody powers tens of thousands of fitness studios, yoga centers, spas, and wellness businesses. Its Public API v6 exposes class schedules, appointment availability, client management, staff data, and payment records — everything needed to build custom booking experiences, mobile apps, membership portals, and automated business workflows. Developers at boutique fitness brands frequently use the Mindbody API to create white-label booking pages that match their brand rather than using the default Mindbody widget.
Replit is a strong platform for Mindbody integrations because it handles the always-on server requirement needed for OAuth token management. Mindbody access tokens expire and must be refreshed, so you need a persistent backend — not a static site or serverless function with cold starts. A Replit Autoscale deployment gives you a stable server-side environment that manages token lifecycle, caches responses to stay within Mindbody's rate limits, and exposes clean API endpoints to your frontend.
This tutorial covers OAuth 2.0 token acquisition, reading class schedules, managing bookings, and deploying the full integration. Both Python (using Flask and requests) and Node.js (using Express and fetch) implementations are provided, so you can choose the language your team is most comfortable with.
Integration method
The Mindbody Public API v6 uses OAuth 2.0 for authentication. Your Replit backend exchanges your API key and subscriber credentials for an access token, then uses that token to call endpoints for classes, appointments, clients, and staff. Token refresh is handled automatically in your server-side code.
Prerequisites
- A Mindbody business account with API access — apply at developers.mindbodyonline.com for a developer API key
- Your Mindbody API key, site ID (the numeric ID of the business you are integrating with), and staff username/password for OAuth token requests
- A Replit account (Replit Core recommended for production Autoscale deployments)
- Basic knowledge of OAuth 2.0 token flow and REST APIs
- Node.js or Python familiarity for writing the backend server code
Step-by-step guide
Apply for Mindbody API Access and Collect Credentials
Apply for Mindbody API Access and Collect Credentials
The Mindbody API requires an approved developer account before you can make any calls. Visit developers.mindbodyonline.com and apply for API access. Mindbody reviews applications — approval typically takes 1-3 business days. Once approved, you receive an API key (called a 'developer API key' in their docs) that must be included in every request as the API-Key header. In addition to your developer API key, Mindbody API v6 uses user token authentication. You authenticate by POSTing to the UserTokens endpoint with your site's staff username and password plus your developer API key. The response returns an AccessToken that you include as a bearer token in subsequent API calls. The access token has a limited lifetime and must be refreshed periodically. Collect these values before proceeding: your developer API key, the SiteId for the business you are integrating (a numeric value like -99 for the sandbox or your real site ID for production), and a staff username and password with API access permissions. In the Mindbody admin, staff accounts need the 'Access reports and information through third-party software' permission enabled. Mindbody provides a sandbox environment (SiteId -99) for testing. Always develop against the sandbox before switching to your production site ID.
Pro tip: Use SiteId -99 (Mindbody sandbox) during development and testing. The sandbox contains demo clients, classes, and staff so you can test all API operations without affecting real business data.
Expected result: You have your Mindbody developer API key, sandbox SiteId (-99), and a staff account username/password with API permissions, ready to add to Replit Secrets.
Store Credentials in Replit Secrets
Store Credentials in Replit Secrets
Open your Replit project and click the lock icon (🔒) in the left sidebar to open the Secrets panel. You need to store four secrets: your developer API key, your site ID, and your staff account username and password. Click + New Secret and create: MINDBODY_API_KEY (your developer API key), MINDBODY_SITE_ID (the numeric site ID, e.g., -99 for sandbox), MINDBODY_USERNAME (staff account email), and MINDBODY_PASSWORD (staff account password). Each value is encrypted and injected as environment variables when your Repl starts. In Python, access them via os.environ['MINDBODY_API_KEY']. In Node.js, use process.env.MINDBODY_API_KEY. If you update any secret value while the Repl is running, stop and restart the Repl to pick up the new value. For the deployed Autoscale instance, redeploy after changing secrets. Be aware that storing staff credentials in Secrets is necessary for the OAuth token flow but does carry some security implications. Use a dedicated API service account in Mindbody rather than a real staff member's personal account, and grant it only the minimum permissions required.
1import os23# Verify all required Mindbody secrets are present4required = {5 'MINDBODY_API_KEY': 'Developer API key from developers.mindbodyonline.com',6 'MINDBODY_SITE_ID': 'Numeric site ID (-99 for sandbox)',7 'MINDBODY_USERNAME': 'Staff account username/email',8 'MINDBODY_PASSWORD': 'Staff account password'9}1011for key, description in required.items():12 val = os.environ.get(key)13 if not val:14 print(f'MISSING: {key} — {description}')15 else:16 print(f'OK: {key} ({len(val)} chars)')Expected result: All four secrets show 'OK' with character counts, confirming the Mindbody credentials are correctly loaded into the Replit environment.
Implement OAuth Token Management
Implement OAuth Token Management
The Mindbody API v6 requires a bearer token on every request. You obtain this token by POSTing to the UserTokens endpoint with your staff credentials and API key. The token expires after a set period, so your server needs to handle token refresh automatically — either by tracking expiry time and re-requesting before expiry, or by catching 401 responses and re-authenticating. The token management pattern below implements a simple caching approach: the access token and its expiry timestamp are stored in memory. Every API call first checks if the cached token is still valid; if not, it requests a new one. This avoids making unnecessary authentication requests on every API call while handling expiry gracefully. The base URL for API v6 is https://api.mindbodyonline.com/public/v6. All endpoints require two headers: API-Key with your developer API key, and Authorization: Bearer {token} with your access token. The SiteId is passed as a query parameter or header depending on the endpoint.
1# Python Mindbody API client with token caching2import os3import time4import requests56API_KEY = os.environ['MINDBODY_API_KEY']7SITE_ID = os.environ['MINDBODY_SITE_ID']8USERNAME = os.environ['MINDBODY_USERNAME']9PASSWORD = os.environ['MINDBODY_PASSWORD']10BASE_URL = 'https://api.mindbodyonline.com/public/v6'1112# Token cache13_token_cache = {'token': None, 'expires_at': 0}1415def get_access_token():16 """Return a valid access token, refreshing if expired."""17 if _token_cache['token'] and time.time() < _token_cache['expires_at'] - 60:18 return _token_cache['token']1920 response = requests.post(21 f'{BASE_URL}/usertoken/issue',22 headers={'API-Key': API_KEY, 'SiteId': SITE_ID},23 json={24 'Username': USERNAME,25 'Password': PASSWORD26 }27 )28 response.raise_for_status()29 data = response.json()30 token = data['AccessToken']31 # Mindbody tokens typically valid for 2 hours (7200 seconds)32 _token_cache['token'] = token33 _token_cache['expires_at'] = time.time() + 720034 return token3536def mb_get(endpoint, params=None):37 """Make an authenticated GET request to Mindbody API."""38 token = get_access_token()39 headers = {40 'API-Key': API_KEY,41 'SiteId': SITE_ID,42 'Authorization': f'Bearer {token}'43 }44 response = requests.get(f'{BASE_URL}{endpoint}', headers=headers, params=params)45 response.raise_for_status()46 return response.json()4748# Fetch classes for next 7 days49def get_classes(start_date, end_date):50 return mb_get('/class/classes', params={51 'StartDateTime': start_date,52 'EndDateTime': end_date53 })5455# Get client details by email56def get_client(email):57 return mb_get('/client/clients', params={'SearchText': email})5859if __name__ == '__main__':60 from datetime import datetime, timedelta61 today = datetime.now().strftime('%Y-%m-%dT00:00:00')62 week = (datetime.now() + timedelta(days=7)).strftime('%Y-%m-%dT23:59:59')63 classes = get_classes(today, week)64 print(f"Found {classes.get('TotalResults', 0)} classes in next 7 days")Pro tip: Token expiry in Mindbody is 2 hours by default. The cache subtracts 60 seconds as a buffer to avoid using a token that expires mid-request. For long-running batch jobs, re-check token validity before each API call.
Expected result: Running the script authenticates, caches the token, and prints the number of classes found in the next 7 days from your Mindbody sandbox or production site.
Build a Booking API with Node.js Express
Build a Booking API with Node.js Express
This step creates a Node.js Express server that exposes clean endpoints for class schedules and client bookings. The server manages the OAuth token lifecycle, translates simple HTTP requests into Mindbody API calls, and returns formatted JSON responses to your frontend or mobile app. The implementation below provides three endpoints: GET /classes for upcoming schedules, POST /bookings to enroll a client in a class, and DELETE /bookings/:id to cancel a booking. Each endpoint authenticates with a cached token and handles Mindbody-specific error codes (like trying to book a full class or a client who is already enrolled). Bind the server to 0.0.0.0 port 3000 — this is required for Replit's networking. Replit automatically assigns the server a public URL that you can use as your API base URL from the frontend.
1// Node.js Express server for Mindbody API2const express = require('express');3const app = express();4app.use(express.json());56const API_KEY = process.env.MINDBODY_API_KEY;7const SITE_ID = process.env.MINDBODY_SITE_ID;8const USERNAME = process.env.MINDBODY_USERNAME;9const PASSWORD = process.env.MINDBODY_PASSWORD;10const BASE_URL = 'https://api.mindbodyonline.com/public/v6';1112let tokenCache = { token: null, expiresAt: 0 };1314async function getToken() {15 if (tokenCache.token && Date.now() < tokenCache.expiresAt - 60000) {16 return tokenCache.token;17 }18 const res = await fetch(`${BASE_URL}/usertoken/issue`, {19 method: 'POST',20 headers: { 'API-Key': API_KEY, 'SiteId': SITE_ID, 'Content-Type': 'application/json' },21 body: JSON.stringify({ Username: USERNAME, Password: PASSWORD })22 });23 const data = await res.json();24 tokenCache = { token: data.AccessToken, expiresAt: Date.now() + 7200000 };25 return tokenCache.token;26}2728async function mbFetch(path, options = {}) {29 const token = await getToken();30 const headers = {31 'API-Key': API_KEY, 'SiteId': SITE_ID,32 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json',33 ...options.headers34 };35 const res = await fetch(`${BASE_URL}${path}`, { ...options, headers });36 return res.json();37}3839// GET /classes?startDate=2025-01-01&endDate=2025-01-0740app.get('/classes', async (req, res) => {41 try {42 const { startDate, endDate } = req.query;43 const data = await mbFetch(`/class/classes?StartDateTime=${startDate}&EndDateTime=${endDate}`);44 res.json(data);45 } catch (err) {46 res.status(500).json({ error: err.message });47 }48});4950// POST /bookings { classId, clientId }51app.post('/bookings', async (req, res) => {52 try {53 const { classId, clientId } = req.body;54 const data = await mbFetch('/class/addclienttoclass', {55 method: 'POST',56 body: JSON.stringify({ ClassId: classId, ClientId: clientId })57 });58 res.json(data);59 } catch (err) {60 res.status(500).json({ error: err.message });61 }62});6364app.listen(3000, '0.0.0.0', () => console.log('Mindbody API server running on port 3000'));Expected result: The Express server starts successfully. Calling GET /classes with date range parameters returns a JSON list of classes from Mindbody.
Deploy to Replit Autoscale
Deploy to Replit Autoscale
Deploy your Mindbody integration to Replit Autoscale for a production-ready, permanently available API. Autoscale is the right deployment type here because Mindbody API traffic is typically bursty (spikes when class schedules are viewed or during booking windows) and the service needs to be continuously available for booking confirmations. Click the Deploy button in the Replit editor, select Autoscale, and configure your run command (node index.js for Node.js or python app.py for Python). Set the machine size to at least 0.5 vCPU and 512MB RAM to comfortably handle concurrent booking requests. Your Replit Secrets are automatically available in the deployed environment. After deployment, Replit provides a stable production URL. Use this URL as the API base URL in your frontend application or Mindbody widget replacement. The URL remains constant even when the Repl is updated — you do not need to update frontend configs after redeployments. For production fitness studio integrations, configure CORS on your Express server to only allow requests from your specific frontend domain. Add rate limiting middleware to protect against accidental or malicious excessive API calls, which could exhaust your Mindbody API rate limit.
1# Example: add CORS and rate limiting to your Express server2# Install: npm install cors express-rate-limit34# In index.js, add:5# const cors = require('cors');6# const rateLimit = require('express-rate-limit');7#8# app.use(cors({ origin: 'https://yourstudio.com' }));9# app.use(rateLimit({ windowMs: 60 * 1000, max: 100 })); // 100 req/minPro tip: The Mindbody API enforces per-site rate limits. Cache class schedule responses for 5-10 minutes in memory or Redis to reduce API calls during peak traffic when many users are viewing the schedule simultaneously.
Expected result: Your Mindbody API service is live on Replit Autoscale with a permanent URL. Class schedule and booking endpoints are accessible from your frontend application.
Common use cases
Custom Class Schedule Widget
A fitness studio wants a branded class schedule on their website instead of the default Mindbody widget. Your Replit server fetches class schedules from the Mindbody API, formats them as JSON, and serves them to a custom React frontend. Clients can filter by instructor, time slot, and class type, and book directly through a custom interface.
Build a Node.js Express API that fetches class schedules from the Mindbody API for the next 7 days and returns them as JSON, with filtering by class name and instructor. The frontend will call this endpoint to display a branded schedule.
Copy this prompt to try it in Replit
Automated Waitlist Notifications
When a popular class fills up, clients join a waitlist. Your Replit server polls the Mindbody API every 5 minutes for class enrollment changes, detects when a spot opens, and immediately sends an SMS (via Twilio) to the first person on the waitlist with a booking link. This replaces the native Mindbody waitlist with faster, customizable notifications.
Create a Python script that polls the Mindbody API every 5 minutes for class capacity changes, detects when a previously full class has an open spot, and sends an SMS notification via Twilio to the next client on the waitlist.
Copy this prompt to try it in Replit
New Client Onboarding Sync
When a new client signs up on your website, a webhook triggers your Replit server to create their Mindbody client record, assign them to the correct membership type, and send a welcome email. This eliminates double data entry between your website CRM and your Mindbody business account.
Build a Flask endpoint that receives new client data from a website signup form, creates the client in Mindbody via the API, adds them to a default membership contract, and triggers a welcome email sequence.
Copy this prompt to try it in Replit
Troubleshooting
401 Unauthorized when calling any Mindbody API endpoint
Cause: The access token has expired, the token request failed silently, or the API-Key header is missing or incorrect. Mindbody requires both the API-Key header and the Authorization Bearer token on every request.
Solution: Log the full response from the token request to verify you are receiving an AccessToken. Confirm both headers are set in every outgoing request. Check that your MINDBODY_API_KEY secret matches the key shown in your Mindbody developer account. If using the sandbox, ensure your SiteId is -99.
1# Debug token request2response = requests.post(3 f'{BASE_URL}/usertoken/issue',4 headers={'API-Key': API_KEY, 'SiteId': SITE_ID},5 json={'Username': USERNAME, 'Password': PASSWORD}6)7print('Status:', response.status_code)8print('Response:', response.json())Error: 'The site ID is required' or SiteId not recognized
Cause: The SiteId is being sent as a query parameter instead of as a header, or the value contains extra whitespace from the Replit Secrets entry.
Solution: The Mindbody API v6 expects SiteId as a request header, not a query parameter. Ensure your MINDBODY_SITE_ID secret value has no leading/trailing spaces. In Python, strip the value: SITE_ID = os.environ['MINDBODY_SITE_ID'].strip(). Sandbox SiteId is the integer -99.
1SITE_ID = os.environ['MINDBODY_SITE_ID'].strip()2print(f'SiteId: [{SITE_ID}]') # Check for hidden whitespaceMindbody API returns results but classes list is empty for known dates
Cause: The sandbox site (-99) has a fixed set of demo data with classes only on specific dates, not necessarily the current week. Alternatively, the date format may be incorrect — Mindbody expects ISO 8601 datetime strings.
Solution: For sandbox testing, use dates in the range 2023-01-01 to 2023-12-31 which have demo class data. Ensure dates are formatted as YYYY-MM-DDTHH:MM:SS (e.g., 2023-06-01T00:00:00). For production, verify the SiteId matches your real business location.
Token request fails with 'Staff credentials not authorized for API access'
Cause: The staff account used for API authentication does not have the required permission enabled in Mindbody. API access must be explicitly granted per staff account.
Solution: In Mindbody Admin, go to Setup > Staff > select the staff account > Permissions. Enable 'Access reports and information through third-party software' permission. Save changes and retry the token request. Create a dedicated API service account with only the permissions your integration needs.
Best practices
- Create a dedicated Mindbody staff service account for API access rather than using a real employee's credentials, and grant it only the minimum permissions required.
- Cache access tokens in memory and refresh them proactively before expiry to avoid failed API calls during token transitions.
- Cache class schedule responses for 5-10 minutes — schedules change infrequently and caching dramatically reduces your API call volume.
- Always develop and test against the Mindbody sandbox (SiteId -99) before switching to your production site ID.
- Store all Mindbody credentials in Replit Secrets (lock icon 🔒) — never hardcode API keys, usernames, or passwords in source code.
- Deploy on Replit Autoscale for fitness booking integrations — the always-available endpoint ensures booking requests are never dropped.
- Implement request rate limiting on your Replit server to protect against your frontend accidentally flooding the Mindbody API during traffic spikes.
- Log all booking and cancellation operations with client IDs and timestamps for business reporting and dispute resolution.
Alternatives
Acuity Scheduling is a general-purpose appointment booking tool with a simpler API, making it easier to integrate for businesses that don't specifically need fitness studio features.
Zocdoc focuses on healthcare appointment booking with verified provider profiles, making it a better fit for medical or clinical wellness services rather than fitness studios.
If your primary goal is handling payments for fitness memberships or class packs rather than managing bookings and schedules, Stripe Connect offers more flexible payment processing.
Frequently asked questions
Does Replit work with the Mindbody API?
Yes. Replit runs standard Node.js and Python server code that can call the Mindbody Public API v6 over HTTPS. Your Replit server handles OAuth token acquisition, caching, and refresh, then forwards requests to the Mindbody API. Deploy on Replit Autoscale for a production-grade booking backend.
How do I store my Mindbody API key in Replit?
Click the lock icon (🔒) in the Replit sidebar to open the Secrets panel, then add MINDBODY_API_KEY, MINDBODY_SITE_ID, MINDBODY_USERNAME, and MINDBODY_PASSWORD as individual secrets. Access them in code via os.environ['MINDBODY_API_KEY'] (Python) or process.env.MINDBODY_API_KEY (Node.js). Restart the Repl after adding secrets.
Can I use Replit with Mindbody for free?
Replit's free tier can run a Mindbody integration for development and testing. However, Mindbody API access requires a paid Mindbody business subscription with API access enabled — there is no free API tier for Mindbody. For production use, upgrade to Replit Core for reliable Autoscale deployments.
How do I test Mindbody API calls without affecting real data?
Use Mindbody's sandbox environment by setting SiteId to -99 in your Replit Secrets. The sandbox has pre-populated demo classes, clients, and staff that you can use to test all API operations. Your developer API key works against both the sandbox and production environments — only the SiteId changes.
What is the Mindbody API rate limit?
Mindbody enforces rate limits per site per developer key, typically around 300 requests per minute for most endpoints. Class schedule endpoints are called frequently when many users view the schedule simultaneously, so implement server-side caching of schedule responses (5-10 minute TTL) to stay well within the limit. Booking endpoints should not require caching.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation