diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index b740d3a1..f90e8147 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,183 +1,71 @@
-# RepTrack – Copilot Instructions
+# RepTrack – Agent Instructions
 
-RepTrack is a full-stack strength-training tracker. The client is React + Vite (TypeScript), the server is FastAPI (Python 3.14+), and the database is PostgreSQL via SQLAlchemy 2.0 + AsyncPG.
+RepTrack is a full-stack strength-training tracker:
 
----
+- `client/`: React 19 + Vite + TypeScript
+- `server/`: FastAPI + SQLAlchemy 2.0 async stack
+- DB: PostgreSQL (AsyncPG)
 
-## Repository Layout
+## Build, Test, and Lint Commands
 
-```
-client/          React + Vite frontend
-server/          FastAPI backend
-config/env/      Environment files (.env.example → .env)
-config/infra/    Docker Compose for dev/prod
-scripts/         Dev bootstrap (dev.sh) and API generation
-```
-
----
+### Root (monorepo)
 
-## Commands
+- Format all: `npm run format`
+- Lint/typecheck all configured checks: `npm run lint`
+- Server typecheck only: `npm run check:py`
 
 ### Server (`cd server`)
 
-| Task                       | Command                                                         |
-| -------------------------- | --------------------------------------------------------------- |
-| Start dev server           | `make dev`                                                      |
-| Run all tests              | `make test`                                                     |
-| Run tests with coverage    | `make cov`                                                      |
-| Run a single test file     | `uv run pytest app/tests/api/auth/test_login.py -v`             |
-| Run a single test function | `uv run pytest app/tests/api/auth/test_login.py::test_login -v` |
-| Type check                 | `make check`                                                    |
-| Generate migration         | `make auto_migration msg="description"`                         |
-| Apply migrations           | `make migrate`                                                  |
-| Verify migrations          | `make check_migrations`                                         |
+- Dev server: `make dev`
+- Typecheck: `make check`
+- Test suite: `make test`
+- Tests with coverage: `make cov`
+- Single test file: `uv run pytest app/tests/api/auth/test_login.py -v`
+- Single test function: `uv run pytest app/tests/api/auth/test_login.py::test_login -v`
+- Alembic check: `make check_migrations`
+- Apply migrations: `make migrate`
 
 ### Client (`cd client`)
 
-| Task                  | Command                |
-| --------------------- | ---------------------- |
-| Start dev server      | `npm run dev`          |
-| Build                 | `npm run build`        |
-| Lint (auto-fix)       | `npm run lint`         |
-| Regenerate API client | `npm run generate-api` |
-
-### Root (monorepo)
-
-| Task              | Command            |
-| ----------------- | ------------------ |
-| Format all        | `npm run format`   |
-| Lint all          | `npm run lint`     |
-| Type check server | `npm run check:py` |
-
----
-
-## Dev Environment
-
-```bash
-cp config/env/.env.example config/env/.env    # fill in values
-./scripts/dev.sh                              # install deps + start Docker Compose
-./scripts/dev.sh -s                           # skip install, just start
-./scripts/dev.sh -o                           # omit client/server containers
-```
+- Dev server: `npm run dev`
+- Build: `npm run build`
+- Lint (auto-fix): `npm run lint`
+- Regenerate OpenAPI client: `npm run generate-api`
 
-Docker Compose runs postgres, adminer, migrations, server (uvicorn), and client (Vite) with hot reload.
+## High-Level Architecture
 
----
+### Server request path
 
-## Architecture
+- `server/app/__init__.py` owns app assembly (`create_app`): logging setup, global exception handlers, `/api` router mounting, Swagger UI install in non-prod-like envs, CORS wrapping.
+- `server/app/main.py` just instantiates and exports `fastapi_app, app`.
+- `server/app/api/router.py` composes domain routers from `server/app/api/endpoints/*.py`.
+- Endpoints are intentionally thin and delegate business logic to `server/app/services/*.py`.
 
-### Server
+### Auth/session architecture across backend + frontend
 
-- **Entry point:** `server/app/main.py` — creates the FastAPI app, registers routers, exception handlers, and lifespan
-- **Routing:** `server/app/api/router.py` composes all routers under `/api`. Each domain lives in `server/app/api/endpoints/{domain}.py`
-- **Services:** `server/app/services/{domain}.py` — business logic, called by endpoints. Keep endpoints thin.
-- **Database models:** `server/app/models/database/{entity}.py` — SQLAlchemy 2.0 declarative models
-- **Schemas:** `server/app/models/schemas/{domain}.py` — Pydantic request/response models
-- **Config:** `server/app/core/config.py` — `Settings` loaded via `pydantic-settings` with `__` as nested delimiter (e.g., `DB__HOST`)
-- **Auth:** HTTP-only JWT cookies (`ACCESS_JWT_KEY`, `REFRESH_JWT_KEY`). `get_current_user` and `get_current_admin` are FastAPI dependencies in `server/app/core/security.py`
-- **Errors:** Custom `HTTPError` subclasses in `server/app/models/errors.py`; raise them directly (e.g., `raise InvalidCredentials()`)
+- Backend auth uses HTTP-only cookies (`access_token`, `refresh_token`) from `auth` endpoints.
+- JWT verification and current-user/admin dependencies are in `server/app/core/dependencies.py` and `server/app/core/security.py`.
+- Frontend API client (`client/src/api/axios.ts`) queues concurrent 401s and performs one refresh-token request, then retries queued calls.
+- `SessionProvider` loads `/api/users/current` to determine authenticated state; `RequireAuth` / `RequireGuest` gate routes in `client/src/AppRoutes.tsx`.
 
-### Client
+### OpenAPI client generation pipeline
 
-- **API client:** Auto-generated from OpenAPI spec via `@hey-api/openapi-ts`. Run `npm run generate-api` after server changes. Do **not** hand-edit `src/api/`.
-- **Auth guards:** `RequireAuth` / `RequireGuest` components wrap routes in `src/router/`
-- **Axios interceptors:** Handle 401 auto-refresh with request queueing (`src/lib/axios.ts`)
-
----
+- Server OpenAPI spec is generated by `scripts/generate_api.sh`.
+- Client generation uses `client/openapi-ts.config.ts` with `@hey-api/openapi-ts`.
+- SDK generation strategy is `byTags` + `operationId` nesting, so endpoint `operation_id` values drive generated method names.
+- Generated files live in `client/src/api/generated/` and should not be hand-edited.
 
 ## Key Conventions
 
-### Endpoints
-
-```python
-api_router = APIRouter(prefix="/auth", tags=["Auth"])
-
-@api_router.post(
-    "/login",
-    operation_id="login", # required — used for OpenAPI client generation
-    status_code=status.HTTP_204_NO_CONTENT,
-    responses={status.HTTP_401_UNAUTHORIZED: ErrorResponseModel},
-)
-async def login_endpoint(
-    req: LoginRequest,
-    db: Annotated[AsyncSession, Depends(get_db)],
-    settings: Annotated[Settings, Depends(get_settings)],
-    res: Response,
-):
-    result = await login(...) # delegate to service
-    res.set_cookie(...)
-```
-
-Always set `operation_id` — it drives the generated TypeScript client method name.
-
-### Schemas
-
-- Response schemas: `{Entity}Public` (e.g., `UserPublic`)
-- Request schemas: `{Action}Request` (e.g., `LoginRequest`, `RegisterRequest`)
-- Convert ORM → schema with `Model.model_validate(orm_obj, from_attributes=True)`
-- Shared field type aliases (`Name`, `Username`, `Password`, `Email`) live in `server/app/models/schemas/types.py`
-
-### Database Models
-
-```python
-class User(Base):
-    __tablename__ = "users"
-
-    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
-    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now())
-    updated_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now(), onupdate=func.now())
-```
-
-- Use SQLAlchemy 2.0 `Mapped` annotations throughout
-- All models include `created_at` / `updated_at` with `server_default=func.now()`
-- Alembic bulk updates must explicitly set `updated_at` (no ORM trigger)
-- Table names: lowercase plural; index names: `ix_{table}_{column}`
-
-### Auth in Routes
-
-```python
-# Authenticated route
-async def endpoint(user: Annotated[UserPublic, Depends(get_current_user)], ...):
-
-# Admin-only route
-async def endpoint(user: Annotated[UserPublic, Depends(get_current_admin)], ...):
-```
-
-### Error Handling
-
-Define errors as `HTTPError` subclasses; raise without arguments:
-
-```python
-class InvalidCredentials(HTTPError):
-    status_code = status.HTTP_401_UNAUTHORIZED
-    code = "invalid_credentials"
-    detail = "Invalid credentials"
-
-raise InvalidCredentials()
-```
-
-### Tests
-
-- Fixtures are in `server/app/tests/fixtures/` and registered in `server/conftest.py`
-- Shared helpers go in `server/app/tests/{scope}/utilities.py`, not per-test-file
-- Module-private helpers and constants are prefixed with `_`
-- Tests use `AsyncClient` from `httpx` against a savepoint-wrapped test DB
-- Test settings use `console` email/GitHub backends; admin credentials: `admin` / `admin@example.com` / `password`
-- `RegisterRequest` rejects usernames that are email addresses (enforced by `@field_validator`)
-- `get_user_by_identifier` resolves login by email OR username
-
----
-
-## Configuration
-
-Settings use Pydantic nested models with `__` as the env delimiter:
-
-```
-DB__HOST, DB__PORT, DB__NAME, DB__USER, DB__PASSWORD
-JWT__SECRET_KEY, JWT__ALGORITHM, JWT__ACCESS_TOKEN_EXPIRE_MINUTES
-ADMIN__USERNAME, ADMIN__EMAIL, ADMIN__PASSWORD
-EMAIL__BACKEND=smtp|local|console|disabled
-GH__BACKEND=api|console
-```
-
-Production requires `EMAIL__BACKEND=smtp` and `GH__BACKEND=api` (validated at startup).
+- Always set explicit `operation_id` on FastAPI endpoints. Missing or unstable IDs cause churn/breakage in generated TS SDK method names.
+- Route handlers keep orchestration only; core business logic belongs in `server/app/services/`.
+- Error handling uses `HTTPError` subclasses in `server/app/models/errors.py`; raise typed errors directly (e.g., `raise InvalidCredentials()`), not ad-hoc `HTTPException` payloads.
+- Settings come from nested env vars with `__` delimiter (see `server/app/core/config.py`, e.g. `DB__HOST`, `JWT__SECRET_KEY`). In prod-like envs, config validators enforce `EMAIL__BACKEND=smtp` and `GH__BACKEND=api`.
+- SQLAlchemy models use `Mapped[...]` + `mapped_column(...)`; models include `created_at`/`updated_at` timestamps. Alembic/bulk updates must set `updated_at` explicitly.
+- Client lint rules enforce wrapper usage over direct imports:
+    - Prefer app override components like `@/components/ui/overrides/button` instead of base shadcn paths.
+    - Prefer `@/` alias imports over deep relative paths.
+    - Prefer `@/lib/notify` over direct `toast` import from `sonner`.
+- Test stack uses pytest + async fixtures with a Postgres Testcontainers instance (`postgres:18`) and savepoint-based rollback per test (`server/app/tests/fixtures/database.py`).
+- Shared test helpers belong in `utilities.py` under the relevant test scope; module-private test helpers/constants are prefixed with `_`.
+- Auth schema rule: usernames cannot be email-shaped strings (`RegisterRequest` validator in `server/app/models/schemas/auth.py`); login accepts username or email identifier.
diff --git a/AGENTS.md b/AGENTS.md
new file mode 120000
index 00000000..02dd1341
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1 @@
+.github/copilot-instructions.md
\ No newline at end of file
diff --git a/README.md b/README.md
index 24b96f4c..5bcb0cf0 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 
 # RepTrack
 
-## Local Development
+## Development
 
 Copy `.env.example` to `.env` & populate variables
 
@@ -27,7 +27,7 @@ Start containers:
 ./scripts/dev.sh
 ```
 
-## Local GitHub Actions Testing
+## Testing GitHub Actions Workflows
 
 Use `act` to run workflows locally for quick validation.
 
@@ -43,13 +43,7 @@ Run a specific job:
 act -j {job-id}
 ```
 
-## Database Conventions
-
-All writes should go through SQLAlchemy
-
-Alembic updates & bulk SQLAlchemy updates must explicitly set `updated_at`
-
-## Shadcn Component Conventions
+## Shadcn Components
 
 shadcn adds components under `client/src/components/ui/`
 
@@ -58,3 +52,15 @@ To ensure custom styles & behavior survive component updates, follow these conve
 - Create custom component overrides under `client/src/components/ui/overrides/`
 - Import override components in app code instead of generated shadcn components
 - Add ESLint rules to prevent direct imports of generated components & point to override paths
+
+## Database
+
+### Conventions
+
+All writes should go through SQLAlchemy
+
+Alembic updates & bulk SQLAlchemy updates must explicitly set `updated_at`
+
+### Database ER Diagram
+
+![diagram](db_erd.png 'Database ER Diagram')
diff --git a/client/eslint.config.js b/client/eslint.config.js
index 8cf2ff68..60b2b9a5 100644
--- a/client/eslint.config.js
+++ b/client/eslint.config.js
@@ -51,6 +51,11 @@ export default defineConfig([
                             message:
                                 'Use Button from @/components/ui/overrides/button',
                         },
+                        {
+                            name: '@/components/ui/tooltip',
+                            message:
+                                'Use Tooltip from @/components/ui/overrides/tooltip',
+                        },
                         {
                             name: 'sonner',
                             importNames: ['toast'],
diff --git a/client/src/api/generated/index.ts b/client/src/api/generated/index.ts
index 67f0b57c..535bad71 100644
--- a/client/src/api/generated/index.ts
+++ b/client/src/api/generated/index.ts
@@ -1,4 +1,4 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-export { AdminService, AuthService, ExercisesService, FeedbackService, HealthService, MuscleGroupsService, type Options, UserService } from './sdk.gen';
-export type { AccessRequestPublic, AccessRequestStatus, ClientOptions, CreateExerciseData, CreateExerciseError, CreateExerciseErrors, CreateExerciseRequest, CreateExerciseResponse, CreateExerciseResponses, CreateFeedbackData, CreateFeedbackError, CreateFeedbackErrors, CreateFeedbackRequest, CreateFeedbackResponses, DeleteExerciseData, DeleteExerciseError, DeleteExerciseErrors, DeleteExerciseResponse, DeleteExerciseResponses, ErrorResponse, ExercisePublic, FeedbackType, ForgotPasswordData, ForgotPasswordError, ForgotPasswordErrors, ForgotPasswordRequest, ForgotPasswordResponse, ForgotPasswordResponses, GetAccessRequestsData, GetAccessRequestsError, GetAccessRequestsErrors, GetAccessRequestsResponse, GetAccessRequestsResponses, GetCurrentUserData, GetCurrentUserError, GetCurrentUserErrors, GetCurrentUserResponse, GetCurrentUserResponses, GetDbHealthData, GetDbHealthResponse, GetDbHealthResponses, GetExerciseData, GetExerciseError, GetExerciseErrors, GetExerciseResponse, GetExerciseResponses, GetExercisesData, GetExercisesError, GetExercisesErrors, GetExercisesResponse, GetExercisesResponses, GetHealthData, GetHealthResponse, GetHealthResponses, GetMuscleGroupsData, GetMuscleGroupsError, GetMuscleGroupsErrors, GetMuscleGroupsResponse, GetMuscleGroupsResponses, GetUsersData, GetUsersError, GetUsersErrors, GetUsersResponse, GetUsersResponses, HttpValidationError, LoginData, LoginError, LoginErrors, LoginRequest, LoginResponse, LoginResponses, LogoutData, LogoutResponse, LogoutResponses, MuscleGroupPublic, RefreshTokenData, RefreshTokenError, RefreshTokenErrors, RefreshTokenResponse, RefreshTokenResponses, RegisterData, RegisterError, RegisterErrors, RegisterRequest, RegisterResponse, RegisterResponses, RequestAccessData, RequestAccessError, RequestAccessErrors, RequestAccessRequest, RequestAccessResponse, RequestAccessResponses, ResetPasswordData, ResetPasswordError, ResetPasswordErrors, ResetPasswordRequest, ResetPasswordResponse, ResetPasswordResponses, ReviewerPublic, UpdateAccessRequestStatusData, UpdateAccessRequestStatusError, UpdateAccessRequestStatusErrors, UpdateAccessRequestStatusRequest, UpdateAccessRequestStatusResponse, UpdateAccessRequestStatusResponses, UpdateExerciseData, UpdateExerciseError, UpdateExerciseErrors, UpdateExerciseRequest, UpdateExerciseResponse, UpdateExerciseResponses, UserPublic, ValidationError } from './types.gen';
+export { AdminService, AuthService, ExercisesService, FeedbackService, HealthService, MuscleGroupsService, type Options, UserService, WorkoutsService } from './sdk.gen';
+export type { AccessRequestPublic, AccessRequestStatus, ClientOptions, CreateExerciseData, CreateExerciseError, CreateExerciseErrors, CreateExerciseRequest, CreateExerciseResponse, CreateExerciseResponses, CreateFeedbackData, CreateFeedbackError, CreateFeedbackErrors, CreateFeedbackRequest, CreateFeedbackResponses, CreateWorkoutData, CreateWorkoutError, CreateWorkoutErrors, CreateWorkoutRequest, CreateWorkoutResponse, CreateWorkoutResponses, DeleteExerciseData, DeleteExerciseError, DeleteExerciseErrors, DeleteExerciseResponse, DeleteExerciseResponses, DeleteWorkoutData, DeleteWorkoutError, DeleteWorkoutErrors, DeleteWorkoutResponse, DeleteWorkoutResponses, ErrorResponse, ExerciseBase, ExercisePublic, FeedbackType, ForgotPasswordData, ForgotPasswordError, ForgotPasswordErrors, ForgotPasswordRequest, ForgotPasswordResponse, ForgotPasswordResponses, GetAccessRequestsData, GetAccessRequestsError, GetAccessRequestsErrors, GetAccessRequestsResponse, GetAccessRequestsResponses, GetCurrentUserData, GetCurrentUserError, GetCurrentUserErrors, GetCurrentUserResponse, GetCurrentUserResponses, GetDbHealthData, GetDbHealthResponse, GetDbHealthResponses, GetExerciseData, GetExerciseError, GetExerciseErrors, GetExerciseResponse, GetExerciseResponses, GetExercisesData, GetExercisesError, GetExercisesErrors, GetExercisesResponse, GetExercisesResponses, GetHealthData, GetHealthResponse, GetHealthResponses, GetMuscleGroupsData, GetMuscleGroupsError, GetMuscleGroupsErrors, GetMuscleGroupsResponse, GetMuscleGroupsResponses, GetUsersData, GetUsersError, GetUsersErrors, GetUsersResponse, GetUsersResponses, GetWorkoutData, GetWorkoutError, GetWorkoutErrors, GetWorkoutResponse, GetWorkoutResponses, GetWorkoutsData, GetWorkoutsError, GetWorkoutsErrors, GetWorkoutsResponse, GetWorkoutsResponses, HttpValidationError, LoginData, LoginError, LoginErrors, LoginRequest, LoginResponse, LoginResponses, LogoutData, LogoutResponse, LogoutResponses, MuscleGroupPublic, RefreshTokenData, RefreshTokenError, RefreshTokenErrors, RefreshTokenResponse, RefreshTokenResponses, RegisterData, RegisterError, RegisterErrors, RegisterRequest, RegisterResponse, RegisterResponses, RequestAccessData, RequestAccessError, RequestAccessErrors, RequestAccessRequest, RequestAccessResponse, RequestAccessResponses, ResetPasswordData, ResetPasswordError, ResetPasswordErrors, ResetPasswordRequest, ResetPasswordResponse, ResetPasswordResponses, ReviewerPublic, SetPublic, UpdateAccessRequestStatusData, UpdateAccessRequestStatusError, UpdateAccessRequestStatusErrors, UpdateAccessRequestStatusRequest, UpdateAccessRequestStatusResponse, UpdateAccessRequestStatusResponses, UpdateExerciseData, UpdateExerciseError, UpdateExerciseErrors, UpdateExerciseRequest, UpdateExerciseResponse, UpdateExerciseResponses, UpdateWorkoutData, UpdateWorkoutError, UpdateWorkoutErrors, UpdateWorkoutRequest, UpdateWorkoutResponse, UpdateWorkoutResponses, UserPublic, ValidationError, WorkoutBase, WorkoutExercisePublic, WorkoutPublic } from './types.gen';
diff --git a/client/src/api/generated/schemas.gen.ts b/client/src/api/generated/schemas.gen.ts
index 7222dd04..dbe0ed47 100644
--- a/client/src/api/generated/schemas.gen.ts
+++ b/client/src/api/generated/schemas.gen.ts
@@ -155,6 +155,48 @@ export const CreateFeedbackRequestSchema = {
     title: 'CreateFeedbackRequest'
 } as const;
 
+export const CreateWorkoutRequestSchema = {
+    properties: {
+        started_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Started At'
+        },
+        ended_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Ended At'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        }
+    },
+    type: 'object',
+    title: 'CreateWorkoutRequest'
+} as const;
+
 export const ErrorResponseSchema = {
     properties: {
         detail: {
@@ -174,7 +216,7 @@ export const ErrorResponseSchema = {
     title: 'ErrorResponse'
 } as const;
 
-export const ExercisePublicSchema = {
+export const ExerciseBaseSchema = {
     properties: {
         id: {
             type: 'integer',
@@ -206,13 +248,6 @@ export const ExercisePublicSchema = {
             ],
             title: 'Description'
         },
-        muscle_groups: {
-            items: {
-                $ref: '#/components/schemas/MuscleGroupPublic'
-            },
-            type: 'array',
-            title: 'Muscle Groups'
-        },
         created_at: {
             type: 'string',
             format: 'date-time',
@@ -230,10 +265,72 @@ export const ExercisePublicSchema = {
         'user_id',
         'name',
         'description',
-        'muscle_groups',
         'created_at',
         'updated_at'
     ],
+    title: 'ExerciseBase'
+} as const;
+
+export const ExercisePublicSchema = {
+    properties: {
+        id: {
+            type: 'integer',
+            title: 'Id'
+        },
+        user_id: {
+            anyOf: [
+                {
+                    type: 'integer'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'User Id'
+        },
+        name: {
+            type: 'string',
+            title: 'Name'
+        },
+        description: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Description'
+        },
+        created_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Created At'
+        },
+        updated_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Updated At'
+        },
+        muscle_groups: {
+            items: {
+                $ref: '#/components/schemas/MuscleGroupPublic'
+            },
+            type: 'array',
+            title: 'Muscle Groups'
+        }
+    },
+    type: 'object',
+    required: [
+        'id',
+        'user_id',
+        'name',
+        'description',
+        'created_at',
+        'updated_at',
+        'muscle_groups'
+    ],
     title: 'ExercisePublic'
 } as const;
 
@@ -444,6 +541,90 @@ export const ReviewerPublicSchema = {
     title: 'ReviewerPublic'
 } as const;
 
+export const SetPublicSchema = {
+    properties: {
+        id: {
+            type: 'integer',
+            title: 'Id'
+        },
+        workout_exercise_id: {
+            type: 'integer',
+            title: 'Workout Exercise Id'
+        },
+        set_number: {
+            type: 'integer',
+            title: 'Set Number'
+        },
+        reps: {
+            anyOf: [
+                {
+                    type: 'integer'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Reps'
+        },
+        weight: {
+            anyOf: [
+                {
+                    type: 'number'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Weight'
+        },
+        unit: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Unit'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        },
+        created_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Created At'
+        },
+        updated_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Updated At'
+        }
+    },
+    type: 'object',
+    required: [
+        'id',
+        'workout_exercise_id',
+        'set_number',
+        'reps',
+        'weight',
+        'unit',
+        'notes',
+        'created_at',
+        'updated_at'
+    ],
+    title: 'SetPublic'
+} as const;
+
 export const UpdateAccessRequestStatusRequestSchema = {
     properties: {
         status: {
@@ -507,6 +688,48 @@ export const UpdateExerciseRequestSchema = {
     title: 'UpdateExerciseRequest'
 } as const;
 
+export const UpdateWorkoutRequestSchema = {
+    properties: {
+        started_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Started At'
+        },
+        ended_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Ended At'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        }
+    },
+    type: 'object',
+    title: 'UpdateWorkoutRequest'
+} as const;
+
 export const UserPublicSchema = {
     properties: {
         id: {
@@ -591,3 +814,200 @@ export const ValidationErrorSchema = {
     ],
     title: 'ValidationError'
 } as const;
+
+export const WorkoutBaseSchema = {
+    properties: {
+        id: {
+            type: 'integer',
+            title: 'Id'
+        },
+        user_id: {
+            type: 'integer',
+            title: 'User Id'
+        },
+        started_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Started At'
+        },
+        ended_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Ended At'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        },
+        created_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Created At'
+        },
+        updated_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Updated At'
+        }
+    },
+    type: 'object',
+    required: [
+        'id',
+        'user_id',
+        'started_at',
+        'ended_at',
+        'notes',
+        'created_at',
+        'updated_at'
+    ],
+    title: 'WorkoutBase'
+} as const;
+
+export const WorkoutExercisePublicSchema = {
+    properties: {
+        id: {
+            type: 'integer',
+            title: 'Id'
+        },
+        workout_id: {
+            type: 'integer',
+            title: 'Workout Id'
+        },
+        exercise_id: {
+            type: 'integer',
+            title: 'Exercise Id'
+        },
+        position: {
+            type: 'integer',
+            title: 'Position'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        },
+        created_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Created At'
+        },
+        updated_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Updated At'
+        },
+        exercise: {
+            $ref: '#/components/schemas/ExerciseBase'
+        },
+        sets: {
+            items: {
+                $ref: '#/components/schemas/SetPublic'
+            },
+            type: 'array',
+            title: 'Sets'
+        }
+    },
+    type: 'object',
+    required: [
+        'id',
+        'workout_id',
+        'exercise_id',
+        'position',
+        'notes',
+        'created_at',
+        'updated_at',
+        'exercise',
+        'sets'
+    ],
+    title: 'WorkoutExercisePublic'
+} as const;
+
+export const WorkoutPublicSchema = {
+    properties: {
+        id: {
+            type: 'integer',
+            title: 'Id'
+        },
+        user_id: {
+            type: 'integer',
+            title: 'User Id'
+        },
+        started_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Started At'
+        },
+        ended_at: {
+            anyOf: [
+                {
+                    type: 'string',
+                    format: 'date-time'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Ended At'
+        },
+        notes: {
+            anyOf: [
+                {
+                    type: 'string'
+                },
+                {
+                    type: 'null'
+                }
+            ],
+            title: 'Notes'
+        },
+        created_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Created At'
+        },
+        updated_at: {
+            type: 'string',
+            format: 'date-time',
+            title: 'Updated At'
+        },
+        exercises: {
+            items: {
+                $ref: '#/components/schemas/WorkoutExercisePublic'
+            },
+            type: 'array',
+            title: 'Exercises'
+        }
+    },
+    type: 'object',
+    required: [
+        'id',
+        'user_id',
+        'started_at',
+        'ended_at',
+        'notes',
+        'created_at',
+        'updated_at',
+        'exercises'
+    ],
+    title: 'WorkoutPublic'
+} as const;
diff --git a/client/src/api/generated/sdk.gen.ts b/client/src/api/generated/sdk.gen.ts
index 151c2700..9bcb870c 100644
--- a/client/src/api/generated/sdk.gen.ts
+++ b/client/src/api/generated/sdk.gen.ts
@@ -2,7 +2,7 @@
 
 import { type Client, formDataBodySerializer, type Options as Options2, type TDataShape } from './client';
 import { client } from './client.gen';
-import type { CreateExerciseData, CreateExerciseErrors, CreateExerciseResponses, CreateFeedbackData, CreateFeedbackErrors, CreateFeedbackResponses, DeleteExerciseData, DeleteExerciseErrors, DeleteExerciseResponses, ForgotPasswordData, ForgotPasswordErrors, ForgotPasswordResponses, GetAccessRequestsData, GetAccessRequestsErrors, GetAccessRequestsResponses, GetCurrentUserData, GetCurrentUserErrors, GetCurrentUserResponses, GetDbHealthData, GetDbHealthResponses, GetExerciseData, GetExerciseErrors, GetExerciseResponses, GetExercisesData, GetExercisesErrors, GetExercisesResponses, GetHealthData, GetHealthResponses, GetMuscleGroupsData, GetMuscleGroupsErrors, GetMuscleGroupsResponses, GetUsersData, GetUsersErrors, GetUsersResponses, LoginData, LoginErrors, LoginResponses, LogoutData, LogoutResponses, RefreshTokenData, RefreshTokenErrors, RefreshTokenResponses, RegisterData, RegisterErrors, RegisterResponses, RequestAccessData, RequestAccessErrors, RequestAccessResponses, ResetPasswordData, ResetPasswordErrors, ResetPasswordResponses, UpdateAccessRequestStatusData, UpdateAccessRequestStatusErrors, UpdateAccessRequestStatusResponses, UpdateExerciseData, UpdateExerciseErrors, UpdateExerciseResponses } from './types.gen';
+import type { CreateExerciseData, CreateExerciseErrors, CreateExerciseResponses, CreateFeedbackData, CreateFeedbackErrors, CreateFeedbackResponses, CreateWorkoutData, CreateWorkoutErrors, CreateWorkoutResponses, DeleteExerciseData, DeleteExerciseErrors, DeleteExerciseResponses, DeleteWorkoutData, DeleteWorkoutErrors, DeleteWorkoutResponses, ForgotPasswordData, ForgotPasswordErrors, ForgotPasswordResponses, GetAccessRequestsData, GetAccessRequestsErrors, GetAccessRequestsResponses, GetCurrentUserData, GetCurrentUserErrors, GetCurrentUserResponses, GetDbHealthData, GetDbHealthResponses, GetExerciseData, GetExerciseErrors, GetExerciseResponses, GetExercisesData, GetExercisesErrors, GetExercisesResponses, GetHealthData, GetHealthResponses, GetMuscleGroupsData, GetMuscleGroupsErrors, GetMuscleGroupsResponses, GetUsersData, GetUsersErrors, GetUsersResponses, GetWorkoutData, GetWorkoutErrors, GetWorkoutResponses, GetWorkoutsData, GetWorkoutsErrors, GetWorkoutsResponses, LoginData, LoginErrors, LoginResponses, LogoutData, LogoutResponses, RefreshTokenData, RefreshTokenErrors, RefreshTokenResponses, RegisterData, RegisterErrors, RegisterResponses, RequestAccessData, RequestAccessErrors, RequestAccessResponses, ResetPasswordData, ResetPasswordErrors, ResetPasswordResponses, UpdateAccessRequestStatusData, UpdateAccessRequestStatusErrors, UpdateAccessRequestStatusResponses, UpdateExerciseData, UpdateExerciseErrors, UpdateExerciseResponses, UpdateWorkoutData, UpdateWorkoutErrors, UpdateWorkoutResponses } from './types.gen';
 
 export type Options<TData extends TDataShape = TDataShape, ThrowOnError extends boolean = boolean> = Options2<TData, ThrowOnError> & {
     /**
@@ -188,7 +188,6 @@ export class ExercisesService {
      */
     public static createExercise<ThrowOnError extends boolean = false>(options: Options<CreateExerciseData, ThrowOnError>) {
         return (options.client ?? client).post<CreateExerciseResponses, CreateExerciseErrors, ThrowOnError>({
-            responseType: 'json',
             security: [{
                     in: 'cookie',
                     name: 'access_token',
@@ -336,3 +335,90 @@ export class UserService {
         });
     }
 }
+
+export class WorkoutsService {
+    /**
+     * Get Workouts Endpoint
+     */
+    public static getWorkouts<ThrowOnError extends boolean = false>(options?: Options<GetWorkoutsData, ThrowOnError>) {
+        return (options?.client ?? client).get<GetWorkoutsResponses, GetWorkoutsErrors, ThrowOnError>({
+            responseType: 'json',
+            security: [{
+                    in: 'cookie',
+                    name: 'access_token',
+                    type: 'apiKey'
+                }],
+            url: '/api/workouts',
+            ...options
+        });
+    }
+    
+    /**
+     * Create Workout Endpoint
+     */
+    public static createWorkout<ThrowOnError extends boolean = false>(options: Options<CreateWorkoutData, ThrowOnError>) {
+        return (options.client ?? client).post<CreateWorkoutResponses, CreateWorkoutErrors, ThrowOnError>({
+            security: [{
+                    in: 'cookie',
+                    name: 'access_token',
+                    type: 'apiKey'
+                }],
+            url: '/api/workouts',
+            ...options,
+            headers: {
+                'Content-Type': 'application/json',
+                ...options.headers
+            }
+        });
+    }
+    
+    /**
+     * Delete Workout Endpoint
+     */
+    public static deleteWorkout<ThrowOnError extends boolean = false>(options: Options<DeleteWorkoutData, ThrowOnError>) {
+        return (options.client ?? client).delete<DeleteWorkoutResponses, DeleteWorkoutErrors, ThrowOnError>({
+            security: [{
+                    in: 'cookie',
+                    name: 'access_token',
+                    type: 'apiKey'
+                }],
+            url: '/api/workouts/{workout_id}',
+            ...options
+        });
+    }
+    
+    /**
+     * Get Workout Endpoint
+     */
+    public static getWorkout<ThrowOnError extends boolean = false>(options: Options<GetWorkoutData, ThrowOnError>) {
+        return (options.client ?? client).get<GetWorkoutResponses, GetWorkoutErrors, ThrowOnError>({
+            responseType: 'json',
+            security: [{
+                    in: 'cookie',
+                    name: 'access_token',
+                    type: 'apiKey'
+                }],
+            url: '/api/workouts/{workout_id}',
+            ...options
+        });
+    }
+    
+    /**
+     * Update Workout Endpoint
+     */
+    public static updateWorkout<ThrowOnError extends boolean = false>(options: Options<UpdateWorkoutData, ThrowOnError>) {
+        return (options.client ?? client).patch<UpdateWorkoutResponses, UpdateWorkoutErrors, ThrowOnError>({
+            security: [{
+                    in: 'cookie',
+                    name: 'access_token',
+                    type: 'apiKey'
+                }],
+            url: '/api/workouts/{workout_id}',
+            ...options,
+            headers: {
+                'Content-Type': 'application/json',
+                ...options.headers
+            }
+        });
+    }
+}
diff --git a/client/src/api/generated/types.gen.ts b/client/src/api/generated/types.gen.ts
index 204d6ed7..223105ec 100644
--- a/client/src/api/generated/types.gen.ts
+++ b/client/src/api/generated/types.gen.ts
@@ -86,6 +86,24 @@ export type CreateFeedbackRequest = {
     files?: Array<Blob | File>;
 };
 
+/**
+ * CreateWorkoutRequest
+ */
+export type CreateWorkoutRequest = {
+    /**
+     * Started At
+     */
+    started_at?: string | null;
+    /**
+     * Ended At
+     */
+    ended_at?: string | null;
+    /**
+     * Notes
+     */
+    notes?: string | null;
+};
+
 /**
  * ErrorResponse
  */
@@ -101,9 +119,9 @@ export type ErrorResponse = {
 };
 
 /**
- * ExercisePublic
+ * ExerciseBase
  */
-export type ExercisePublic = {
+export type ExerciseBase = {
     /**
      * Id
      */
@@ -121,9 +139,35 @@ export type ExercisePublic = {
      */
     description: string | null;
     /**
-     * Muscle Groups
+     * Created At
      */
-    muscle_groups: Array<MuscleGroupPublic>;
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+};
+
+/**
+ * ExercisePublic
+ */
+export type ExercisePublic = {
+    /**
+     * Id
+     */
+    id: number;
+    /**
+     * User Id
+     */
+    user_id: number | null;
+    /**
+     * Name
+     */
+    name: string;
+    /**
+     * Description
+     */
+    description: string | null;
     /**
      * Created At
      */
@@ -132,6 +176,10 @@ export type ExercisePublic = {
      * Updated At
      */
     updated_at: string;
+    /**
+     * Muscle Groups
+     */
+    muscle_groups: Array<MuscleGroupPublic>;
 };
 
 /**
@@ -259,6 +307,48 @@ export type ReviewerPublic = {
     username: string;
 };
 
+/**
+ * SetPublic
+ */
+export type SetPublic = {
+    /**
+     * Id
+     */
+    id: number;
+    /**
+     * Workout Exercise Id
+     */
+    workout_exercise_id: number;
+    /**
+     * Set Number
+     */
+    set_number: number;
+    /**
+     * Reps
+     */
+    reps: number | null;
+    /**
+     * Weight
+     */
+    weight: number | null;
+    /**
+     * Unit
+     */
+    unit: string | null;
+    /**
+     * Notes
+     */
+    notes: string | null;
+    /**
+     * Created At
+     */
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+};
+
 /**
  * UpdateAccessRequestStatusRequest
  */
@@ -287,6 +377,24 @@ export type UpdateExerciseRequest = {
     muscle_group_ids?: Array<number> | null;
 };
 
+/**
+ * UpdateWorkoutRequest
+ */
+export type UpdateWorkoutRequest = {
+    /**
+     * Started At
+     */
+    started_at?: string | null;
+    /**
+     * Ended At
+     */
+    ended_at?: string | null;
+    /**
+     * Notes
+     */
+    notes?: string | null;
+};
+
 /**
  * UserPublic
  */
@@ -343,6 +451,117 @@ export type ValidationError = {
     type: string;
 };
 
+/**
+ * WorkoutBase
+ */
+export type WorkoutBase = {
+    /**
+     * Id
+     */
+    id: number;
+    /**
+     * User Id
+     */
+    user_id: number;
+    /**
+     * Started At
+     */
+    started_at: string;
+    /**
+     * Ended At
+     */
+    ended_at: string | null;
+    /**
+     * Notes
+     */
+    notes: string | null;
+    /**
+     * Created At
+     */
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+};
+
+/**
+ * WorkoutExercisePublic
+ */
+export type WorkoutExercisePublic = {
+    /**
+     * Id
+     */
+    id: number;
+    /**
+     * Workout Id
+     */
+    workout_id: number;
+    /**
+     * Exercise Id
+     */
+    exercise_id: number;
+    /**
+     * Position
+     */
+    position: number;
+    /**
+     * Notes
+     */
+    notes: string | null;
+    /**
+     * Created At
+     */
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+    exercise: ExerciseBase;
+    /**
+     * Sets
+     */
+    sets: Array<SetPublic>;
+};
+
+/**
+ * WorkoutPublic
+ */
+export type WorkoutPublic = {
+    /**
+     * Id
+     */
+    id: number;
+    /**
+     * User Id
+     */
+    user_id: number;
+    /**
+     * Started At
+     */
+    started_at: string;
+    /**
+     * Ended At
+     */
+    ended_at: string | null;
+    /**
+     * Notes
+     */
+    notes: string | null;
+    /**
+     * Created At
+     */
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+    /**
+     * Exercises
+     */
+    exercises: Array<WorkoutExercisePublic>;
+};
+
 export type GetAccessRequestsData = {
     body?: never;
     path?: never;
@@ -702,7 +921,7 @@ export type CreateExerciseResponses = {
     /**
      * Successful Response
      */
-    201: ExercisePublic;
+    204: void;
 };
 
 export type CreateExerciseResponse = CreateExerciseResponses[keyof CreateExerciseResponses];
@@ -947,3 +1166,173 @@ export type GetCurrentUserResponses = {
 };
 
 export type GetCurrentUserResponse = GetCurrentUserResponses[keyof GetCurrentUserResponses];
+
+export type GetWorkoutsData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/api/workouts';
+};
+
+export type GetWorkoutsErrors = {
+    /**
+     * Unauthorized
+     */
+    401: ErrorResponse;
+};
+
+export type GetWorkoutsError = GetWorkoutsErrors[keyof GetWorkoutsErrors];
+
+export type GetWorkoutsResponses = {
+    /**
+     * Response Getworkouts
+     *
+     * Successful Response
+     */
+    200: Array<WorkoutBase>;
+};
+
+export type GetWorkoutsResponse = GetWorkoutsResponses[keyof GetWorkoutsResponses];
+
+export type CreateWorkoutData = {
+    body: CreateWorkoutRequest;
+    path?: never;
+    query?: never;
+    url: '/api/workouts';
+};
+
+export type CreateWorkoutErrors = {
+    /**
+     * Unauthorized
+     */
+    401: ErrorResponse;
+    /**
+     * Validation Error
+     */
+    422: HttpValidationError;
+};
+
+export type CreateWorkoutError = CreateWorkoutErrors[keyof CreateWorkoutErrors];
+
+export type CreateWorkoutResponses = {
+    /**
+     * Successful Response
+     */
+    204: void;
+};
+
+export type CreateWorkoutResponse = CreateWorkoutResponses[keyof CreateWorkoutResponses];
+
+export type DeleteWorkoutData = {
+    body?: never;
+    path: {
+        /**
+         * Workout Id
+         */
+        workout_id: number;
+    };
+    query?: never;
+    url: '/api/workouts/{workout_id}';
+};
+
+export type DeleteWorkoutErrors = {
+    /**
+     * Unauthorized
+     */
+    401: ErrorResponse;
+    /**
+     * Not Found
+     */
+    404: ErrorResponse;
+    /**
+     * Validation Error
+     */
+    422: HttpValidationError;
+};
+
+export type DeleteWorkoutError = DeleteWorkoutErrors[keyof DeleteWorkoutErrors];
+
+export type DeleteWorkoutResponses = {
+    /**
+     * Successful Response
+     */
+    204: void;
+};
+
+export type DeleteWorkoutResponse = DeleteWorkoutResponses[keyof DeleteWorkoutResponses];
+
+export type GetWorkoutData = {
+    body?: never;
+    path: {
+        /**
+         * Workout Id
+         */
+        workout_id: number;
+    };
+    query?: never;
+    url: '/api/workouts/{workout_id}';
+};
+
+export type GetWorkoutErrors = {
+    /**
+     * Unauthorized
+     */
+    401: ErrorResponse;
+    /**
+     * Not Found
+     */
+    404: ErrorResponse;
+    /**
+     * Validation Error
+     */
+    422: HttpValidationError;
+};
+
+export type GetWorkoutError = GetWorkoutErrors[keyof GetWorkoutErrors];
+
+export type GetWorkoutResponses = {
+    /**
+     * Successful Response
+     */
+    200: WorkoutPublic;
+};
+
+export type GetWorkoutResponse = GetWorkoutResponses[keyof GetWorkoutResponses];
+
+export type UpdateWorkoutData = {
+    body: UpdateWorkoutRequest;
+    path: {
+        /**
+         * Workout Id
+         */
+        workout_id: number;
+    };
+    query?: never;
+    url: '/api/workouts/{workout_id}';
+};
+
+export type UpdateWorkoutErrors = {
+    /**
+     * Unauthorized
+     */
+    401: ErrorResponse;
+    /**
+     * Not Found
+     */
+    404: ErrorResponse;
+    /**
+     * Validation Error
+     */
+    422: HttpValidationError;
+};
+
+export type UpdateWorkoutError = UpdateWorkoutErrors[keyof UpdateWorkoutErrors];
+
+export type UpdateWorkoutResponses = {
+    /**
+     * Successful Response
+     */
+    204: void;
+};
+
+export type UpdateWorkoutResponse = UpdateWorkoutResponses[keyof UpdateWorkoutResponses];
diff --git a/client/src/api/generated/zod.gen.ts b/client/src/api/generated/zod.gen.ts
index ba17b547..c7851bd9 100644
--- a/client/src/api/generated/zod.gen.ts
+++ b/client/src/api/generated/zod.gen.ts
@@ -20,6 +20,15 @@ export const zCreateExerciseRequest = z.object({
     muscle_group_ids: z.array(z.int()).optional()
 });
 
+/**
+ * CreateWorkoutRequest
+ */
+export const zCreateWorkoutRequest = z.object({
+    started_at: z.iso.datetime().nullish(),
+    ended_at: z.iso.datetime().nullish(),
+    notes: z.string().nullish()
+});
+
 /**
  * ErrorResponse
  */
@@ -28,6 +37,18 @@ export const zErrorResponse = z.object({
     code: z.string()
 });
 
+/**
+ * ExerciseBase
+ */
+export const zExerciseBase = z.object({
+    id: z.int(),
+    user_id: z.int().nullable(),
+    name: z.string(),
+    description: z.string().nullable(),
+    created_at: z.iso.datetime(),
+    updated_at: z.iso.datetime()
+});
+
 /**
  * FeedbackType
  */
@@ -77,9 +98,9 @@ export const zExercisePublic = z.object({
     user_id: z.int().nullable(),
     name: z.string(),
     description: z.string().nullable(),
-    muscle_groups: z.array(zMuscleGroupPublic),
     created_at: z.iso.datetime(),
-    updated_at: z.iso.datetime()
+    updated_at: z.iso.datetime(),
+    muscle_groups: z.array(zMuscleGroupPublic)
 });
 
 /**
@@ -131,6 +152,21 @@ export const zAccessRequestPublic = z.object({
     updated_at: z.iso.datetime()
 });
 
+/**
+ * SetPublic
+ */
+export const zSetPublic = z.object({
+    id: z.int(),
+    workout_exercise_id: z.int(),
+    set_number: z.int(),
+    reps: z.int().nullable(),
+    weight: z.number().nullable(),
+    unit: z.string().nullable(),
+    notes: z.string().nullable(),
+    created_at: z.iso.datetime(),
+    updated_at: z.iso.datetime()
+});
+
 /**
  * UpdateAccessRequestStatusRequest
  */
@@ -147,6 +183,15 @@ export const zUpdateExerciseRequest = z.object({
     muscle_group_ids: z.array(z.int()).nullish()
 });
 
+/**
+ * UpdateWorkoutRequest
+ */
+export const zUpdateWorkoutRequest = z.object({
+    started_at: z.iso.datetime().nullish(),
+    ended_at: z.iso.datetime().nullish(),
+    notes: z.string().nullish()
+});
+
 /**
  * UserPublic
  */
@@ -177,6 +222,48 @@ export const zHttpValidationError = z.object({
     detail: z.array(zValidationError).optional()
 });
 
+/**
+ * WorkoutBase
+ */
+export const zWorkoutBase = z.object({
+    id: z.int(),
+    user_id: z.int(),
+    started_at: z.iso.datetime(),
+    ended_at: z.iso.datetime().nullable(),
+    notes: z.string().nullable(),
+    created_at: z.iso.datetime(),
+    updated_at: z.iso.datetime()
+});
+
+/**
+ * WorkoutExercisePublic
+ */
+export const zWorkoutExercisePublic = z.object({
+    id: z.int(),
+    workout_id: z.int(),
+    exercise_id: z.int(),
+    position: z.int(),
+    notes: z.string().nullable(),
+    created_at: z.iso.datetime(),
+    updated_at: z.iso.datetime(),
+    exercise: zExerciseBase,
+    sets: z.array(zSetPublic)
+});
+
+/**
+ * WorkoutPublic
+ */
+export const zWorkoutPublic = z.object({
+    id: z.int(),
+    user_id: z.int(),
+    started_at: z.iso.datetime(),
+    ended_at: z.iso.datetime().nullable(),
+    notes: z.string().nullable(),
+    created_at: z.iso.datetime(),
+    updated_at: z.iso.datetime(),
+    exercises: z.array(zWorkoutExercisePublic)
+});
+
 export const zGetAccessRequestsData = z.object({
     body: z.never().optional(),
     path: z.never().optional(),
@@ -317,7 +404,7 @@ export const zCreateExerciseData = z.object({
 /**
  * Successful Response
  */
-export const zCreateExerciseResponse = zExercisePublic;
+export const zCreateExerciseResponse = z.void();
 
 export const zDeleteExerciseData = z.object({
     body: z.never().optional(),
@@ -413,3 +500,66 @@ export const zGetCurrentUserData = z.object({
  * Successful Response
  */
 export const zGetCurrentUserResponse = zUserPublic;
+
+export const zGetWorkoutsData = z.object({
+    body: z.never().optional(),
+    path: z.never().optional(),
+    query: z.never().optional()
+});
+
+/**
+ * Response Getworkouts
+ *
+ * Successful Response
+ */
+export const zGetWorkoutsResponse = z.array(zWorkoutBase);
+
+export const zCreateWorkoutData = z.object({
+    body: zCreateWorkoutRequest,
+    path: z.never().optional(),
+    query: z.never().optional()
+});
+
+/**
+ * Successful Response
+ */
+export const zCreateWorkoutResponse = z.void();
+
+export const zDeleteWorkoutData = z.object({
+    body: z.never().optional(),
+    path: z.object({
+        workout_id: z.int()
+    }),
+    query: z.never().optional()
+});
+
+/**
+ * Successful Response
+ */
+export const zDeleteWorkoutResponse = z.void();
+
+export const zGetWorkoutData = z.object({
+    body: z.never().optional(),
+    path: z.object({
+        workout_id: z.int()
+    }),
+    query: z.never().optional()
+});
+
+/**
+ * Successful Response
+ */
+export const zGetWorkoutResponse = zWorkoutPublic;
+
+export const zUpdateWorkoutData = z.object({
+    body: zUpdateWorkoutRequest,
+    path: z.object({
+        workout_id: z.int()
+    }),
+    query: z.never().optional()
+});
+
+/**
+ * Successful Response
+ */
+export const zUpdateWorkoutResponse = z.void();
diff --git a/client/src/components/FeedbackFormDialog.tsx b/client/src/components/FeedbackFormDialog.tsx
index 156a47d2..f0a74fad 100644
--- a/client/src/components/FeedbackFormDialog.tsx
+++ b/client/src/components/FeedbackFormDialog.tsx
@@ -1,5 +1,6 @@
 import { FeedbackService } from '@/api/generated'
 import { zCreateFeedbackRequest } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import {
     Dialog,
     DialogClose,
@@ -11,7 +12,6 @@ import {
     DialogTrigger,
 } from '@/components/ui/dialog'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { Textarea } from '@/components/ui/textarea'
 import { handleApiError } from '@/lib/http'
@@ -135,8 +135,11 @@ export function FeedbackFormDialog() {
                         void handleSubmit(onSubmit)(e)
                     }}
                 >
-                    <div className="space-y-1">
-                        <Label htmlFor="title">Title</Label>
+                    <Field
+                        label="Title"
+                        htmlFor="title"
+                        error={errors.title?.message}
+                    >
                         <Input
                             id="title"
                             placeholder={'Enter a brief title...'}
@@ -144,14 +147,12 @@ export function FeedbackFormDialog() {
                             className={errors.title ? 'border-destructive' : ''}
                             {...register('title')}
                         />
-                        {errors.title && (
-                            <p className="text-sm text-destructive">
-                                {errors.title.message}
-                            </p>
-                        )}
-                    </div>
-                    <div className="space-y-1">
-                        <Label htmlFor="description">Description</Label>
+                    </Field>
+                    <Field
+                        label="Description"
+                        htmlFor="description"
+                        error={errors.description?.message}
+                    >
                         <Textarea
                             id="description"
                             placeholder={
@@ -166,14 +167,8 @@ export function FeedbackFormDialog() {
                             {...register('description')}
                             rows={4}
                         />
-                        {errors.description && (
-                            <p className="text-sm text-destructive">
-                                {errors.description.message}
-                            </p>
-                        )}
-                    </div>
-                    <div className="space-y-1">
-                        <Label htmlFor="files">Attach files (optional)</Label>
+                    </Field>
+                    <Field label="Attach files (optional)" htmlFor="files">
                         <Input
                             id="files"
                             type="file"
@@ -188,7 +183,7 @@ export function FeedbackFormDialog() {
                                 {files.length > 1 ? 's' : ''} selected
                             </p>
                         )}
-                    </div>
+                    </Field>
                 </form>
                 <DialogFooter>
                     <DialogClose asChild>
diff --git a/client/src/components/data-table/DataTableTruncatedCell.tsx b/client/src/components/data-table/DataTableTruncatedCell.tsx
index 636b5881..597bbc28 100644
--- a/client/src/components/data-table/DataTableTruncatedCell.tsx
+++ b/client/src/components/data-table/DataTableTruncatedCell.tsx
@@ -2,7 +2,7 @@ import {
     Tooltip,
     TooltipContent,
     TooltipTrigger,
-} from '@/components/ui/tooltip'
+} from '@/components/ui/overrides/tooltip'
 import { cn } from '@/lib/utils'
 import { useRef, useState } from 'react'
 
diff --git a/client/src/components/exercises/ExerciseFormDialog.tsx b/client/src/components/exercises/ExerciseFormDialog.tsx
index a3b34a99..060ed1f1 100644
--- a/client/src/components/exercises/ExerciseFormDialog.tsx
+++ b/client/src/components/exercises/ExerciseFormDialog.tsx
@@ -7,6 +7,7 @@ import {
     zCreateExerciseRequest,
     zUpdateExerciseRequest,
 } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import { Checkbox } from '@/components/ui/checkbox'
 import {
     Dialog,
@@ -18,13 +19,12 @@ import {
     DialogTitle,
 } from '@/components/ui/dialog'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
 import { capitalizeWords } from '@/lib/text'
 import { zodResolver } from '@hookform/resolvers/zod'
-import { useEffect, type ReactNode } from 'react'
+import { useEffect } from 'react'
 import { useForm } from 'react-hook-form'
 import { z } from 'zod'
 
@@ -43,23 +43,6 @@ const defaultUpdateExerciseFormValues: UpdateExerciseForm = {
     muscle_group_ids: [],
 }
 
-interface FieldProps {
-    label: string
-    htmlFor: string
-    error?: string
-    children: ReactNode
-}
-
-function Field({ label, htmlFor, error, children }: FieldProps) {
-    return (
-        <div className="space-y-1">
-            <Label htmlFor={htmlFor}>{label}</Label>
-            {children}
-            {error && <p className="text-sm text-destructive">{error}</p>}
-        </div>
-    )
-}
-
 interface ExerciseFormDialogProps {
     open: boolean
     mode: 'create' | 'edit'
@@ -244,13 +227,6 @@ export function ExerciseFormDialog({
             if (error) {
                 await handleApiError(error, {
                     httpErrorHandlers: {
-                        exercise_update_not_allowed: async () => {
-                            notify.error(
-                                'You cannot update this exercise. Reloading data'
-                            )
-                            closeDialog()
-                            await onReloadExercises()
-                        },
                         exercise_not_found: async () => {
                             notify.error('Exercise not found. Reloading data')
                             closeDialog()
@@ -344,8 +320,10 @@ export function ExerciseFormDialog({
                                 : registerEdit('description'))}
                         />
                     </Field>
-                    <div className="space-y-1">
-                        <Label>Muscle Groups</Label>
+                    <Field
+                        label="Muscle Groups"
+                        error={errors.muscle_group_ids?.message}
+                    >
                         <div className="max-h-50 space-y-2 overflow-y-auto rounded-md border p-3">
                             {muscleGroups.map((group) => {
                                 const checked = selectedMuscleGroupIds.includes(
@@ -379,7 +357,7 @@ export function ExerciseFormDialog({
                                 )
                             })}
                         </div>
-                    </div>
+                    </Field>
                 </form>
                 <DialogFooter>
                     <DialogClose asChild>
diff --git a/client/src/components/exercises/ExercisesTable.tsx b/client/src/components/exercises/ExercisesTable.tsx
index 9ed765bc..605a3f7a 100644
--- a/client/src/components/exercises/ExercisesTable.tsx
+++ b/client/src/components/exercises/ExercisesTable.tsx
@@ -202,7 +202,7 @@ export function ExercisesTable({
                     )}
                     <DataTableTruncatedCell
                         value={row.original.name}
-                        className="max-w-48"
+                        className="max-w-40 min-w-25"
                     />
                 </div>
             ),
@@ -217,7 +217,7 @@ export function ExercisesTable({
                 row.original.description ? (
                     <DataTableTruncatedCell
                         value={row.original.description}
-                        className="max-w-64"
+                        className="max-w-60 min-w-25"
                     />
                 ) : (
                     '—'
@@ -241,7 +241,7 @@ export function ExercisesTable({
                 return names.length ? (
                     <DataTableTruncatedCell
                         value={names.join(', ')}
-                        className="max-w-48"
+                        className="max-w-100 min-w-25"
                     />
                 ) : (
                     '—'
@@ -267,20 +267,12 @@ export function ExercisesTable({
             accessorKey: 'updated_at',
             meta: { viewLabel: 'Updated At' },
             header: ({ column }) => (
-                <DataTableColumnHeader
-                    column={column}
-                    title="Updated At"
-                    className="justify-center"
-                />
+                <DataTableColumnHeader column={column} title="Updated At" />
             ),
             cell: ({ row }) =>
-                row.original.user_id !== null ? (
-                    <div className="text-center">
-                        {new Date(row.original.updated_at).toLocaleString()}
-                    </div>
-                ) : (
-                    <div className="text-center">—</div>
-                ),
+                row.original.user_id !== null
+                    ? new Date(row.original.updated_at).toLocaleString()
+                    : '—',
             enableHiding: true,
         },
     ]
diff --git a/client/src/components/forms/Field.tsx b/client/src/components/forms/Field.tsx
new file mode 100644
index 00000000..c0bd3abf
--- /dev/null
+++ b/client/src/components/forms/Field.tsx
@@ -0,0 +1,19 @@
+import { Label } from '@/components/ui/label'
+import type { ReactNode } from 'react'
+
+export interface FieldProps {
+    label: string
+    htmlFor?: string
+    error?: string
+    children: ReactNode
+}
+
+export function Field({ label, htmlFor, error, children }: FieldProps) {
+    return (
+        <div className="space-y-1">
+            <Label htmlFor={htmlFor}>{label}</Label>
+            {children}
+            {error && <p className="text-sm text-destructive">{error}</p>}
+        </div>
+    )
+}
diff --git a/client/src/components/ui/overrides/tooltip.tsx b/client/src/components/ui/overrides/tooltip.tsx
new file mode 100644
index 00000000..92b6b102
--- /dev/null
+++ b/client/src/components/ui/overrides/tooltip.tsx
@@ -0,0 +1,24 @@
+import * as React from 'react'
+
+import {
+    Tooltip as UITooltip,
+    TooltipContent as UITooltipContent,
+    TooltipProvider as UITooltipProvider,
+    TooltipTrigger as UITooltipTrigger,
+} from '@/components/ui/tooltip'
+import { cn } from '@/lib/utils'
+
+type UITooltipContentProps = React.ComponentProps<typeof UITooltipContent>
+
+type TooltipContentProps = UITooltipContentProps
+
+function TooltipContent({ className, ...props }: TooltipContentProps) {
+    return <UITooltipContent className={cn('max-w-xs', className)} {...props} />
+}
+
+const Tooltip = UITooltip
+const TooltipProvider = UITooltipProvider
+const TooltipTrigger = UITooltipTrigger
+
+export { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger }
+export type { TooltipContentProps }
diff --git a/client/src/main.tsx b/client/src/main.tsx
index ec0c6468..a6f8264d 100644
--- a/client/src/main.tsx
+++ b/client/src/main.tsx
@@ -2,7 +2,7 @@ import { configureApiClient } from '@/api/axios'
 import { App } from '@/App'
 import { AppRoutes } from '@/AppRoutes'
 import { SessionProvider } from '@/auth/SessionProvider'
-import { TooltipProvider } from '@/components/ui/tooltip'
+import { TooltipProvider } from '@/components/ui/overrides/tooltip'
 import { env } from '@/config/env'
 import '@/index.css'
 import { ThemeProvider } from 'next-themes'
diff --git a/client/src/pages/ForgotPassword.tsx b/client/src/pages/ForgotPassword.tsx
index 80d20884..4bea07d9 100644
--- a/client/src/pages/ForgotPassword.tsx
+++ b/client/src/pages/ForgotPassword.tsx
@@ -1,5 +1,6 @@
 import { AuthService } from '@/api/generated'
 import { zForgotPasswordRequest } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import {
     Card,
     CardContent,
@@ -8,7 +9,6 @@ import {
     CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
@@ -61,8 +61,11 @@ export function ForgotPassword() {
                             void handleSubmit(onSubmit)(e)
                         }}
                     >
-                        <div className="space-y-1">
-                            <Label htmlFor="email">Email</Label>
+                        <Field
+                            label="Email"
+                            htmlFor="email"
+                            error={errors.email?.message}
+                        >
                             <Input
                                 id="email"
                                 type="email"
@@ -73,12 +76,7 @@ export function ForgotPassword() {
                                 }
                                 {...register('email')}
                             />
-                            {errors.email && (
-                                <p className="text-sm text-destructive">
-                                    {errors.email.message}
-                                </p>
-                            )}
-                        </div>
+                        </Field>
                     </form>
                 </CardContent>
                 <CardFooter className="flex flex-col gap-3">
diff --git a/client/src/pages/Login.tsx b/client/src/pages/Login.tsx
index 3f590c53..1778289c 100644
--- a/client/src/pages/Login.tsx
+++ b/client/src/pages/Login.tsx
@@ -1,6 +1,7 @@
 import { AuthService } from '@/api/generated'
 import { zLoginRequest } from '@/api/generated/zod.gen'
 import { useSession } from '@/auth/session'
+import { Field } from '@/components/forms/Field'
 import {
     Card,
     CardContent,
@@ -9,7 +10,6 @@ import {
     CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
@@ -92,10 +92,11 @@ export function Login() {
                             void handleSubmit(onSubmit)(e)
                         }}
                     >
-                        <div className="space-y-1">
-                            <Label htmlFor="identifier">
-                                Username or Email
-                            </Label>
+                        <Field
+                            label="Username or Email"
+                            htmlFor="identifier"
+                            error={errors.identifier?.message}
+                        >
                             <Input
                                 id="identifier"
                                 autoComplete="username"
@@ -107,14 +108,12 @@ export function Login() {
                                 }
                                 {...register('identifier')}
                             />
-                            {errors.identifier && (
-                                <p className="text-sm text-destructive">
-                                    {errors.identifier.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="password">Password</Label>
+                        </Field>
+                        <Field
+                            label="Password"
+                            htmlFor="password"
+                            error={errors.password?.message}
+                        >
                             <Input
                                 id="password"
                                 type="password"
@@ -125,12 +124,7 @@ export function Login() {
                                 }
                                 {...register('password')}
                             />
-                            {errors.password && (
-                                <p className="text-sm text-destructive">
-                                    {errors.password.message}
-                                </p>
-                            )}
-                        </div>
+                        </Field>
                     </form>
                 </CardContent>
                 <CardFooter className="flex flex-col gap-3">
diff --git a/client/src/pages/Register.tsx b/client/src/pages/Register.tsx
index 8f2cab74..fd447b37 100644
--- a/client/src/pages/Register.tsx
+++ b/client/src/pages/Register.tsx
@@ -1,5 +1,6 @@
 import { AuthService } from '@/api/generated'
 import { zRegisterRequest } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import {
     Card,
     CardContent,
@@ -8,7 +9,6 @@ import {
     CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
@@ -91,8 +91,11 @@ export function Register() {
                             void handleSubmit(onSubmit)(e)
                         }}
                     >
-                        <div className="space-y-1">
-                            <Label htmlFor="token">Token</Label>
+                        <Field
+                            label="Token"
+                            htmlFor="token"
+                            error={errors.token?.message}
+                        >
                             <Input
                                 id="token"
                                 disabled={tokenSet}
@@ -102,14 +105,12 @@ export function Register() {
                                 }
                                 {...register('token')}
                             />
-                            {errors.token && (
-                                <p className="text-sm text-destructive">
-                                    {errors.token.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="username">Username</Label>
+                        </Field>
+                        <Field
+                            label="Username"
+                            htmlFor="username"
+                            error={errors.username?.message}
+                        >
                             <Input
                                 id="username"
                                 autoComplete="username"
@@ -119,14 +120,12 @@ export function Register() {
                                 }
                                 {...register('username')}
                             />
-                            {errors.username && (
-                                <p className="text-sm text-destructive">
-                                    {errors.username.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="password">Password</Label>
+                        </Field>
+                        <Field
+                            label="Password"
+                            htmlFor="password"
+                            error={errors.password?.message}
+                        >
                             <Input
                                 id="password"
                                 type="password"
@@ -137,16 +136,12 @@ export function Register() {
                                 }
                                 {...register('password')}
                             />
-                            {errors.password && (
-                                <p className="text-sm text-destructive">
-                                    {errors.password.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="confirmPassword">
-                                Confirm Password
-                            </Label>
+                        </Field>
+                        <Field
+                            label="Confirm Password"
+                            htmlFor="confirmPassword"
+                            error={errors.confirmPassword?.message}
+                        >
                             <Input
                                 id="confirmPassword"
                                 type="password"
@@ -159,12 +154,7 @@ export function Register() {
                                 }
                                 {...register('confirmPassword')}
                             />
-                            {errors.confirmPassword && (
-                                <p className="text-sm text-destructive">
-                                    {errors.confirmPassword.message}
-                                </p>
-                            )}
-                        </div>
+                        </Field>
                     </form>
                 </CardContent>
                 <CardFooter className="flex flex-col gap-3">
diff --git a/client/src/pages/RequestAccess.tsx b/client/src/pages/RequestAccess.tsx
index 7c01b312..b9fb67b1 100644
--- a/client/src/pages/RequestAccess.tsx
+++ b/client/src/pages/RequestAccess.tsx
@@ -1,5 +1,6 @@
 import { AuthService } from '@/api/generated'
 import { zRequestAccessRequest } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import {
     Card,
     CardContent,
@@ -8,7 +9,6 @@ import {
     CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
@@ -75,8 +75,11 @@ export function RequestAccess() {
                             void handleSubmit(onSubmit)(e)
                         }}
                     >
-                        <div className="space-y-1">
-                            <Label htmlFor="first_name">First name</Label>
+                        <Field
+                            label="First name"
+                            htmlFor="first_name"
+                            error={errors.first_name?.message}
+                        >
                             <Input
                                 id="first_name"
                                 autoComplete="given-name"
@@ -88,14 +91,12 @@ export function RequestAccess() {
                                 }
                                 {...register('first_name')}
                             />
-                            {errors.first_name && (
-                                <p className="text-sm text-destructive">
-                                    {errors.first_name.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="last_name">Last name</Label>
+                        </Field>
+                        <Field
+                            label="Last name"
+                            htmlFor="last_name"
+                            error={errors.last_name?.message}
+                        >
                             <Input
                                 id="last_name"
                                 autoComplete="family-name"
@@ -105,14 +106,12 @@ export function RequestAccess() {
                                 }
                                 {...register('last_name')}
                             />
-                            {errors.last_name && (
-                                <p className="text-sm text-destructive">
-                                    {errors.last_name.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="email">Email</Label>
+                        </Field>
+                        <Field
+                            label="Email"
+                            htmlFor="email"
+                            error={errors.email?.message}
+                        >
                             <Input
                                 id="email"
                                 type="email"
@@ -123,12 +122,7 @@ export function RequestAccess() {
                                 }
                                 {...register('email')}
                             />
-                            {errors.email && (
-                                <p className="text-sm text-destructive">
-                                    {errors.email.message}
-                                </p>
-                            )}
-                        </div>
+                        </Field>
                     </form>
                 </CardContent>
                 <CardFooter className="flex flex-col gap-3">
diff --git a/client/src/pages/ResetPassword.tsx b/client/src/pages/ResetPassword.tsx
index 995a5801..a58f088a 100644
--- a/client/src/pages/ResetPassword.tsx
+++ b/client/src/pages/ResetPassword.tsx
@@ -1,5 +1,6 @@
 import { AuthService } from '@/api/generated'
 import { zResetPasswordRequest } from '@/api/generated/zod.gen'
+import { Field } from '@/components/forms/Field'
 import {
     Card,
     CardContent,
@@ -8,7 +9,6 @@ import {
     CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
-import { Label } from '@/components/ui/label'
 import { Button } from '@/components/ui/overrides/button'
 import { handleApiError } from '@/lib/http'
 import { notify } from '@/lib/notify'
@@ -86,8 +86,11 @@ export function ResetPassword() {
                             void handleSubmit(onSubmit)(e)
                         }}
                     >
-                        <div className="space-y-1">
-                            <Label htmlFor="token">Token</Label>
+                        <Field
+                            label="Token"
+                            htmlFor="token"
+                            error={errors.token?.message}
+                        >
                             <Input
                                 id="token"
                                 autoComplete="off"
@@ -98,14 +101,12 @@ export function ResetPassword() {
                                 }
                                 {...register('token')}
                             />
-                            {errors.token && (
-                                <p className="text-sm text-destructive">
-                                    {errors.token.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="password">New Password</Label>
+                        </Field>
+                        <Field
+                            label="New Password"
+                            htmlFor="password"
+                            error={errors.password?.message}
+                        >
                             <Input
                                 id="password"
                                 type="password"
@@ -116,16 +117,12 @@ export function ResetPassword() {
                                 }
                                 {...register('password')}
                             />
-                            {errors.password && (
-                                <p className="text-sm text-destructive">
-                                    {errors.password.message}
-                                </p>
-                            )}
-                        </div>
-                        <div className="space-y-1">
-                            <Label htmlFor="confirmPassword">
-                                Confirm Password
-                            </Label>
+                        </Field>
+                        <Field
+                            label="Confirm Password"
+                            htmlFor="confirmPassword"
+                            error={errors.confirmPassword?.message}
+                        >
                             <Input
                                 id="confirmPassword"
                                 type="password"
@@ -138,12 +135,7 @@ export function ResetPassword() {
                                 }
                                 {...register('confirmPassword')}
                             />
-                            {errors.confirmPassword && (
-                                <p className="text-sm text-destructive">
-                                    {errors.confirmPassword.message}
-                                </p>
-                            )}
-                        </div>
+                        </Field>
                     </form>
                 </CardContent>
                 <CardFooter className="flex flex-col gap-3">
diff --git a/db_erd.png b/db_erd.png
new file mode 100644
index 00000000..689c1aab
Binary files /dev/null and b/db_erd.png differ
diff --git a/server/app/api/endpoints/exercise.py b/server/app/api/endpoints/exercise.py
index eac77cff..c8a54cf0 100644
--- a/server/app/api/endpoints/exercise.py
+++ b/server/app/api/endpoints/exercise.py
@@ -29,7 +29,7 @@
 @api_router.post(
     "",
     operation_id="createExercise",
-    status_code=status.HTTP_201_CREATED,
+    status_code=status.HTTP_204_NO_CONTENT,
     responses={
         status.HTTP_401_UNAUTHORIZED: ErrorResponseModel,
         status.HTTP_404_NOT_FOUND: ErrorResponseModel,
@@ -40,8 +40,8 @@ async def create_exercise_endpoint(
     req: CreateExerciseRequest,
     user: Annotated[UserPublic, Depends(get_current_user)],
     db: Annotated[AsyncSession, Depends(get_db)],
-) -> ExercisePublic:
-    return await create_exercise(user.id, req, db)
+):
+    await create_exercise(user.id, req, db)
 
 
 @api_router.get(
diff --git a/server/app/api/endpoints/workout.py b/server/app/api/endpoints/workout.py
new file mode 100644
index 00000000..1ae3eee1
--- /dev/null
+++ b/server/app/api/endpoints/workout.py
@@ -0,0 +1,106 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, status
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.dependencies import get_current_user, get_db
+from app.models.schemas.errors import ErrorResponseModel
+from app.models.schemas.user import UserPublic
+from app.models.schemas.workout import (
+    CreateWorkoutRequest,
+    UpdateWorkoutRequest,
+    WorkoutBase,
+    WorkoutPublic,
+)
+from app.services.workout import (
+    create_workout,
+    delete_workout,
+    get_workout,
+    get_workouts,
+    update_workout,
+)
+
+api_router = APIRouter(
+    prefix="/workouts",
+    tags=["Workouts"],
+    dependencies=[Depends(get_current_user)],
+)
+
+
+@api_router.post(
+    "",
+    operation_id="createWorkout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    responses={
+        status.HTTP_401_UNAUTHORIZED: ErrorResponseModel,
+    },
+)
+async def create_workout_endpoint(
+    req: CreateWorkoutRequest,
+    user: Annotated[UserPublic, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    await create_workout(user.id, req, db)
+
+
+@api_router.get(
+    "",
+    operation_id="getWorkouts",
+    responses={status.HTTP_401_UNAUTHORIZED: ErrorResponseModel},
+)
+async def get_workouts_endpoint(
+    user: Annotated[UserPublic, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+) -> list[WorkoutBase]:
+    return await get_workouts(user.id, db)
+
+
+@api_router.get(
+    "/{workout_id}",
+    operation_id="getWorkout",
+    responses={
+        status.HTTP_401_UNAUTHORIZED: ErrorResponseModel,
+        status.HTTP_404_NOT_FOUND: ErrorResponseModel,
+    },
+)
+async def get_workout_endpoint(
+    workout_id: int,
+    user: Annotated[UserPublic, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+) -> WorkoutPublic:
+    return await get_workout(workout_id, user.id, db)
+
+
+@api_router.patch(
+    "/{workout_id}",
+    operation_id="updateWorkout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    responses={
+        status.HTTP_401_UNAUTHORIZED: ErrorResponseModel,
+        status.HTTP_404_NOT_FOUND: ErrorResponseModel,
+    },
+)
+async def update_workout_endpoint(
+    workout_id: int,
+    req: UpdateWorkoutRequest,
+    user: Annotated[UserPublic, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    await update_workout(workout_id, user.id, req, db)
+
+
+@api_router.delete(
+    "/{workout_id}",
+    operation_id="deleteWorkout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    responses={
+        status.HTTP_401_UNAUTHORIZED: ErrorResponseModel,
+        status.HTTP_404_NOT_FOUND: ErrorResponseModel,
+    },
+)
+async def delete_workout_endpoint(
+    workout_id: int,
+    user: Annotated[UserPublic, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    await delete_workout(workout_id, user.id, db)
diff --git a/server/app/api/router.py b/server/app/api/router.py
index a1899184..330d3f04 100644
--- a/server/app/api/router.py
+++ b/server/app/api/router.py
@@ -7,6 +7,7 @@
 from .endpoints.health import api_router as health_router
 from .endpoints.muscle_group import api_router as muscle_group_router
 from .endpoints.user import api_router as user_router
+from .endpoints.workout import api_router as workout_router
 
 api_router = APIRouter()
 api_router.include_router(admin_router)
@@ -16,3 +17,4 @@
 api_router.include_router(health_router)
 api_router.include_router(muscle_group_router)
 api_router.include_router(user_router)
+api_router.include_router(workout_router)
diff --git a/server/app/core/dependencies.py b/server/app/core/dependencies.py
index 05493469..dbfd018d 100644
--- a/server/app/core/dependencies.py
+++ b/server/app/core/dependencies.py
@@ -11,7 +11,7 @@
 from app.core.security import ACCESS_JWT_KEY, REFRESH_JWT_KEY, verify_jwt
 from app.models.errors import InsufficientPermissions, InvalidCredentials
 from app.models.schemas.user import UserPublic
-from app.services.user import get_user_by_username
+from app.services.user import get_user_by_username, to_user_public
 
 logger = logging.getLogger(__name__)
 
@@ -56,7 +56,7 @@ async def get_current_user(
     if not user:
         raise InvalidCredentials()
 
-    return UserPublic.model_validate(user, from_attributes=True)
+    return to_user_public(user)
 
 
 async def get_current_admin(
diff --git a/server/app/migrations/versions/2025_12_15_1709-1e1a6b37847d_update_models_for_auth.py b/server/app/migrations/versions/2025_12_15_1709-1e1a6b37847d_update_models_for_auth.py
index 57e52830..0ed16728 100644
--- a/server/app/migrations/versions/2025_12_15_1709-1e1a6b37847d_update_models_for_auth.py
+++ b/server/app/migrations/versions/2025_12_15_1709-1e1a6b37847d_update_models_for_auth.py
@@ -18,7 +18,6 @@
 
 
 def upgrade() -> None:
-    """Upgrade schema."""
     op.create_table(
         "access_requests",
         sa.Column("id", sa.Integer(), autoincrement=True, nullable=False),
diff --git a/server/app/models/database/exercise.py b/server/app/models/database/exercise.py
index 000715c5..853f4965 100644
--- a/server/app/models/database/exercise.py
+++ b/server/app/models/database/exercise.py
@@ -13,7 +13,10 @@
 class Exercise(Base):
     __tablename__ = "exercises"
     __table_args__ = (
-        Index("ix_exercises_user_id", "user_id"),
+        Index(
+            "ix_exercises_user_id",
+            "user_id",
+        ),
         UniqueConstraint(
             "user_id",
             "name",
diff --git a/server/app/models/database/set.py b/server/app/models/database/set.py
index 596406fb..5c264efc 100644
--- a/server/app/models/database/set.py
+++ b/server/app/models/database/set.py
@@ -1,4 +1,5 @@
 from datetime import datetime
+from typing import TYPE_CHECKING
 
 from sqlalchemy import (
     TEXT,
@@ -12,10 +13,13 @@
     UniqueConstraint,
     func,
 )
-from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from app.core.database import Base
 
+if TYPE_CHECKING:
+    from app.models.database.workout_exercise import WorkoutExercise
+
 
 class Set(Base):
     __tablename__ = "sets"
@@ -69,3 +73,8 @@ class Set(Base):
         onupdate=func.now(),
         nullable=False,
     )
+
+    workout_exercise: Mapped[WorkoutExercise] = relationship(
+        "WorkoutExercise",
+        back_populates="sets",
+    )
diff --git a/server/app/models/database/workout.py b/server/app/models/database/workout.py
index 49183514..6492ca07 100644
--- a/server/app/models/database/workout.py
+++ b/server/app/models/database/workout.py
@@ -1,16 +1,26 @@
 from datetime import datetime
+from typing import TYPE_CHECKING
 
 from sqlalchemy import TEXT, DateTime, ForeignKey, Index, func
-from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from app.core.database import Base
 
+if TYPE_CHECKING:
+    from app.models.database.workout_exercise import WorkoutExercise
+
 
 class Workout(Base):
     __tablename__ = "workouts"
     __table_args__ = (
-        Index("ix_workouts_user_id", "user_id"),
-        Index("ix_workouts_started_at", "started_at"),
+        Index(
+            "ix_workouts_user_id",
+            "user_id",
+        ),
+        Index(
+            "ix_workouts_started_at",
+            "started_at",
+        ),
     )
 
     id: Mapped[int] = mapped_column(
@@ -42,3 +52,11 @@ class Workout(Base):
         onupdate=func.now(),
         nullable=False,
     )
+
+    exercises: Mapped[list[WorkoutExercise]] = relationship(
+        "WorkoutExercise",
+        back_populates="workout",
+        cascade="all, delete-orphan",
+        passive_deletes=True,
+        order_by="WorkoutExercise.position",
+    )
diff --git a/server/app/models/database/workout_exercise.py b/server/app/models/database/workout_exercise.py
index c80dec5e..08a3e8f3 100644
--- a/server/app/models/database/workout_exercise.py
+++ b/server/app/models/database/workout_exercise.py
@@ -1,4 +1,5 @@
 from datetime import datetime
+from typing import TYPE_CHECKING
 
 from sqlalchemy import (
     TEXT,
@@ -10,20 +11,36 @@
     UniqueConstraint,
     func,
 )
-from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from app.core.database import Base
 
+if TYPE_CHECKING:
+    from app.models.database.exercise import Exercise
+    from app.models.database.set import Set
+    from app.models.database.workout import Workout
+
 
 class WorkoutExercise(Base):
     __tablename__ = "workout_exercises"
     __table_args__ = (
-        Index("ix_workout_exercises_workout_id", "workout_id"),
-        Index("ix_workout_exercises_exercise_id", "exercise_id"),
+        Index(
+            "ix_workout_exercises_workout_id",
+            "workout_id",
+        ),
+        Index(
+            "ix_workout_exercises_exercise_id",
+            "exercise_id",
+        ),
         UniqueConstraint(
-            "workout_id", "position", name="uq_workout_exercises_workout_position"
+            "workout_id",
+            "position",
+            name="uq_workout_exercises_workout_position",
+        ),
+        CheckConstraint(
+            "position > 0",
+            name="ck_workout_exercises_position_positive",
         ),
-        CheckConstraint("position > 0", name="ck_workout_exercises_position_positive"),
     )
 
     id: Mapped[int] = mapped_column(
@@ -56,3 +73,18 @@ class WorkoutExercise(Base):
         onupdate=func.now(),
         nullable=False,
     )
+
+    workout: Mapped[Workout] = relationship(
+        "Workout",
+        back_populates="exercises",
+    )
+    exercise: Mapped[Exercise] = relationship(
+        "Exercise",
+    )
+    sets: Mapped[list[Set]] = relationship(
+        "Set",
+        back_populates="workout_exercise",
+        cascade="all, delete-orphan",
+        passive_deletes=True,
+        order_by="Set.set_number",
+    )
diff --git a/server/app/models/errors.py b/server/app/models/errors.py
index f80d97c7..af70108e 100644
--- a/server/app/models/errors.py
+++ b/server/app/models/errors.py
@@ -55,12 +55,6 @@ class AccessRequestRejected(HTTPError):
     detail = "Existing access request rejected"
 
 
-class ExerciseUpdateNotAllowed(HTTPError):
-    status_code = status.HTTP_403_FORBIDDEN
-    code = "exercise_update_not_allowed"
-    detail = "You do not have permission to update this exercise"
-
-
 class AccessRequestNotFound(HTTPError):
     status_code = status.HTTP_404_NOT_FOUND
     code = "access_request_not_found"
@@ -101,3 +95,9 @@ class ExerciseNameConflict(HTTPError):
     status_code = status.HTTP_409_CONFLICT
     code = "exercise_name_conflict"
     detail = "Exercise with this name already exists"
+
+
+class WorkoutNotFound(HTTPError):
+    status_code = status.HTTP_404_NOT_FOUND
+    code = "workout_not_found"
+    detail = "Workout not found"
diff --git a/server/app/models/schemas/exercise.py b/server/app/models/schemas/exercise.py
index a89ecef4..6226b91d 100644
--- a/server/app/models/schemas/exercise.py
+++ b/server/app/models/schemas/exercise.py
@@ -6,16 +6,19 @@
 from .types import ExerciseName
 
 
-class ExercisePublic(BaseModel):
+class ExerciseBase(BaseModel):
     id: int
     user_id: int | None
     name: str
     description: str | None
-    muscle_groups: list[MuscleGroupPublic]
     created_at: datetime
     updated_at: datetime
 
 
+class ExercisePublic(ExerciseBase):
+    muscle_groups: list[MuscleGroupPublic]
+
+
 class CreateExerciseRequest(BaseModel):
     name: ExerciseName
     description: str | None = None
diff --git a/server/app/models/schemas/set.py b/server/app/models/schemas/set.py
new file mode 100644
index 00000000..44845ecd
--- /dev/null
+++ b/server/app/models/schemas/set.py
@@ -0,0 +1,15 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+
+
+class SetPublic(BaseModel):
+    id: int
+    workout_exercise_id: int
+    set_number: int
+    reps: int | None
+    weight: float | None
+    unit: str | None
+    notes: str | None
+    created_at: datetime
+    updated_at: datetime
diff --git a/server/app/models/schemas/workout.py b/server/app/models/schemas/workout.py
new file mode 100644
index 00000000..ce054bd8
--- /dev/null
+++ b/server/app/models/schemas/workout.py
@@ -0,0 +1,31 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+
+from .workout_exercise import WorkoutExercisePublic
+
+
+class WorkoutBase(BaseModel):
+    id: int
+    user_id: int
+    started_at: datetime
+    ended_at: datetime | None
+    notes: str | None
+    created_at: datetime
+    updated_at: datetime
+
+
+class WorkoutPublic(WorkoutBase):
+    exercises: list[WorkoutExercisePublic]
+
+
+class CreateWorkoutRequest(BaseModel):
+    started_at: datetime | None = None
+    ended_at: datetime | None = None
+    notes: str | None = None
+
+
+class UpdateWorkoutRequest(BaseModel):
+    started_at: datetime | None = None
+    ended_at: datetime | None = None
+    notes: str | None = None
diff --git a/server/app/models/schemas/workout_exercise.py b/server/app/models/schemas/workout_exercise.py
new file mode 100644
index 00000000..675b1895
--- /dev/null
+++ b/server/app/models/schemas/workout_exercise.py
@@ -0,0 +1,19 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+
+from app.models.schemas.exercise import ExerciseBase
+from app.models.schemas.set import SetPublic
+
+
+class WorkoutExercisePublic(BaseModel):
+    id: int
+    workout_id: int
+    exercise_id: int
+    position: int
+    notes: str | None
+    created_at: datetime
+    updated_at: datetime
+
+    exercise: ExerciseBase
+    sets: list[SetPublic]
diff --git a/server/app/services/access_request.py b/server/app/services/access_request.py
index 4b16e848..4eeaae7f 100644
--- a/server/app/services/access_request.py
+++ b/server/app/services/access_request.py
@@ -6,6 +6,7 @@
 
 from app.models.database.access_request import AccessRequest
 from app.models.enums import AccessRequestStatus
+from app.models.schemas.access_request import AccessRequestPublic
 
 STATUS_PRIORITY = case(
     (AccessRequest.status == AccessRequestStatus.PENDING, 1),
@@ -14,6 +15,10 @@
 )
 
 
+def to_access_request_public(access_request: AccessRequest) -> AccessRequestPublic:
+    return AccessRequestPublic.model_validate(access_request, from_attributes=True)
+
+
 async def get_latest_access_request_by_email(
     email: str, db: AsyncSession
 ) -> AccessRequest | None:
diff --git a/server/app/services/admin.py b/server/app/services/admin.py
index ecd57dc2..4beebdf3 100644
--- a/server/app/services/admin.py
+++ b/server/app/services/admin.py
@@ -14,9 +14,10 @@
 from app.services.access_request import (
     get_access_request_by_id,
     get_access_requests_with_reviewer,
+    to_access_request_public,
 )
 from app.services.email import EmailService
-from app.services.user import get_users_ordered_by_username
+from app.services.user import get_users_ordered_by_username, to_user_public
 
 logger = logging.getLogger(__name__)
 
@@ -25,9 +26,7 @@ async def get_access_requests(db: AsyncSession) -> list[AccessRequestPublic]:
     logger.info("Getting access requests")
 
     requests = await get_access_requests_with_reviewer(db)
-    return [
-        AccessRequestPublic.model_validate(r, from_attributes=True) for r in requests
-    ]
+    return [to_access_request_public(r) for r in requests]
 
 
 async def update_access_request_status(
@@ -79,4 +78,4 @@ async def get_users(db: AsyncSession) -> list[UserPublic]:
     logger.info("Getting users")
 
     users = await get_users_ordered_by_username(db)
-    return [UserPublic.model_validate(user, from_attributes=True) for user in users]
+    return [to_user_public(user) for user in users]
diff --git a/server/app/services/exercise.py b/server/app/services/exercise.py
index a1a2069c..67976215 100644
--- a/server/app/services/exercise.py
+++ b/server/app/services/exercise.py
@@ -12,16 +12,15 @@
 from app.models.errors import (
     ExerciseNameConflict,
     ExerciseNotFound,
-    ExerciseUpdateNotAllowed,
     MuscleGroupNotFound,
 )
 from app.models.schemas.exercise import (
     CreateExerciseRequest,
+    ExerciseBase,
     ExercisePublic,
-    MuscleGroupPublic,
     UpdateExerciseRequest,
 )
-from app.services.muscle_group import get_muscle_groups_by_ids
+from app.services.muscle_group import get_muscle_groups_by_ids, to_muscle_group_public
 
 logger = logging.getLogger(__name__)
 
@@ -43,7 +42,27 @@ async def _get_exercises_with_muscle_groups(
     return result.scalars().all()
 
 
-def _to_exercise_public(exercise: Exercise) -> ExercisePublic:
+async def _get_owned_exercise(
+    exercise_id: int,
+    user_id: int,
+    db: AsyncSession,
+) -> Exercise:
+    result = await db.execute(
+        select(Exercise).where(
+            Exercise.id == exercise_id,
+        )
+    )
+    exercise = result.scalar_one_or_none()
+    if not exercise or user_id != exercise.user_id:
+        raise ExerciseNotFound()
+    return exercise
+
+
+def to_exercise_base(exercise: Exercise) -> ExerciseBase:
+    return ExerciseBase.model_validate(exercise, from_attributes=True)
+
+
+def to_exercise_public(exercise: Exercise) -> ExercisePublic:
     sorted_muscle_groups = sorted(
         exercise.muscle_groups,
         key=lambda emg: emg.muscle_group.name,
@@ -53,12 +72,11 @@ def _to_exercise_public(exercise: Exercise) -> ExercisePublic:
         user_id=exercise.user_id,
         name=exercise.name,
         description=exercise.description,
-        muscle_groups=[
-            MuscleGroupPublic.model_validate(emg.muscle_group, from_attributes=True)
-            for emg in sorted_muscle_groups
-        ],
         created_at=exercise.created_at,
         updated_at=exercise.updated_at,
+        muscle_groups=[
+            to_muscle_group_public(emg.muscle_group) for emg in sorted_muscle_groups
+        ],
     )
 
 
@@ -66,7 +84,7 @@ async def create_exercise(
     user_id: int,
     req: CreateExerciseRequest,
     db: AsyncSession,
-) -> ExercisePublic:
+) -> None:
     logger.info(f"Creating exercise '{req.name}' for user {user_id}")
 
     muscle_groups = await get_muscle_groups_by_ids(req.muscle_group_ids, db)
@@ -96,12 +114,6 @@ async def create_exercise(
 
     await db.commit()
 
-    exercises = await _get_exercises_with_muscle_groups(
-        db,
-        Exercise.id == exercise.id,
-    )
-    return _to_exercise_public(exercises[0])
-
 
 async def get_exercises(
     user_id: int,
@@ -113,7 +125,7 @@ async def get_exercises(
         db,
         (Exercise.user_id.is_(None)) | (Exercise.user_id == user_id),
     )
-    return [_to_exercise_public(e) for e in exercises]
+    return [to_exercise_public(e) for e in exercises]
 
 
 async def get_exercise(
@@ -130,7 +142,7 @@ async def get_exercise(
     )
     if not exercises:
         raise ExerciseNotFound()
-    return _to_exercise_public(exercises[0])
+    return to_exercise_public(exercises[0])
 
 
 async def update_exercise(
@@ -141,25 +153,21 @@ async def update_exercise(
 ) -> None:
     logger.info(f"Updating exercise {exercise_id} for user {user_id}")
 
-    result = await db.execute(
-        select(Exercise).where(Exercise.id == exercise_id),
-    )
-    exercise = result.scalar_one_or_none()
-
-    if not exercise:
-        raise ExerciseNotFound()
-    if exercise.user_id != user_id:
-        raise ExerciseUpdateNotAllowed()
+    exercise = await _get_owned_exercise(exercise_id, user_id, db)
 
-    if req.name is None and req.description is None and req.muscle_group_ids is None:
+    if not req.model_fields_set:
         logger.info("No changes provided, skipping update")
         return
 
-    if req.name is not None:
+    if "name" in req.model_fields_set:
+        assert req.name is not None
         exercise.name = req.name
-    if req.description is not None:
+
+    if "description" in req.model_fields_set:
         exercise.description = req.description
-    if req.muscle_group_ids is not None:
+
+    if "muscle_group_ids" in req.model_fields_set:
+        assert req.muscle_group_ids is not None
         muscle_groups = await get_muscle_groups_by_ids(req.muscle_group_ids, db)
         if len(muscle_groups) != len(req.muscle_group_ids):
             raise MuscleGroupNotFound()
@@ -181,18 +189,13 @@ async def update_exercise(
         raise ExerciseNameConflict()
 
 
-async def delete_exercise(exercise_id: int, user_id: int, db: AsyncSession) -> None:
+async def delete_exercise(
+    exercise_id: int,
+    user_id: int,
+    db: AsyncSession,
+) -> None:
     logger.info(f"Deleting exercise {exercise_id} for user {user_id}")
 
-    result = await db.execute(
-        select(Exercise).where(Exercise.id == exercise_id),
-    )
-    exercise = result.scalar_one_or_none()
-
-    if not exercise:
-        raise ExerciseNotFound()
-    if exercise.user_id != user_id:
-        raise ExerciseUpdateNotAllowed()
-
+    exercise = await _get_owned_exercise(exercise_id, user_id, db)
     await db.delete(exercise)
     await db.commit()
diff --git a/server/app/services/muscle_group.py b/server/app/services/muscle_group.py
index 3a0fb6ee..cebb7ca1 100644
--- a/server/app/services/muscle_group.py
+++ b/server/app/services/muscle_group.py
@@ -5,15 +5,16 @@
 from app.models.schemas.muscle_group import MuscleGroupPublic
 
 
+def to_muscle_group_public(muscle_group: MuscleGroup) -> MuscleGroupPublic:
+    return MuscleGroupPublic.model_validate(muscle_group, from_attributes=True)
+
+
 async def get_muscle_groups_ordered_by_name(
     db: AsyncSession,
 ) -> list[MuscleGroupPublic]:
     result = await db.execute(select(MuscleGroup).order_by(MuscleGroup.name.asc()))
     muscle_groups = result.scalars().all()
-    return [
-        MuscleGroupPublic.model_validate(mg, from_attributes=True)
-        for mg in muscle_groups
-    ]
+    return [to_muscle_group_public(mg) for mg in muscle_groups]
 
 
 async def get_muscle_groups_by_ids(
diff --git a/server/app/services/set.py b/server/app/services/set.py
new file mode 100644
index 00000000..07fec8af
--- /dev/null
+++ b/server/app/services/set.py
@@ -0,0 +1,6 @@
+from app.models.database.set import Set
+from app.models.schemas.set import SetPublic
+
+
+def to_set_public(set_: Set) -> SetPublic:
+    return SetPublic.model_validate(set_, from_attributes=True)
diff --git a/server/app/services/user.py b/server/app/services/user.py
index d5fc374b..f37aa084 100644
--- a/server/app/services/user.py
+++ b/server/app/services/user.py
@@ -5,6 +5,11 @@
 
 from app.models.database.user import User
 from app.models.schemas.types import is_email_identifier
+from app.models.schemas.user import UserPublic
+
+
+def to_user_public(user: User) -> UserPublic:
+    return UserPublic.model_validate(user, from_attributes=True)
 
 
 async def get_admin_users(db: AsyncSession) -> Sequence[User]:
diff --git a/server/app/services/workout.py b/server/app/services/workout.py
new file mode 100644
index 00000000..93d09833
--- /dev/null
+++ b/server/app/services/workout.py
@@ -0,0 +1,159 @@
+import logging
+from collections.abc import Sequence
+from datetime import UTC, datetime
+from typing import Any
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
+
+from app.models.database.workout import Workout
+from app.models.database.workout_exercise import WorkoutExercise
+from app.models.errors import WorkoutNotFound
+from app.models.schemas.workout import (
+    CreateWorkoutRequest,
+    UpdateWorkoutRequest,
+    WorkoutBase,
+    WorkoutPublic,
+)
+from app.services.workout_exercise import to_workout_exercise_public
+
+logger = logging.getLogger(__name__)
+
+
+async def _get_workouts(
+    db: AsyncSession,
+    base: bool,
+    *where_clauses: Any,
+) -> Sequence[Workout]:
+    query = select(Workout)
+    if not base:
+        query = query.options(
+            selectinload(Workout.exercises).selectinload(WorkoutExercise.exercise),
+            selectinload(Workout.exercises).selectinload(WorkoutExercise.sets),
+        )
+    result = await db.execute(
+        query.where(*where_clauses).order_by(Workout.started_at.desc())
+    )
+    return result.scalars().all()
+
+
+async def _get_owned_workout(
+    workout_id: int,
+    user_id: int,
+    db: AsyncSession,
+) -> Workout:
+    result = await db.execute(
+        select(Workout).where(
+            Workout.id == workout_id,
+        ),
+    )
+    workout = result.scalar_one_or_none()
+    if not workout or workout.user_id != user_id:
+        raise WorkoutNotFound()
+    return workout
+
+
+def to_workout_base(workout: Workout) -> WorkoutBase:
+    return WorkoutBase.model_validate(workout, from_attributes=True)
+
+
+def to_workout_public(workout: Workout) -> WorkoutPublic:
+    return WorkoutPublic(
+        id=workout.id,
+        user_id=workout.user_id,
+        started_at=workout.started_at,
+        ended_at=workout.ended_at,
+        notes=workout.notes,
+        created_at=workout.created_at,
+        updated_at=workout.updated_at,
+        exercises=[to_workout_exercise_public(we) for we in workout.exercises],
+    )
+
+
+async def create_workout(
+    user_id: int,
+    req: CreateWorkoutRequest,
+    db: AsyncSession,
+) -> None:
+    logger.info(f"Creating workout for user {user_id}")
+
+    workout = Workout(
+        user_id=user_id,
+        started_at=req.started_at or datetime.now(UTC),
+        ended_at=req.ended_at,
+        notes=req.notes,
+    )
+    db.add(workout)
+    await db.commit()
+
+
+async def get_workouts(
+    user_id: int,
+    db: AsyncSession,
+) -> list[WorkoutBase]:
+    logger.info(f"Getting workouts for user {user_id}")
+
+    workouts = await _get_workouts(
+        db,
+        True,
+        Workout.user_id == user_id,
+    )
+    return [to_workout_base(w) for w in workouts]
+
+
+async def get_workout(
+    workout_id: int,
+    user_id: int,
+    db: AsyncSession,
+) -> WorkoutPublic:
+    logger.info(f"Getting workout {workout_id} for user {user_id}")
+
+    workouts = await _get_workouts(
+        db,
+        False,
+        Workout.id == workout_id,
+        Workout.user_id == user_id,
+    )
+    if not workouts:
+        raise WorkoutNotFound()
+    return to_workout_public(workouts[0])
+
+
+async def update_workout(
+    workout_id: int,
+    user_id: int,
+    req: UpdateWorkoutRequest,
+    db: AsyncSession,
+) -> None:
+    logger.info(f"Updating workout {workout_id} for user {user_id}")
+
+    workout = await _get_owned_workout(workout_id, user_id, db)
+
+    if not req.model_fields_set:
+        logger.info("No changes provided, skipping update")
+        return
+
+    if "started_at" in req.model_fields_set:
+        assert req.started_at is not None
+        workout.started_at = req.started_at
+
+    if "ended_at" in req.model_fields_set:
+        workout.ended_at = req.ended_at
+
+    if "notes" in req.model_fields_set:
+        workout.notes = req.notes
+
+    await db.commit()
+
+
+async def delete_workout(
+    workout_id: int,
+    user_id: int,
+    db: AsyncSession,
+) -> None:
+    logger.info(f"Deleting workout {workout_id} for user {user_id}")
+
+    workout = await _get_owned_workout(workout_id, user_id, db)
+    await db.delete(workout)
+    await db.commit()
diff --git a/server/app/services/workout_exercise.py b/server/app/services/workout_exercise.py
new file mode 100644
index 00000000..dea7a04f
--- /dev/null
+++ b/server/app/services/workout_exercise.py
@@ -0,0 +1,20 @@
+from app.models.database.workout_exercise import WorkoutExercise
+from app.models.schemas.workout_exercise import WorkoutExercisePublic
+from app.services.exercise import to_exercise_base
+from app.services.set import to_set_public
+
+
+def to_workout_exercise_public(
+    workout_exercise: WorkoutExercise,
+) -> WorkoutExercisePublic:
+    return WorkoutExercisePublic(
+        id=workout_exercise.id,
+        workout_id=workout_exercise.workout_id,
+        exercise_id=workout_exercise.exercise_id,
+        position=workout_exercise.position,
+        notes=workout_exercise.notes,
+        created_at=workout_exercise.created_at,
+        updated_at=workout_exercise.updated_at,
+        exercise=to_exercise_base(workout_exercise.exercise),
+        sets=[to_set_public(s) for s in workout_exercise.sets],
+    )
diff --git a/server/app/tests/api/exercises/test_create_exercise.py b/server/app/tests/api/exercises/test_create_exercise.py
index 64d0ef3e..eade6784 100644
--- a/server/app/tests/api/exercises/test_create_exercise.py
+++ b/server/app/tests/api/exercises/test_create_exercise.py
@@ -4,7 +4,6 @@
 
 from app.core.config import Settings
 from app.models.errors import ExerciseNameConflict, MuscleGroupNotFound
-from app.models.schemas.exercise import ExercisePublic
 from app.tests.api.exercises.utilities import get_muscle_group_id
 
 from ..utilities import HttpMethod, login_admin, make_http_request
@@ -28,7 +27,7 @@ async def _make_request(
     )
 
 
-# 201
+# 204
 async def test_create_exercise(
     client: AsyncClient,
     session: AsyncSession,
@@ -44,15 +43,7 @@ async def test_create_exercise(
         muscle_group_ids=[muscle_group_id],
     )
 
-    assert resp.status_code == status.HTTP_201_CREATED
-
-    body = resp.json()
-    ExercisePublic.model_validate(body)
-    assert body["name"] == "Overhead Press"
-    assert body["description"] == "Pressing movement for shoulders"
-    assert body["user_id"] is not None
-    assert len(body["muscle_groups"]) == 1
-    assert body["muscle_groups"][0]["id"] == muscle_group_id
+    assert resp.status_code == status.HTTP_204_NO_CONTENT
 
 
 # 401
diff --git a/server/app/tests/api/exercises/test_delete_exercise.py b/server/app/tests/api/exercises/test_delete_exercise.py
index 1023dadd..b4a27cab 100644
--- a/server/app/tests/api/exercises/test_delete_exercise.py
+++ b/server/app/tests/api/exercises/test_delete_exercise.py
@@ -3,7 +3,7 @@
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.core.config import Settings
-from app.models.errors import ExerciseNotFound, ExerciseUpdateNotAllowed
+from app.models.errors import ExerciseNotFound
 from app.tests.api.exercises.utilities import (
     create_exercise_via_api,
     create_system_exercise,
@@ -26,10 +26,11 @@ async def _make_request(
 # 204
 async def test_delete_exercise(
     client: AsyncClient,
+    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
-    created = await create_exercise_via_api(client, name="Exercise")
+    created = await create_exercise_via_api(client, session, name="Exercise")
 
     resp = await _make_request(client, created.id)
 
@@ -46,31 +47,33 @@ async def test_delete_exercise_not_logged_in(
     resp = await _make_request(client, system_ex.id)
 
     assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
 
 
-# 403
-async def test_delete_exercise_not_allowed(
+# 404
+async def test_delete_exercise_not_found(
     client: AsyncClient,
-    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
-    system_ex = await create_system_exercise(session, name="System Exercise")
 
-    resp = await _make_request(client, system_ex.id)
+    resp = await _make_request(client, 99999)
 
-    assert resp.status_code == ExerciseUpdateNotAllowed.status_code
-    body = resp.json()
-    assert body["detail"] == ExerciseUpdateNotAllowed.detail
+    assert resp.status_code == ExerciseNotFound.status_code
 
 
 # 404
-async def test_delete_exercise_not_found(
+async def test_delete_exercise_not_allowed(
     client: AsyncClient,
+    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
+    system_ex = await create_system_exercise(session, name="System Exercise")
 
-    resp = await _make_request(client, 99999)
+    resp = await _make_request(client, system_ex.id)
 
     assert resp.status_code == ExerciseNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == ExerciseNotFound.detail
diff --git a/server/app/tests/api/exercises/test_get_exercise.py b/server/app/tests/api/exercises/test_get_exercise.py
index a30a5be8..5c9cb1ca 100644
--- a/server/app/tests/api/exercises/test_get_exercise.py
+++ b/server/app/tests/api/exercises/test_get_exercise.py
@@ -21,10 +21,11 @@ async def _make_request(client: AsyncClient, exercise_id: int):
 # 200
 async def test_get_exercise(
     client: AsyncClient,
+    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
-    created = await create_exercise_via_api(client, name="Bench Press")
+    created = await create_exercise_via_api(client, session, name="Bench Press")
 
     resp = await _make_request(client, created.id)
 
@@ -52,20 +53,6 @@ async def test_get_exercise_system_exercise(
     assert body["user_id"] is None
 
 
-# 404
-async def test_get_exercise_not_found(
-    client: AsyncClient,
-    settings: Settings,
-):
-    await login_admin(client, settings)
-
-    resp = await _make_request(client, 99999)
-
-    assert resp.status_code == ExerciseNotFound.status_code
-    body = resp.json()
-    assert body["detail"] == ExerciseNotFound.detail
-
-
 # 401
 async def test_get_exercise_not_logged_in(
     client: AsyncClient,
@@ -78,3 +65,17 @@ async def test_get_exercise_not_logged_in(
     assert resp.status_code == status.HTTP_401_UNAUTHORIZED
     body = resp.json()
     assert body["detail"] == "Not authenticated"
+
+
+# 404
+async def test_get_exercise_not_found(
+    client: AsyncClient,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+
+    resp = await _make_request(client, 99999)
+
+    assert resp.status_code == ExerciseNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == ExerciseNotFound.detail
diff --git a/server/app/tests/api/exercises/test_get_exercises.py b/server/app/tests/api/exercises/test_get_exercises.py
index 90c1f100..7126f7b0 100644
--- a/server/app/tests/api/exercises/test_get_exercises.py
+++ b/server/app/tests/api/exercises/test_get_exercises.py
@@ -8,10 +8,9 @@
     create_exercise,
     create_exercise_via_api,
     create_system_exercise,
-    create_user,
 )
 
-from ..utilities import HttpMethod, login_admin, make_http_request
+from ..utilities import HttpMethod, create_user, login_admin, make_http_request
 
 
 async def _make_request(client: AsyncClient):
@@ -22,16 +21,17 @@ async def _make_request(client: AsyncClient):
     )
 
 
+# 200
 async def test_get_exercises(
     client: AsyncClient,
     session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
-    user = await create_user(session, username="user", password="password")
+    user = await create_user(session)
 
     await create_system_exercise(session, name="System Exercise")
-    await create_exercise_via_api(client, name="User Exercise")
+    await create_exercise_via_api(client, session, name="User Exercise")
     await create_exercise(
         session,
         name="Another User's Exercise",
diff --git a/server/app/tests/api/exercises/test_update_exercise.py b/server/app/tests/api/exercises/test_update_exercise.py
index f1fcf7a8..218eb6a9 100644
--- a/server/app/tests/api/exercises/test_update_exercise.py
+++ b/server/app/tests/api/exercises/test_update_exercise.py
@@ -8,7 +8,6 @@
 from app.models.errors import (
     ExerciseNameConflict,
     ExerciseNotFound,
-    ExerciseUpdateNotAllowed,
     MuscleGroupNotFound,
 )
 from app.tests.api.exercises.utilities import (
@@ -50,7 +49,7 @@ async def test_update_exercise(
     settings: Settings,
 ):
     await login_admin(client, settings)
-    created = await create_exercise_via_api(client, name="Old Name")
+    created = await create_exercise_via_api(client, session, name="Old Name")
     muscle_group_id = await get_muscle_group_id(session, name="chest")
 
     resp = await _make_request(
@@ -74,22 +73,8 @@ async def test_update_exercise_not_logged_in(
     resp = await _make_request(client, system_ex.id, name="Renamed")
 
     assert resp.status_code == status.HTTP_401_UNAUTHORIZED
-
-
-# 403
-async def test_update_exercise_not_allowed(
-    client: AsyncClient,
-    session: AsyncSession,
-    settings: Settings,
-):
-    await login_admin(client, settings)
-    system_ex = await create_system_exercise(session, name="System Row")
-
-    resp = await _make_request(client, system_ex.id, name="Attempted Rename")
-
-    assert resp.status_code == ExerciseUpdateNotAllowed.status_code
     body = resp.json()
-    assert body["detail"] == ExerciseUpdateNotAllowed.detail
+    assert body["detail"] == "Not authenticated"
 
 
 # 404
@@ -109,10 +94,11 @@ async def test_update_exercise_not_found(
 # 404
 async def test_update_exercise_muscle_group_not_found(
     client: AsyncClient,
+    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
-    created = await create_exercise_via_api(client, name="Flye")
+    created = await create_exercise_via_api(client, session, name="Flye")
 
     resp = await _make_request(client, created.id, muscle_group_ids=[99999])
 
@@ -121,15 +107,32 @@ async def test_update_exercise_muscle_group_not_found(
     assert body["detail"] == MuscleGroupNotFound.detail
 
 
+# 404
+async def test_update_exercise_not_allowed(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    system_ex = await create_system_exercise(session, name="System Row")
+
+    resp = await _make_request(client, system_ex.id, name="Attempted Rename")
+
+    assert resp.status_code == ExerciseNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == ExerciseNotFound.detail
+
+
 # 409
 async def test_update_exercise_name_conflict(
     client: AsyncClient,
+    session: AsyncSession,
     settings: Settings,
 ):
     await login_admin(client, settings)
 
-    await create_exercise_via_api(client, name="Taken Name")
-    other = await create_exercise_via_api(client, name="To Rename")
+    await create_exercise_via_api(client, session, name="Taken Name")
+    other = await create_exercise_via_api(client, session, name="To Rename")
 
     resp = await _make_request(client, other.id, name="Taken Name")
 
diff --git a/server/app/tests/api/exercises/utilities.py b/server/app/tests/api/exercises/utilities.py
index 4e4f9a9b..53f7caa2 100644
--- a/server/app/tests/api/exercises/utilities.py
+++ b/server/app/tests/api/exercises/utilities.py
@@ -2,11 +2,13 @@
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from app.core.security import PASSWORD_HASH
 from app.models.database.exercise import Exercise
 from app.models.database.muscle_group import MuscleGroup
-from app.models.database.user import User
 from app.models.schemas.exercise import ExercisePublic
+from app.services.exercise import (
+    _get_exercises_with_muscle_groups,  # pyright: ignore[reportPrivateUsage]
+    to_exercise_public,
+)
 
 from ..utilities import HttpMethod, make_http_request
 
@@ -19,31 +21,14 @@ async def get_muscle_group_id(session: AsyncSession, name: str) -> int:
     return muscle_group.id
 
 
-async def create_user(
-    session: AsyncSession,
-    username: str,
-    password: str,
-) -> User:
-    user = User(
-        username=username,
-        email=f"{username}@example.com",
-        first_name=username.capitalize(),
-        last_name="Test",
-        password_hash=PASSWORD_HASH.hash(password),
-        is_admin=False,
-    )
-    session.add(user)
-    await session.commit()
-    return user
-
-
 async def create_exercise_via_api(
     client: AsyncClient,
+    session: AsyncSession,
     name: str,
     description: str | None = None,
     muscle_group_ids: list[int] | None = None,
 ) -> ExercisePublic:
-    resp = await make_http_request(
+    await make_http_request(
         client,
         method=HttpMethod.POST,
         endpoint="/api/exercises",
@@ -53,7 +38,11 @@ async def create_exercise_via_api(
             "muscle_group_ids": muscle_group_ids or [],
         },
     )
-    return ExercisePublic.model_validate(resp.json())
+    exercises = await _get_exercises_with_muscle_groups(
+        session,
+        Exercise.name == name,
+    )
+    return to_exercise_public(exercises[0])
 
 
 async def create_system_exercise(
diff --git a/server/app/tests/api/utilities.py b/server/app/tests/api/utilities.py
index f42b7962..6f21b150 100644
--- a/server/app/tests/api/utilities.py
+++ b/server/app/tests/api/utilities.py
@@ -7,6 +7,7 @@
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.core.config import Settings
+from app.core.security import PASSWORD_HASH
 from app.models.database.user import User
 
 logger = logging.getLogger(__name__)
@@ -80,3 +81,21 @@ async def get_admin(session: AsyncSession, settings: Settings) -> User:
         select(User).where(User.username == settings.admin.username)
     )
     return result.scalar_one()
+
+
+async def create_user(
+    session: AsyncSession,
+    username: str = "user",
+    password: str = "password",
+) -> User:
+    user = User(
+        username=username,
+        email=f"{username}@example.com",
+        first_name=username.capitalize(),
+        last_name="Test",
+        password_hash=PASSWORD_HASH.hash(password),
+        is_admin=False,
+    )
+    session.add(user)
+    await session.commit()
+    return user
diff --git a/server/app/tests/api/workouts/__init__.py b/server/app/tests/api/workouts/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/server/app/tests/api/workouts/test_create_workout.py b/server/app/tests/api/workouts/test_create_workout.py
new file mode 100644
index 00000000..c7933c0d
--- /dev/null
+++ b/server/app/tests/api/workouts/test_create_workout.py
@@ -0,0 +1,52 @@
+from datetime import datetime
+
+from fastapi import status
+from httpx import AsyncClient
+
+from app.core.config import Settings
+
+from ..utilities import HttpMethod, login_admin, make_http_request
+
+
+async def _make_request(
+    client: AsyncClient,
+    started_at: datetime | None = None,
+    ended_at: datetime | None = None,
+    notes: str | None = None,
+):
+    return await make_http_request(
+        client,
+        method=HttpMethod.POST,
+        endpoint="/api/workouts",
+        json={
+            "started_at": started_at.isoformat() if started_at else None,
+            "ended_at": ended_at.isoformat() if ended_at else None,
+            "notes": notes,
+        },
+    )
+
+
+# 204
+async def test_create_workout(
+    client: AsyncClient,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+
+    resp = await _make_request(
+        client,
+        started_at=datetime.now(),
+        ended_at=datetime.now(),
+        notes="Leg day",
+    )
+
+    assert resp.status_code == status.HTTP_204_NO_CONTENT
+
+
+# 401
+async def test_create_workout_not_logged_in(client: AsyncClient):
+    resp = await _make_request(client)
+
+    assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
diff --git a/server/app/tests/api/workouts/test_delete_workout.py b/server/app/tests/api/workouts/test_delete_workout.py
new file mode 100644
index 00000000..ea81b4a2
--- /dev/null
+++ b/server/app/tests/api/workouts/test_delete_workout.py
@@ -0,0 +1,89 @@
+from fastapi import status
+from httpx import AsyncClient
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import Settings
+from app.models.errors import WorkoutNotFound
+
+from ..utilities import (
+    HttpMethod,
+    create_user,
+    get_admin,
+    login_admin,
+    make_http_request,
+)
+from .utilities import create_workout
+
+
+async def _make_request(
+    client: AsyncClient,
+    workout_id: int,
+):
+    return await make_http_request(
+        client,
+        method=HttpMethod.DELETE,
+        endpoint=f"/api/workouts/{workout_id}",
+    )
+
+
+# 204
+async def test_delete_workout(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    admin = await get_admin(session, settings)
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == status.HTTP_204_NO_CONTENT
+
+
+# 401
+async def test_delete_workout_not_logged_in(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    admin = await get_admin(session, settings)
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
+
+
+# 404
+async def test_delete_workout_not_found(
+    client: AsyncClient,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+
+    resp = await _make_request(client, 99999)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
+
+
+# 404
+async def test_delete_workout_not_allowed(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    user = await create_user(session)
+
+    workout = await create_workout(session, user_id=user.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
diff --git a/server/app/tests/api/workouts/test_get_workout.py b/server/app/tests/api/workouts/test_get_workout.py
new file mode 100644
index 00000000..bddc59a0
--- /dev/null
+++ b/server/app/tests/api/workouts/test_get_workout.py
@@ -0,0 +1,93 @@
+from fastapi import status
+from httpx import AsyncClient
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import Settings
+from app.models.errors import WorkoutNotFound
+from app.models.schemas.workout import WorkoutBase
+
+from ..utilities import (
+    HttpMethod,
+    create_user,
+    get_admin,
+    login_admin,
+    make_http_request,
+)
+from .utilities import create_workout
+
+
+async def _make_request(client: AsyncClient, workout_id: int):
+    return await make_http_request(
+        client,
+        method=HttpMethod.GET,
+        endpoint=f"/api/workouts/{workout_id}",
+    )
+
+
+# 200
+async def test_get_workout(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    admin = await get_admin(session, settings)
+
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == status.HTTP_200_OK
+    body = resp.json()
+    workout = WorkoutBase.model_validate(body)  # pyright: ignore[reportUnknownVariableType]
+    assert workout.id == workout.id
+    assert workout.user_id == admin.id
+
+
+# 401
+async def test_get_workout_not_logged_in(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    admin = await get_admin(session, settings)
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
+
+
+# 404
+async def test_get_workout_not_found(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+
+    resp = await _make_request(client, workout_id=9999)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
+
+
+# 404
+async def test_get_workout_not_allowed(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    user = await create_user(session)
+
+    workout = await create_workout(session, user_id=user.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
diff --git a/server/app/tests/api/workouts/test_get_workouts.py b/server/app/tests/api/workouts/test_get_workouts.py
new file mode 100644
index 00000000..84e5c94e
--- /dev/null
+++ b/server/app/tests/api/workouts/test_get_workouts.py
@@ -0,0 +1,55 @@
+from fastapi import status
+from httpx import AsyncClient
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import Settings
+from app.models.schemas.workout import WorkoutBase
+
+from ..utilities import (
+    HttpMethod,
+    create_user,
+    get_admin,
+    login_admin,
+    make_http_request,
+)
+from .utilities import create_workout
+
+
+async def _make_request(client: AsyncClient):
+    return await make_http_request(
+        client,
+        method=HttpMethod.GET,
+        endpoint="/api/workouts",
+    )
+
+
+# 200
+async def test_get_workouts(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    admin = await get_admin(session, settings)
+    user = await create_user(session)
+
+    admin_workout = await create_workout(session, user_id=admin.id)
+    user_workout = await create_workout(session, user_id=user.id)
+
+    resp = await _make_request(client)
+
+    assert resp.status_code == status.HTTP_200_OK
+    body = resp.json()
+    assert isinstance(body, list)
+    ids = [WorkoutBase.model_validate(w).id for w in body]  # pyright: ignore[reportUnknownVariableType]
+    assert admin_workout.id in ids
+    assert user_workout.id not in ids
+
+
+# 401
+async def test_get_workouts_not_logged_in(client: AsyncClient):
+    resp = await _make_request(client)
+
+    assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
diff --git a/server/app/tests/api/workouts/test_update_workout.py b/server/app/tests/api/workouts/test_update_workout.py
new file mode 100644
index 00000000..8b35b280
--- /dev/null
+++ b/server/app/tests/api/workouts/test_update_workout.py
@@ -0,0 +1,111 @@
+from datetime import datetime
+from typing import Any
+
+from fastapi import status
+from httpx import AsyncClient
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import Settings
+from app.models.errors import WorkoutNotFound
+
+from ..utilities import (
+    HttpMethod,
+    create_user,
+    get_admin,
+    login_admin,
+    make_http_request,
+)
+from .utilities import create_workout
+
+
+async def _make_request(
+    client: AsyncClient,
+    workout_id: int,
+    notes: str | None = None,
+    started_at: datetime | None = None,
+    ended_at: datetime | None = None,
+):
+    payload: dict[str, Any] = {}
+    if started_at is not None:
+        payload["started_at"] = started_at.isoformat()
+    if ended_at is not None:
+        payload["ended_at"] = ended_at.isoformat()
+    if notes is not None:
+        payload["notes"] = notes
+
+    return await make_http_request(
+        client,
+        method=HttpMethod.PATCH,
+        endpoint=f"/api/workouts/{workout_id}",
+        json=payload,
+    )
+
+
+# 204
+async def test_update_workout(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    admin = await get_admin(session, settings)
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(
+        client,
+        workout.id,
+        started_at=datetime.now(),
+        ended_at=datetime.now(),
+        notes="Updated notes",
+    )
+
+    assert resp.status_code == status.HTTP_204_NO_CONTENT
+
+
+# 401
+async def test_update_workout_not_logged_in(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    admin = await get_admin(session, settings)
+    workout = await create_workout(session, user_id=admin.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == status.HTTP_401_UNAUTHORIZED
+    body = resp.json()
+    assert body["detail"] == "Not authenticated"
+
+
+# 404
+async def test_update_workout_not_found(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+
+    resp = await _make_request(client, workout_id=9999)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
+
+
+# 404
+async def test_update_workout_not_allowed(
+    client: AsyncClient,
+    session: AsyncSession,
+    settings: Settings,
+):
+    await login_admin(client, settings)
+    user = await create_user(session)
+
+    workout = await create_workout(session, user_id=user.id)
+
+    resp = await _make_request(client, workout.id)
+
+    assert resp.status_code == WorkoutNotFound.status_code
+    body = resp.json()
+    assert body["detail"] == WorkoutNotFound.detail
diff --git a/server/app/tests/api/workouts/utilities.py b/server/app/tests/api/workouts/utilities.py
new file mode 100644
index 00000000..080f4f25
--- /dev/null
+++ b/server/app/tests/api/workouts/utilities.py
@@ -0,0 +1,108 @@
+from datetime import datetime
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.database.workout import Workout
+
+
+async def create_workout(
+    session: AsyncSession,
+    user_id: int,
+    started_at: datetime = datetime.now(),
+    ended_at: datetime | None = None,
+    notes: str | None = None,
+) -> Workout:
+    workout = Workout(
+        user_id=user_id,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes=notes,
+    )
+    session.add(workout)
+    await session.commit()
+    await session.refresh(workout)
+    return workout
+
+
+# async def create_workout_exercise(
+#     session: AsyncSession,
+#     workout_id: int,
+#     exercise_id: int,
+#     position: int = 1,
+#     notes: str | None = None,
+# ) -> WorkoutExercise:
+#     workout_exercise = WorkoutExercise(
+#         workout_id=workout_id,
+#         exercise_id=exercise_id,
+#         position=position,
+#         notes=notes,
+#     )
+#     session.add(workout_exercise)
+#     await session.commit()
+#     return workout_exercise
+
+
+# async def create_set(
+#     session: AsyncSession,
+#     workout_exercise_id: int,
+#     set_number: int = 1,
+#     reps: int | None = None,
+#     weight: float | None = None,
+#     unit: str | None = None,
+#     notes: str | None = None,
+# ) -> Set:
+#     set_ = Set(
+#         workout_exercise_id=workout_exercise_id,
+#         set_number=set_number,
+#         reps=reps,
+#         weight=weight,
+#         unit=unit,
+#         notes=notes,
+#     )
+#     session.add(set_)
+#     await session.commit()
+#     return set_
+
+
+# async def create_workout_via_api(
+#     client: AsyncClient,
+#     started_at: str | None = None,
+#     ended_at: str | None = None,
+#     notes: str | None = None,
+# ) -> WorkoutPublic:
+#     resp = await make_http_request(
+#         client,
+#         method=HttpMethod.POST,
+#         endpoint="/api/workouts",
+#         json={
+#             "started_at": started_at,
+#             "ended_at": ended_at,
+#             "notes": notes,
+#         },
+#     )
+#     return WorkoutPublic.model_validate(resp.json())
+
+
+# async def add_workout_exercise_via_api(
+#     client: AsyncClient,
+#     workout_id: int,
+#     exercise_id: int,
+#     notes: str | None = None,
+# ) -> WorkoutExercisePublic:
+#     resp = await make_http_request(
+#         client,
+#         method=HttpMethod.POST,
+#         endpoint=f"/api/workouts/{workout_id}/exercises",
+#         json={
+#             "exercise_id": exercise_id,
+#             "notes": notes,
+#         },
+#     )
+#     return WorkoutExercisePublic.model_validate(resp.json())
+
+
+# async def get_workout_exercise_count(session: AsyncSession, workout_id: int) -> int:
+#     result = await session.execute(
+#         select(WorkoutExercise).where(WorkoutExercise.workout_id == workout_id)
+#     )
+#     return len(result.scalars().all())
diff --git a/server/app/tests/core/dependencies/test_get_current_admin.py b/server/app/tests/core/dependencies/test_get_current_admin.py
index 6eaebd51..3b7ffe9c 100644
--- a/server/app/tests/core/dependencies/test_get_current_admin.py
+++ b/server/app/tests/core/dependencies/test_get_current_admin.py
@@ -7,6 +7,7 @@
 from app.models.database.user import User
 from app.models.errors import InsufficientPermissions
 from app.models.schemas.user import UserPublic
+from app.services.user import to_user_public
 
 
 async def _get_admin(session: AsyncSession, settings: Settings) -> UserPublic:
@@ -14,7 +15,7 @@ async def _get_admin(session: AsyncSession, settings: Settings) -> UserPublic:
         select(User).where(User.username == settings.admin.username)
     )
     admin = result.scalar_one()
-    adminPublic = UserPublic.model_validate(admin, from_attributes=True)
+    adminPublic = to_user_public(admin)
     return adminPublic
 
 
diff --git a/server/app/tests/fixtures/overrides.py b/server/app/tests/fixtures/overrides.py
index 75317748..25a2bda6 100644
--- a/server/app/tests/fixtures/overrides.py
+++ b/server/app/tests/fixtures/overrides.py
@@ -1,4 +1,3 @@
-import logging
 from collections.abc import Callable
 from typing import Any
 
@@ -7,8 +6,6 @@
 from app.core.config import EmailSettings, Settings
 from app.services.email import EmailService, get_email_service
 
-logger = logging.getLogger(__name__)
-
 
 @pytest.fixture
 def override_settings(settings: Settings) -> Callable[[dict[str, Any]], Settings]:
diff --git a/server/app/tests/services/access_request/test_to_access_request_public.py b/server/app/tests/services/access_request/test_to_access_request_public.py
new file mode 100644
index 00000000..074ebb5b
--- /dev/null
+++ b/server/app/tests/services/access_request/test_to_access_request_public.py
@@ -0,0 +1,33 @@
+from datetime import UTC, datetime
+
+from app.models.database.access_request import AccessRequest
+from app.models.enums import AccessRequestStatus
+from app.models.schemas.access_request import AccessRequestPublic
+from app.services.access_request import to_access_request_public
+
+
+def test_to_access_request_public() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    access_req = AccessRequest(
+        id=1,
+        email="user@example.com",
+        first_name="John",
+        last_name="Doe",
+        status=AccessRequestStatus.PENDING,
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_access_request_public(access_req)
+
+    assert isinstance(result, AccessRequestPublic)
+    assert result.id == 1
+    assert result.email == "user@example.com"
+    assert result.first_name == "John"
+    assert result.last_name == "Doe"
+    assert result.status == AccessRequestStatus.PENDING
+    assert result.reviewed_at is None
+    assert result.reviewer is None
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
diff --git a/server/app/tests/services/exercise/test_create_exercise.py b/server/app/tests/services/exercise/test_create_exercise.py
index aae8833d..05a62430 100644
--- a/server/app/tests/services/exercise/test_create_exercise.py
+++ b/server/app/tests/services/exercise/test_create_exercise.py
@@ -1,18 +1,23 @@
 import pytest
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.models.database.exercise import Exercise
 from app.models.errors import ExerciseNameConflict, MuscleGroupNotFound
 from app.models.schemas.exercise import CreateExerciseRequest
-from app.services.exercise import create_exercise
+from app.services.exercise import (
+    _get_exercises_with_muscle_groups,  # pyright: ignore[reportPrivateUsage]
+    create_exercise,
+)
 
-from .utilities import create_user, get_muscle_group_id
+from ..utilities import create_user
+from .utilities import get_muscle_group_id
 
 
 async def test_create_exercise(session: AsyncSession):
     user = await create_user(session)
     muscle_group_id = await get_muscle_group_id(session, name="chest")
 
-    result = await create_exercise(
+    await create_exercise(
         user.id,
         CreateExerciseRequest(
             name="Incline Bench",
@@ -22,12 +27,17 @@ async def test_create_exercise(session: AsyncSession):
         session,
     )
 
-    assert result.user_id == user.id
-    assert result.name == "Incline Bench"
-    assert result.description == "Upper chest press"
-    assert [muscle_group.id for muscle_group in result.muscle_groups] == [
-        muscle_group_id
-    ]
+    exercises = await _get_exercises_with_muscle_groups(
+        session,
+        Exercise.name == "Incline Bench",
+    )
+    exercise = exercises[0] if exercises else None
+
+    assert exercise is not None
+    assert exercise.user_id == user.id
+    assert exercise.name == "Incline Bench"
+    assert exercise.description == "Upper chest press"
+    assert [mg.muscle_group_id for mg in exercise.muscle_groups] == [muscle_group_id]
 
 
 async def test_create_exercise_muscle_group_not_found(session: AsyncSession):
diff --git a/server/app/tests/services/exercise/test_delete_exercise.py b/server/app/tests/services/exercise/test_delete_exercise.py
index b95744df..3350470e 100644
--- a/server/app/tests/services/exercise/test_delete_exercise.py
+++ b/server/app/tests/services/exercise/test_delete_exercise.py
@@ -4,10 +4,11 @@
 
 from app.models.database.exercise import Exercise
 from app.models.database.exercise_muscle_group import ExerciseMuscleGroup
-from app.models.errors import ExerciseNotFound, ExerciseUpdateNotAllowed
+from app.models.errors import ExerciseNotFound
 from app.services.exercise import delete_exercise
 
-from .utilities import create_exercise, create_user, get_muscle_group_id
+from ..utilities import create_user
+from .utilities import create_exercise, get_muscle_group_id
 
 
 async def test_delete_exercise(session: AsyncSession):
@@ -52,5 +53,5 @@ async def test_delete_exercise_not_allowed(session: AsyncSession):
         user_id=user.id,
     )
 
-    with pytest.raises(ExerciseUpdateNotAllowed):
+    with pytest.raises(ExerciseNotFound):
         await delete_exercise(exercise.id, user_2.id, session)
diff --git a/server/app/tests/services/exercise/test_get_exercise.py b/server/app/tests/services/exercise/test_get_exercise.py
index 009cc596..45bd5578 100644
--- a/server/app/tests/services/exercise/test_get_exercise.py
+++ b/server/app/tests/services/exercise/test_get_exercise.py
@@ -4,7 +4,8 @@
 from app.models.errors import ExerciseNotFound
 from app.services.exercise import get_exercise
 
-from .utilities import create_exercise, create_user
+from ..utilities import create_user
+from .utilities import create_exercise
 
 
 async def test_get_exercise(session: AsyncSession):
@@ -39,3 +40,16 @@ async def test_get_exercise_not_found(session: AsyncSession):
 
     with pytest.raises(ExerciseNotFound):
         await get_exercise(99999, user.id, session)
+
+
+async def test_get_exercise_other_user(session: AsyncSession):
+    owner = await create_user(session, username="owner")
+    other = await create_user(session, username="other")
+    exercise = await create_exercise(
+        session,
+        name="Other Exercise",
+        user_id=owner.id,
+    )
+
+    with pytest.raises(ExerciseNotFound):
+        await get_exercise(exercise.id, other.id, session)
diff --git a/server/app/tests/services/exercise/test_get_exercises.py b/server/app/tests/services/exercise/test_get_exercises.py
index 1d22ebed..ddccc1b4 100644
--- a/server/app/tests/services/exercise/test_get_exercises.py
+++ b/server/app/tests/services/exercise/test_get_exercises.py
@@ -2,7 +2,8 @@
 
 from app.services.exercise import get_exercises
 
-from .utilities import clear_exercises, create_exercise, create_user
+from ..utilities import create_user
+from .utilities import clear_exercises, create_exercise
 
 
 async def test_get_exercises(session: AsyncSession):
diff --git a/server/app/tests/services/exercise/test_get_exercises_with_muscle_groups.py b/server/app/tests/services/exercise/test_get_exercises_with_muscle_groups.py
index 5c9cce60..ccad6112 100644
--- a/server/app/tests/services/exercise/test_get_exercises_with_muscle_groups.py
+++ b/server/app/tests/services/exercise/test_get_exercises_with_muscle_groups.py
@@ -1,5 +1,3 @@
-import logging
-
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.models.database.exercise import Exercise
@@ -7,14 +5,8 @@
     _get_exercises_with_muscle_groups,  # pyright: ignore[reportPrivateUsage]
 )
 
-from .utilities import (
-    clear_exercises,
-    create_exercise,
-    create_user,
-    get_muscle_group_id,
-)
-
-logger = logging.getLogger(__name__)
+from ..utilities import create_user
+from .utilities import clear_exercises, create_exercise, get_muscle_group_id
 
 
 async def test_get_exercises_with_muscle_groups_no_where_clause(
diff --git a/server/app/tests/services/exercise/test_get_owned_exercise.py b/server/app/tests/services/exercise/test_get_owned_exercise.py
new file mode 100644
index 00000000..6f527d72
--- /dev/null
+++ b/server/app/tests/services/exercise/test_get_owned_exercise.py
@@ -0,0 +1,46 @@
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.errors import ExerciseNotFound
+from app.services.exercise import (
+    _get_owned_exercise,  # pyright: ignore[reportPrivateUsage]
+)
+
+from ..utilities import create_user
+from .utilities import create_exercise
+
+
+async def test_get_owned_exercise(session: AsyncSession):
+    user = await create_user(session)
+    exercise = await create_exercise(
+        session,
+        name="Owned Exercise",
+        user_id=user.id,
+    )
+
+    result = await _get_owned_exercise(exercise.id, user.id, session)
+
+    assert result.id == exercise.id
+    assert result.user_id == user.id
+
+
+async def test_get_owned_exercise_not_found(
+    session: AsyncSession,
+):
+    user = await create_user(session)
+
+    with pytest.raises(ExerciseNotFound):
+        await _get_owned_exercise(99999, user.id, session)
+
+
+async def test_get_owned_exercise_other_user(session: AsyncSession):
+    owner = await create_user(session, username="owner")
+    other = await create_user(session, username="other")
+    exercise = await create_exercise(
+        session,
+        name="Other Exercise",
+        user_id=owner.id,
+    )
+
+    with pytest.raises(ExerciseNotFound):
+        await _get_owned_exercise(exercise.id, other.id, session)
diff --git a/server/app/tests/services/exercise/test_to_exercise_base.py b/server/app/tests/services/exercise/test_to_exercise_base.py
new file mode 100644
index 00000000..6550c4eb
--- /dev/null
+++ b/server/app/tests/services/exercise/test_to_exercise_base.py
@@ -0,0 +1,28 @@
+from datetime import UTC, datetime
+
+from app.models.database.exercise import Exercise
+from app.models.schemas.exercise import ExerciseBase
+from app.services.exercise import to_exercise_base
+
+
+def test_to_exercise_base() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    exercise = Exercise(
+        id=1,
+        user_id=2,
+        name="Bench Press",
+        description="Flat bench",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_exercise_base(exercise)
+
+    assert isinstance(result, ExerciseBase)
+    assert result.id == 1
+    assert result.user_id == 2
+    assert result.name == "Bench Press"
+    assert result.description == "Flat bench"
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
diff --git a/server/app/tests/services/exercise/test_to_exercise_public.py b/server/app/tests/services/exercise/test_to_exercise_public.py
index 6feeed23..2cc07b09 100644
--- a/server/app/tests/services/exercise/test_to_exercise_public.py
+++ b/server/app/tests/services/exercise/test_to_exercise_public.py
@@ -5,9 +5,7 @@
 from app.models.database.muscle_group import MuscleGroup
 from app.models.schemas.exercise import ExercisePublic
 from app.models.schemas.muscle_group import MuscleGroupPublic
-from app.services.exercise import (
-    _to_exercise_public,  # pyright: ignore[reportPrivateUsage]
-)
+from app.services.exercise import to_exercise_public
 
 
 def test_to_exercise_public_no_muscle_groups() -> None:
@@ -22,16 +20,16 @@ def test_to_exercise_public_no_muscle_groups() -> None:
         updated_at=updated_at,
     )
 
-    result = _to_exercise_public(exercise)
+    result = to_exercise_public(exercise)
 
     assert isinstance(result, ExercisePublic)
     assert result.id == 1
     assert result.user_id == 2
     assert result.name == "Bench Press"
     assert result.description == "Flat bench"
-    assert result.muscle_groups == []
     assert result.created_at == created_at
     assert result.updated_at == updated_at
+    assert result.muscle_groups == []
 
 
 def test_to_exercise_public_with_muscle_groups() -> None:
@@ -51,7 +49,7 @@ def test_to_exercise_public_with_muscle_groups() -> None:
         ExerciseMuscleGroup(exercise_id=11, muscle_group_id=2, muscle_group=triceps),
     ]
 
-    result = _to_exercise_public(exercise)
+    result = to_exercise_public(exercise)
 
     assert len(result.muscle_groups) == 2
 
@@ -83,7 +81,7 @@ def test_to_exercise_public_muscle_groups_ordering() -> None:
         ExerciseMuscleGroup(exercise_id=12, muscle_group_id=4, muscle_group=arms),
     ]
 
-    result = _to_exercise_public(exercise)
+    result = to_exercise_public(exercise)
 
     assert [muscle_group.name for muscle_group in result.muscle_groups] == [
         "arms",
diff --git a/server/app/tests/services/exercise/test_update_exercise.py b/server/app/tests/services/exercise/test_update_exercise.py
index db27dd09..c6f94f99 100644
--- a/server/app/tests/services/exercise/test_update_exercise.py
+++ b/server/app/tests/services/exercise/test_update_exercise.py
@@ -4,13 +4,13 @@
 from app.models.errors import (
     ExerciseNameConflict,
     ExerciseNotFound,
-    ExerciseUpdateNotAllowed,
     MuscleGroupNotFound,
 )
 from app.models.schemas.exercise import UpdateExerciseRequest
 from app.services.exercise import get_exercise, update_exercise
 
-from .utilities import create_exercise, create_user, get_muscle_group_id
+from ..utilities import create_user
+from .utilities import create_exercise, get_muscle_group_id
 
 
 async def test_update_exercise(session: AsyncSession):
@@ -33,11 +33,11 @@ async def test_update_exercise(session: AsyncSession):
         session,
     )
 
-    result = await get_exercise(exercise.id, user.id, session)
+    exercise = await get_exercise(exercise.id, user.id, session)
 
-    assert result.name == "Incline Bench"
-    assert result.description == "Updated description"
-    assert [muscle_group.id for muscle_group in result.muscle_groups] == [
+    assert exercise.name == "Incline Bench"
+    assert exercise.description == "Updated description"
+    assert [muscle_group.id for muscle_group in exercise.muscle_groups] == [
         muscle_group_id
     ]
 
@@ -64,7 +64,7 @@ async def test_update_exercise_not_allowed(session: AsyncSession):
         user_id=user.id,
     )
 
-    with pytest.raises(ExerciseUpdateNotAllowed):
+    with pytest.raises(ExerciseNotFound):
         await update_exercise(
             exercise.id,
             user_2.id,
@@ -88,11 +88,11 @@ async def test_update_exercise_no_changes(session: AsyncSession):
         session,
     )
 
-    result = await get_exercise(exercise.id, user.id, session)
+    exercise = await get_exercise(exercise.id, user.id, session)
 
-    assert result.name == "Bench"
-    assert result.description is None
-    assert len(result.muscle_groups) == 0
+    assert exercise.name == "Bench"
+    assert exercise.description is None
+    assert len(exercise.muscle_groups) == 0
 
 
 async def test_update_exercise_no_name(session: AsyncSession):
@@ -110,6 +110,12 @@ async def test_update_exercise_no_name(session: AsyncSession):
         session,
     )
 
+    exercise = await get_exercise(exercise.id, user.id, session)
+
+    assert exercise.name == "Bench"
+    assert exercise.description == "Updated description"
+    assert len(exercise.muscle_groups) == 0
+
 
 async def test_update_exercise_no_description(session: AsyncSession):
     user = await create_user(session)
@@ -126,6 +132,35 @@ async def test_update_exercise_no_description(session: AsyncSession):
         session,
     )
 
+    exercise = await get_exercise(exercise.id, user.id, session)
+
+    assert exercise.name == "Incline Bench"
+    assert exercise.description is None
+    assert len(exercise.muscle_groups) == 0
+
+
+async def test_update_exercise_null_values(session: AsyncSession):
+    user = await create_user(session)
+    exercise = await create_exercise(
+        session,
+        name="Bench",
+        user_id=user.id,
+        description="Initial description",
+    )
+
+    await update_exercise(
+        exercise.id,
+        user.id,
+        UpdateExerciseRequest(description=None),
+        session,
+    )
+
+    exercise = await get_exercise(exercise.id, user.id, session)
+
+    assert exercise.name == "Bench"
+    assert exercise.description is None
+    assert len(exercise.muscle_groups) == 0
+
 
 async def test_update_exercise_muscle_group_not_found(session: AsyncSession):
     user = await create_user(session)
diff --git a/server/app/tests/services/exercise/utilities.py b/server/app/tests/services/exercise/utilities.py
index 6a16e137..4d9060c7 100644
--- a/server/app/tests/services/exercise/utilities.py
+++ b/server/app/tests/services/exercise/utilities.py
@@ -4,21 +4,6 @@
 from app.models.database.exercise import Exercise
 from app.models.database.exercise_muscle_group import ExerciseMuscleGroup
 from app.models.database.muscle_group import MuscleGroup
-from app.models.database.user import User
-
-
-async def create_user(session: AsyncSession, *, username: str = "user") -> User:
-    user = User(
-        username=username,
-        email=f"{username}@example.com",
-        first_name="Test",
-        last_name="User",
-        password_hash="hash",
-        is_admin=False,
-    )
-    session.add(user)
-    await session.commit()
-    return user
 
 
 async def create_exercise(
@@ -29,8 +14,8 @@ async def create_exercise(
     muscle_group_ids: list[int] | None = None,
 ) -> Exercise:
     exercise = Exercise(
-        name=name,
         user_id=user_id,
+        name=name,
         description=description,
     )
     session.add(exercise)
diff --git a/server/app/tests/services/user/test_to_user_public.py b/server/app/tests/services/user/test_to_user_public.py
new file mode 100644
index 00000000..b75b5240
--- /dev/null
+++ b/server/app/tests/services/user/test_to_user_public.py
@@ -0,0 +1,33 @@
+from datetime import UTC, datetime
+
+from app.models.database.user import User
+from app.models.schemas.user import UserPublic
+from app.services.user import to_user_public
+
+
+def test_to_user_public() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    user = User(
+        id=1,
+        username="testuser",
+        email="testuser@example.com",
+        first_name="Test",
+        last_name="User",
+        password_hash="hashedpassword",
+        is_admin=False,
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_user_public(user)
+
+    assert isinstance(result, UserPublic)
+    assert result.id == 1
+    assert result.username == "testuser"
+    assert result.email == "testuser@example.com"
+    assert result.first_name == "Test"
+    assert result.last_name == "User"
+    assert result.is_admin is False
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
diff --git a/server/app/tests/services/utilities.py b/server/app/tests/services/utilities.py
index 69f3f73f..2dafc536 100644
--- a/server/app/tests/services/utilities.py
+++ b/server/app/tests/services/utilities.py
@@ -4,6 +4,7 @@
 from app.core.config import Settings
 from app.models.database.user import User
 from app.models.schemas.user import UserPublic
+from app.services.user import to_user_public
 
 
 async def get_admin_user_public(
@@ -14,4 +15,18 @@ async def get_admin_user_public(
     )
     admin = result.scalar_one()
 
-    return UserPublic.model_validate(admin, from_attributes=True)
+    return to_user_public(admin)
+
+
+async def create_user(session: AsyncSession, username: str = "user") -> User:
+    user = User(
+        username=username,
+        email=f"{username}@example.com",
+        first_name="Test",
+        last_name="User",
+        password_hash="hash",
+        is_admin=False,
+    )
+    session.add(user)
+    await session.commit()
+    return user
diff --git a/server/app/tests/services/workout/__init__.py b/server/app/tests/services/workout/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/server/app/tests/services/workout/test__get_workouts.py b/server/app/tests/services/workout/test__get_workouts.py
new file mode 100644
index 00000000..0493e3ed
--- /dev/null
+++ b/server/app/tests/services/workout/test__get_workouts.py
@@ -0,0 +1,92 @@
+from datetime import datetime, timedelta
+
+import pytest
+from sqlalchemy.exc import MissingGreenlet
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.database.workout import Workout
+from app.services.workout import _get_workouts  # pyright: ignore[reportPrivateUsage]
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_get_workouts_base(
+    session: AsyncSession,
+):
+    user = await create_user(session)
+    workout = await create_workout(session, user.id)
+
+    result = await _get_workouts(session, True)
+
+    assert len(result) == 1
+    assert workout in result
+    with pytest.raises(MissingGreenlet):
+        _ = result[0].exercises
+
+
+async def test_get_workouts_public(
+    session: AsyncSession,
+):
+    user = await create_user(session)
+    workout = await create_workout(session, user.id)
+
+    result = await _get_workouts(session, False)
+
+    assert len(result) == 1
+    assert workout in result
+    assert result[0].exercises == workout.exercises
+
+
+async def test_get_workouts_no_where_clause(
+    session: AsyncSession,
+):
+    user_1 = await create_user(session, "user_1")
+    user_2 = await create_user(session, "user_2")
+
+    workout_1 = await create_workout(session, user_1.id)
+    workout_2 = await create_workout(session, user_2.id)
+
+    result = await _get_workouts(session, True)
+
+    assert len(result) == 2
+    assert workout_1 in result
+    assert workout_2 in result
+
+
+async def test_get_workouts_with_where_clause(
+    session: AsyncSession,
+):
+    user_1 = await create_user(session, "user_1")
+    user_2 = await create_user(session, "user_2")
+
+    workout_1 = await create_workout(session, user_1.id)
+    workout_2 = await create_workout(session, user_2.id)
+
+    result = await _get_workouts(session, True, Workout.user_id == user_1.id)
+
+    assert len(result) == 1
+    assert workout_1 in result
+    assert workout_2 not in result
+
+
+async def test_get_workouts_ordering(
+    session: AsyncSession,
+):
+    user_1 = await create_user(session, "user_1")
+    user_2 = await create_user(session, "user_2")
+
+    await create_workout(
+        session,
+        user_1.id,
+        started_at=datetime.now(),
+    )
+    await create_workout(
+        session,
+        user_2.id,
+        started_at=datetime.now() + timedelta(minutes=5),
+    )
+
+    result = await _get_workouts(session, True)
+
+    assert result == sorted(result, key=lambda w: w.started_at, reverse=True)
diff --git a/server/app/tests/services/workout/test_create_workout.py b/server/app/tests/services/workout/test_create_workout.py
new file mode 100644
index 00000000..419d98ae
--- /dev/null
+++ b/server/app/tests/services/workout/test_create_workout.py
@@ -0,0 +1,36 @@
+from datetime import UTC, datetime
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.database.workout import Workout
+from app.models.schemas.workout import CreateWorkoutRequest
+from app.services.workout import (
+    _get_workouts,  # pyright: ignore[reportPrivateUsage]
+    create_workout,
+)
+
+from ..utilities import create_user
+
+
+async def test_create_workout(session: AsyncSession):
+    user = await create_user(session)
+    started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    await create_workout(
+        user.id,
+        CreateWorkoutRequest(
+            started_at=started_at,
+            ended_at=ended_at,
+            notes="Test workout",
+        ),
+        session,
+    )
+
+    workouts = await _get_workouts(session, False, Workout.user_id == user.id)
+    workout = workouts[0] if workouts else None
+
+    assert workout is not None
+    assert workout.user_id == user.id
+    assert workout.started_at == started_at
+    assert workout.ended_at == ended_at
+    assert workout.notes == "Test workout"
diff --git a/server/app/tests/services/workout/test_delete_workout.py b/server/app/tests/services/workout/test_delete_workout.py
new file mode 100644
index 00000000..a1b3d6f8
--- /dev/null
+++ b/server/app/tests/services/workout/test_delete_workout.py
@@ -0,0 +1,39 @@
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.database.workout import Workout
+from app.models.errors import WorkoutNotFound
+from app.services.workout import (
+    _get_workouts,  # pyright: ignore[reportPrivateUsage]
+    delete_workout,
+)
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_delete_workout(session: AsyncSession):
+    user = await create_user(session)
+    workout = await create_workout(session, user.id)
+
+    await delete_workout(workout.id, user.id, session)
+
+    workouts = await _get_workouts(session, True, Workout.id == workout.id)
+    assert workouts == []
+
+
+async def test_delete_workout_not_found(session: AsyncSession):
+    user = await create_user(session)
+
+    with pytest.raises(WorkoutNotFound):
+        await delete_workout(99999, user.id, session)
+
+
+async def test_delete_workout_not_allowed(session: AsyncSession):
+    user = await create_user(session)
+    user_2 = await create_user(session, username="user_2")
+
+    workout = await create_workout(session, user.id)
+
+    with pytest.raises(WorkoutNotFound):
+        await delete_workout(workout.id, user_2.id, session)
diff --git a/server/app/tests/services/workout/test_get_owned_workout.py b/server/app/tests/services/workout/test_get_owned_workout.py
new file mode 100644
index 00000000..2cff5de2
--- /dev/null
+++ b/server/app/tests/services/workout/test_get_owned_workout.py
@@ -0,0 +1,40 @@
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.errors import WorkoutNotFound
+from app.services.workout import (
+    _get_owned_workout,  # pyright: ignore[reportPrivateUsage]
+)
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_get_owned_workouts(
+    session: AsyncSession,
+):
+    user = await create_user(session)
+    workout = await create_workout(session, user.id)
+
+    result = await _get_owned_workout(workout.id, user.id, session)
+
+    assert result == workout
+
+
+async def test_get_owned_workout_not_found(
+    session: AsyncSession,
+):
+    with pytest.raises(WorkoutNotFound):
+        await _get_owned_workout(999, 1, session)
+
+
+async def test_get_owned_workout_not_owned(
+    session: AsyncSession,
+):
+    user_1 = await create_user(session, "user_1")
+    user_2 = await create_user(session, "user_2")
+
+    workout = await create_workout(session, user_1.id)
+
+    with pytest.raises(WorkoutNotFound):
+        await _get_owned_workout(workout.id, user_2.id, session)
diff --git a/server/app/tests/services/workout/test_get_workout.py b/server/app/tests/services/workout/test_get_workout.py
new file mode 100644
index 00000000..d1984aca
--- /dev/null
+++ b/server/app/tests/services/workout/test_get_workout.py
@@ -0,0 +1,38 @@
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.errors import WorkoutNotFound
+from app.services.workout import get_workout
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_get_workout(session: AsyncSession):
+    user = await create_user(session)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        notes="Test workout",
+    )
+
+    result = await get_workout(workout.id, user.id, session)
+
+    assert result.id == workout.id
+    assert result.notes == "Test workout"
+
+
+async def test_get_workout_not_found(session: AsyncSession):
+    user = await create_user(session)
+
+    with pytest.raises(WorkoutNotFound):
+        await get_workout(999, user.id, session)
+
+
+async def test_get_workout_other_user(session: AsyncSession):
+    user = await create_user(session)
+    user_2 = await create_user(session, username="user_2")
+    workout = await create_workout(session, user.id)
+
+    with pytest.raises(WorkoutNotFound):
+        await get_workout(workout.id, user_2.id, session)
diff --git a/server/app/tests/services/workout/test_get_workouts.py b/server/app/tests/services/workout/test_get_workouts.py
new file mode 100644
index 00000000..90f37586
--- /dev/null
+++ b/server/app/tests/services/workout/test_get_workouts.py
@@ -0,0 +1,22 @@
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.services.workout import get_workouts
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_get_workouts(
+    session: AsyncSession,
+):
+    user_1 = await create_user(session, username="user_1")
+    user_2 = await create_user(session, username="user_2")
+
+    workout_1 = await create_workout(session, user_1.id)
+    await create_workout(session, user_2.id)
+
+    result = await get_workouts(user_1.id, session)
+
+    assert len(result) == 1
+    assert result[0].id == workout_1.id
+    assert result[0].notes == workout_1.notes
diff --git a/server/app/tests/services/workout/test_to_workout_base.py b/server/app/tests/services/workout/test_to_workout_base.py
new file mode 100644
index 00000000..500277a0
--- /dev/null
+++ b/server/app/tests/services/workout/test_to_workout_base.py
@@ -0,0 +1,32 @@
+from datetime import UTC, datetime
+
+from app.models.database.workout import Workout
+from app.models.schemas.workout import WorkoutBase
+from app.services.workout import to_workout_base
+
+
+def test_to_workout_base() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    started_at = datetime(2026, 1, 3, tzinfo=UTC)
+    ended_at = datetime(2026, 1, 4, tzinfo=UTC)
+    workout = Workout(
+        id=1,
+        user_id=2,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes="Test workout",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_workout_base(workout)
+
+    assert isinstance(result, WorkoutBase)
+    assert result.id == 1
+    assert result.user_id == 2
+    assert result.started_at == started_at
+    assert result.ended_at == ended_at
+    assert result.notes == "Test workout"
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
diff --git a/server/app/tests/services/workout/test_to_workout_public.py b/server/app/tests/services/workout/test_to_workout_public.py
new file mode 100644
index 00000000..69b2ce3c
--- /dev/null
+++ b/server/app/tests/services/workout/test_to_workout_public.py
@@ -0,0 +1,80 @@
+from datetime import UTC, datetime
+
+from app.models.database.exercise import Exercise
+from app.models.database.workout import Workout
+from app.models.database.workout_exercise import WorkoutExercise
+from app.models.schemas.workout import WorkoutPublic
+from app.models.schemas.workout_exercise import WorkoutExercisePublic
+from app.services.workout import to_workout_public
+
+
+def test_to_workout_public_no_exercises() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    started_at = datetime(2026, 1, 3, tzinfo=UTC)
+    ended_at = datetime(2026, 1, 4, tzinfo=UTC)
+    workout = Workout(
+        id=1,
+        user_id=2,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes="Test workout",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_workout_public(workout)
+
+    assert isinstance(result, WorkoutPublic)
+    assert result.id == 1
+    assert result.user_id == 2
+    assert result.started_at == started_at
+    assert result.ended_at == ended_at
+    assert result.notes == "Test workout"
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
+    assert result.exercises == []
+
+
+def test_to_workout_public_with_exercises() -> None:
+    workout = Workout(
+        id=1,
+        user_id=2,
+        started_at=datetime(2026, 1, 3, tzinfo=UTC),
+        ended_at=datetime(2026, 1, 4, tzinfo=UTC),
+        notes="Test workout",
+        created_at=datetime(2026, 1, 1, tzinfo=UTC),
+        updated_at=datetime(2026, 1, 2, tzinfo=UTC),
+    )
+    exercise = Exercise(
+        id=22,
+        user_id=None,
+        name="Bench Press",
+        description="Flat bench",
+        created_at=datetime(2026, 1, 1, tzinfo=UTC),
+        updated_at=datetime(2026, 1, 2, tzinfo=UTC),
+    )
+    created_at = datetime(2026, 1, 5, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 6, tzinfo=UTC)
+    workout.exercises = [
+        WorkoutExercise(
+            id=11,
+            workout_id=1,
+            exercise_id=22,
+            position=1,
+            exercise=exercise,
+            created_at=created_at,
+            updated_at=updated_at,
+        )
+    ]
+
+    result = to_workout_public(workout)
+
+    assert len(result.exercises) == 1
+    assert isinstance(result.exercises[0], WorkoutExercisePublic)
+    assert result.exercises[0].id == 11
+    assert result.exercises[0].workout_id == 1
+    assert result.exercises[0].exercise_id == 22
+    assert result.exercises[0].position == 1
+    assert result.exercises[0].created_at == created_at
+    assert result.exercises[0].updated_at == updated_at
diff --git a/server/app/tests/services/workout/test_update_workout.py b/server/app/tests/services/workout/test_update_workout.py
new file mode 100644
index 00000000..33a525a8
--- /dev/null
+++ b/server/app/tests/services/workout/test_update_workout.py
@@ -0,0 +1,197 @@
+from datetime import UTC, datetime
+
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.errors import WorkoutNotFound
+from app.models.schemas.workout import UpdateWorkoutRequest
+from app.services.workout import get_workout, update_workout
+
+from ..utilities import create_user
+from .utilities import create_workout
+
+
+async def test_update_workout(session: AsyncSession):
+    user = await create_user(session)
+    workout = await create_workout(session, user_id=user.id)
+
+    started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(
+            started_at=started_at,
+            ended_at=ended_at,
+            notes="Updated notes",
+        ),
+        session,
+    )
+
+    assert workout.started_at == started_at
+    assert workout.ended_at == ended_at
+    assert workout.notes == "Updated notes"
+
+
+async def test_update_workout_not_found(session: AsyncSession):
+    user = await create_user(session)
+
+    with pytest.raises(WorkoutNotFound):
+        await update_workout(
+            99999,
+            user.id,
+            UpdateWorkoutRequest(),
+            session,
+        )
+
+
+async def test_update_workout_not_allowed(session: AsyncSession):
+    user = await create_user(session)
+    user_2 = await create_user(session, username="user_2")
+    workout = await create_workout(session, user_id=user.id)
+
+    with pytest.raises(WorkoutNotFound):
+        await update_workout(
+            workout.id,
+            user_2.id,
+            UpdateWorkoutRequest(),
+            session,
+        )
+
+
+async def test_update_workout_no_changes(session: AsyncSession):
+    user = await create_user(session)
+    started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes="Test workout",
+    )
+
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(),
+        session,
+    )
+
+    workout = await get_workout(workout.id, user.id, session)
+
+    assert workout.started_at == started_at
+    assert workout.ended_at == ended_at
+    assert workout.notes == "Test workout"
+
+
+async def test_update_workout_no_started_at(session: AsyncSession):
+    user = await create_user(session)
+    started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        started_at=started_at,
+        notes="Test workout",
+    )
+
+    new_ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(
+            ended_at=new_ended_at,
+            notes="Test workout updated",
+        ),
+        session,
+    )
+
+    workout = await get_workout(workout.id, user.id, session)
+
+    assert workout.started_at == started_at
+    assert workout.ended_at == new_ended_at
+    assert workout.notes == "Test workout updated"
+
+
+async def test_update_workout_no_ended_at(session: AsyncSession):
+    user = await create_user(session)
+    ended_at = datetime(2024, 1, 1, tzinfo=UTC)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        ended_at=ended_at,
+        notes="Test workout",
+    )
+
+    new_started_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(
+            started_at=new_started_at,
+            notes="Test workout updated",
+        ),
+        session,
+    )
+
+    workout = await get_workout(workout.id, user.id, session)
+
+    assert workout.started_at == new_started_at
+    assert workout.ended_at == ended_at
+    assert workout.notes == "Test workout updated"
+
+
+async def test_update_workout_no_notes(session: AsyncSession):
+    user = await create_user(session)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        notes="Test workout",
+    )
+
+    new_started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    new_ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(
+            started_at=new_started_at,
+            ended_at=new_ended_at,
+        ),
+        session,
+    )
+
+    workout = await get_workout(workout.id, user.id, session)
+
+    assert workout.started_at == new_started_at
+    assert workout.ended_at == new_ended_at
+    assert workout.notes == "Test workout"
+
+
+async def test_update_workout_null_values(session: AsyncSession):
+    user = await create_user(session)
+    started_at = datetime(2024, 1, 1, tzinfo=UTC)
+    ended_at = datetime(2024, 1, 1, 1, tzinfo=UTC)
+    workout = await create_workout(
+        session,
+        user_id=user.id,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes="Test workout",
+    )
+
+    await update_workout(
+        workout.id,
+        user.id,
+        UpdateWorkoutRequest(
+            ended_at=None,
+            notes=None,
+        ),
+        session,
+    )
+
+    workout = await get_workout(workout.id, user.id, session)
+
+    assert workout.started_at == started_at
+    assert workout.ended_at is None
+    assert workout.notes is None
diff --git a/server/app/tests/services/workout/utilities.py b/server/app/tests/services/workout/utilities.py
new file mode 100644
index 00000000..e3d6395e
--- /dev/null
+++ b/server/app/tests/services/workout/utilities.py
@@ -0,0 +1,24 @@
+from datetime import UTC, datetime
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.database.workout import Workout
+
+
+async def create_workout(
+    session: AsyncSession,
+    user_id: int,
+    started_at: datetime | None = None,
+    ended_at: datetime | None = None,
+    notes: str | None = None,
+) -> Workout:
+    workout = Workout(
+        user_id=user_id,
+        started_at=started_at or datetime.now(UTC),
+        ended_at=ended_at,
+        notes=notes,
+    )
+    session.add(workout)
+    await session.commit()
+    await session.refresh(workout)
+    return workout
diff --git a/server/app/tests/services/workout_exercise/test_to_workout_exercise_public.py b/server/app/tests/services/workout_exercise/test_to_workout_exercise_public.py
new file mode 100644
index 00000000..d7d6307d
--- /dev/null
+++ b/server/app/tests/services/workout_exercise/test_to_workout_exercise_public.py
@@ -0,0 +1,124 @@
+from datetime import UTC, datetime
+
+from app.models.database.exercise import Exercise
+from app.models.database.set import Set
+from app.models.database.workout_exercise import WorkoutExercise
+from app.models.schemas.exercise import ExerciseBase
+from app.models.schemas.set import SetPublic
+from app.models.schemas.workout_exercise import WorkoutExercisePublic
+from app.services.workout_exercise import to_workout_exercise_public
+
+
+def test_to_workout_exercise_public_no_sets() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    workout_exercise = WorkoutExercise(
+        id=1,
+        workout_id=2,
+        exercise_id=3,
+        position=4,
+        notes="Test notes",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+    workout_exercise.exercise = Exercise(
+        id=3,
+        user_id=None,
+        name="Squat",
+        description="Barbell squat",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+
+    result = to_workout_exercise_public(workout_exercise)
+
+    assert isinstance(result, WorkoutExercisePublic)
+    assert result.id == 1
+    assert result.workout_id == 2
+    assert result.exercise_id == 3
+    assert result.position == 4
+    assert result.notes == "Test notes"
+    assert result.created_at == created_at
+    assert result.updated_at == updated_at
+
+    exercise = result.exercise
+    assert isinstance(exercise, ExerciseBase)
+    assert exercise.id == 3
+    assert exercise.user_id is None
+    assert exercise.name == "Squat"
+    assert exercise.description == "Barbell squat"
+    assert exercise.created_at == created_at
+    assert exercise.updated_at == updated_at
+
+
+def test_to_workout_exercise_public_with_sets() -> None:
+    created_at = datetime(2026, 1, 1, tzinfo=UTC)
+    updated_at = datetime(2026, 1, 2, tzinfo=UTC)
+    workout_exercise = WorkoutExercise(
+        id=1,
+        workout_id=2,
+        exercise_id=3,
+        position=4,
+        notes="Test notes",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+    workout_exercise.exercise = Exercise(
+        id=3,
+        user_id=None,
+        name="Squat",
+        description="Barbell squat",
+        created_at=created_at,
+        updated_at=updated_at,
+    )
+    workout_exercise.sets = [
+        Set(
+            id=5,
+            workout_exercise_id=1,
+            set_number=1,
+            reps=10,
+            weight=100.0,
+            unit="kg",
+            notes="Set 1 notes",
+            created_at=created_at,
+            updated_at=updated_at,
+        ),
+        Set(
+            id=6,
+            workout_exercise_id=1,
+            set_number=2,
+            reps=12,
+            weight=80.0,
+            unit="kg",
+            notes="Set 2 notes",
+            created_at=created_at,
+            updated_at=updated_at,
+        ),
+    ]
+
+    result = to_workout_exercise_public(workout_exercise)
+
+    sets = result.sets
+    assert len(sets) == 2
+
+    assert isinstance(sets[0], SetPublic)
+    assert sets[0].id == 5
+    assert sets[0].workout_exercise_id == 1
+    assert sets[0].set_number == 1
+    assert sets[0].reps == 10
+    assert sets[0].weight == 100.0
+    assert sets[0].unit == "kg"
+    assert sets[0].notes == "Set 1 notes"
+    assert sets[0].created_at == created_at
+    assert sets[0].updated_at == updated_at
+
+    assert isinstance(sets[1], SetPublic)
+    assert sets[1].id == 6
+    assert sets[1].workout_exercise_id == 1
+    assert sets[1].set_number == 2
+    assert sets[1].reps == 12
+    assert sets[1].weight == 80.0
+    assert sets[1].unit == "kg"
+    assert sets[1].notes == "Set 2 notes"
+    assert sets[1].created_at == created_at
+    assert sets[1].updated_at == updated_at