The validate token method, only checks if the user has a valid token, therefore it should not be used for customer turnstile release. That is exclusively to verify if the user has a valid TotalPass acces and do not guarantee a real customer access.

In "valid" cases, api returns HTTP 204 no content, otherwise api returns HTTP 4** status and their respective motivations.

OBS:

The field "service_provider_code" represents the "gym", so you have to provide the gym code to validate user access.

OBS2:

If the Gym has only one plan, the "service_provider_plan_code" field is optional in payload construction, but when the Gym had more then one plan, the "service_provider_plan_code" field becomes required field.