Approve (or deny) a pending OAuth authorization request for the chosen business. On approval, re-validates the request, re-authorizes the viewer's access to businessId, and mints a one-time authorization code; on denial, builds an error=access_denied redirect. Either way redirectUrl is the absolute URL the browser should be sent to (the client's redirect_uri with a code or error). Requires an authenticated viewer.

Register (or refresh) the calling device's push-notification token for a business's white-label app. Idempotent on the device token: re-registering updates the row and re-enables it. The token is scoped to the business identified by businessHandle. Requires an authenticated viewer.

Disable the calling device's push token (e.g. on sign-out or when the user turns off notifications). Returns true if a matching active token was disabled.

Take ownership of a concierge-built business via a claim token. Requires an authenticated viewer (sign-in/account creation happens first on the claim landing page). Transfers businesses.ownerId to the viewer, adds them as a staff member, and marks the claim claimed. Rejects unknown, expired, already-claimed, or revoked tokens.

Create a family (household) owned by the viewer, who becomes its first manager. A viewer can create more than one family.

Add a managed child to a family the viewer manages. Creates a login-less users row (no email) and a child membership. Requires a date of birth (YYYY-MM-DD) for age-eligibility.

Update a member's name and/or date of birth.

Remove a member from the family (soft-deletes the membership).

Create or replace a member's medical profile.

Record or update a single consent for a member.

Add an emergency contact for a member.

Remove an emergency contact (soft-delete).

Graduate a managed child to their own login by giving them an email. Only allowed for a child aged 13 or older (COPPA). Sends them a sign-in code so they can take over the account.

Invite another adult by email to join a family as a manager or guardian. The viewer must be a manager/guardian of the family. Emails the invitee a link that signs them in (creating an account if needed) and lands on the accept page. role must be manager or guardian — never child.

Accept a co-guardian invitation by its secret token. The viewer must be signed in with the email the invite was sent to; on success they join the family with the invited role.

Revoke a pending co-guardian invitation. Only a manager/guardian of the family may revoke it.

Request an email containing a 6-digit code to confirm a new account. Always returns success regardless of whether the email is already in use (anti-enumeration). If an account already exists for the email, a sign-in code is sent instead.

When businessHandle is set, the issued code is pinned to that business and the resulting token is scoped to it (does not set a cross-account cookie). Used by the business-pinned embed sign-in flow.

When name is set and the email resolves to a brand-new account at redemption time, that name is applied to the inserted user row. Ignored for emails that already have an account.

Request a sign-in email containing a 6-digit code. Always returns success regardless of whether the email matches an existing account (anti-enumeration).

When businessHandle is set, the issued code is pinned to that business and the resulting token is scoped to it (does not set a cross-account cookie). Used by the business-pinned embed sign-in flow.

Redeem a 6-digit auth code and sign the user in. Returns the created or signed-in user, the JWT token, and the redirect URL stored on the code. Sets the auth cookie on success — except for codes that were issued with a business pin, which return a business-scoped token without touching the cookie session.

Clear the auth cookie and sign out the current user.

Begin passkey registration for the currently authenticated user.

Complete passkey registration and save the credential.

Begin passkey authentication. Pass email to hint at known credentials.

Complete passkey authentication and issue an auth token. Sets the auth cookie unless businessHandle is set, in which case a business-scoped token is returned without touching the cookie session (embed sign-in flow).

Delete a saved passkey by ID.

Soft-delete the currently authenticated account, revoke its sessions, and immediately cancel any active recurring membership billing linked to it.

Revoke (sign out) one of the viewer's own sessions.

Revoke (sign out) all of the viewer's sessions except the current one.

Rename a saved passkey. The trimmed name must not be empty.

Report the result of a league match — the single match of a session. Allowed for an active captain of either competing team. Applies the activity's scoreEntryMode (immediate vs. admin-approval).

Dispute a completed league result (only under immediate scoring). Flags the match for staff adjudication; allowed for a captain of either team.

Register for an individual activity session. Use productPurchase to pay with an existing pass/membership, or omit it for direct purchase. Pass guest to register on behalf of someone else; the caller is recorded as the booker and pays. The activity's participant policy must allow guest registrations.

Pass buyer when the caller is not signed in to perform guest checkout. Requires the business's guestCheckoutEnabled setting.

Books an open time range on a structure: booking activity. Validates [startAt, endAt) is a contiguous run of the activity's open increments whose increment count is within [minIncrements, maxIncrements], then creates the booking — an activityId-tied appointment session + registration. Free bookings confirm immediately; activities set to request mode create a pending request the business approves or declines. Paid bookings charge bookingPricePerIncrement × increments and create the booking only once payment succeeds (via completeCheckout). buyer supplies guest details when the caller is not signed in.

productPurchase redeems one of the caller's passes/memberships (as surfaced by Activity.bookingPaymentResolution) against the booking: a pass spends the activity's creditCost (default 1) per booked increment, so a covering purchase settles the whole booking for creditCost × increments, confirming immediately via the free path — no charge, no checkout. It's all-or-nothing — the purchase must belong to the buyer, be active, cover the activity, and (for a finite session count) have enough sessions for the whole booking; otherwise it's rejected and the caller pays by card.

formData carries answers to the activity's registration blocks — intake questionnaires and consent/waiver signatures collected before the appointment — persisted as block metadata + an agreement PDF on the resulting registration, exactly like registerForActivity.

tipAmount adds an optional gratuity (cents) on top of a paid booking's service price; it is added after tax, ignored for free / package-covered bookings, and excluded from both the tax base and the platform-fee base.

emailMarketingConsent records the participant's optional opt-in to the business's marketing email, exactly like registerForActivity — honoured only when the booked activity carries an emailMarketing registration block and the business has consent collection enabled.

Cancel an existing activity registration.

Accept a waitlist offer. Completes registration; for card-paid offers with no reserved card on file, returns a CheckoutSession so the caller can drive Stripe.js. Optional discount and gift-card codes can be applied at accept time.

Create a SetupIntent for capturing a card to reserve a paid waitlist spot. The returned client secret is consumed by Stripe.js; the resulting PaymentMethod is then passed to registerForActivity as paymentMethod.

Register the current user for a challenge. Creates or reuses the participant record for the challenge's business.

Complete a checkout after Stripe payment confirmation. Verifies the payment status with Stripe, then fulfills the underlying entity (pass purchase or registration). Idempotent — safe to call multiple times.

Purchase a product (pass, membership, gift card, or physical product). Returns a checkout session if payment is required, or the purchase directly for free products.

Pass buyer when the caller is not signed in to perform guest checkout. Requires the business's guestCheckoutEnabled setting. Passes and memberships always require a signed-in user.

Persist the buyer's responses to a product's purchase-page blocks (contract acceptance, signature, acknowledgements, form fields) as an immutable snapshot, keyed by purchase. Sent as part of the checkout flow. Replaces any previously-recorded responses for the purchase.

Create a Stripe Customer Portal session for a membership purchase so the buyer can update payment details or cancel the recurring subscription.

Create a SetupIntent for adding a saved card to the viewer's account. The client mounts Stripe Elements in setup mode against the returned clientSecret; on success the card is attached to the viewer's Stripe Customer and listed by Me.paymentMethods.

Persist a freshly-attached PaymentMethod into the local cache so subsequent reads of Me.paymentMethods don't need a Stripe call. Called by the client right after confirmSetup resolves; idempotent with the payment_method.attached webhook backstop.

Mark one of the viewer's saved cards as the default. Updates the Stripe Customer's invoice_settings.default_payment_method, which is the auto-charge fallback for paid waitlist promotion (and any future off-session charge surface).

Detach one of the viewer's saved cards. Returns a friendly error when the card backs an active membership subscription — the caller should swap the subscription's payment method via the billing portal first.

Prepare an in-app billing recovery attempt for a membership subscription. Returns the latest invoice confirmation secret for Stripe Elements when the invoice still needs payment or authentication.

Finish an in-app billing recovery attempt after Stripe Elements confirms the latest invoice payment. Webhooks remain the source of truth for clearing the local billing issue.

Schedule a membership subscription to cancel at the end of the current billing period.

Undo a pending end-of-period cancellation for a membership subscription.

Redeem a gift card code for the given business. Creates or transfers the balance to the authenticated user's participant record.

Update the authenticated user's profile. All arguments are optional; only fields that are provided are applied. Pass avatar: null to remove the avatar, or socialLinks: [] to clear all social links.

Send a verification code and link to the requested email address. Confirming either swaps the user's email to the new address. Always returns success regardless of whether the target email is already in use (anti-enumeration).

Confirm a pending email change with the 6-digit code sent to the new address. The user must still be signed in to the account requesting the change.

Create a new business owned by the given user. Surfaced on the public (account-subdomain) schema so the post-signup Create a business flow can run before the operator has a business subdomain to call the business-scoped variant against.

Register interest in Sessions supporting a country it can't yet onboard. Surfaced on the create-business country picker ("Request another country…"). country is free-form (the whole point is unsupported countries); region and note are optional. The request is logged as an internal country-request signal (and the caller's detected location is attached server-side). Always succeeds for any non-empty country.

Add a business, staff member (instructor), or activity to the authenticated user's favorites. Idempotent — adding an existing favorite is a no-op.

Remove a business, staff member, or activity from the authenticated user's favorites. Idempotent — removing a favorite that isn't set is a no-op.

Leave a star rating (1–5) and an optional written review for a business or one of its staff members. The viewer must be a verified attendee: a confirmed registration for one of the business's sessions is required, and for a staff review, a session that staff member was assigned to. At most one live review per target — submitting again when one already exists returns a $.target error (edit the existing review instead).

Update the rating and/or written body of a review the viewer authored.

Delete a review the viewer authored. Soft-deletes the row, freeing the viewer to review the same target again later.

Set the signed-in viewer's own email-marketing consent for a business they participate in. grant records an affirmative opt-in and freezes the compliant disclosure the viewer was shown (only allowed while the business is collecting consent); withdraw unsubscribes. Recorded as an immutable ledger event with source = participant.

Set the preview branch to route requests to. Pass null (or omit) to clear the pinned preview and route to the main worker. Writes (or augments) the debug claim on the auth cookie; clients reload to pick up the new routing.

End the current observer session and restore the admin's own session. Available wherever an observer session is honored (e.g. the user's own go / account view) so the admin can stop observing from any of them.

Generate a CSV of the viewer's product purchases (across every participant linked to their account) and persist it as a downloadable {@link UserExport}. The optional filters mirror the account purchases list — substring search, product types, and businesses.

Generate a CSV of every review the viewer has written and persist it as a downloadable {@link UserExport}. Reviews carry no list filters.

Generate a CSV of the viewer's session registrations and persist it as a downloadable {@link UserExport}. The optional filters mirror the account schedule list — time window, businesses, activity types, and substring search; business scopes the export to a single business.