Below are instructions on how to add Whop OAuth to your website!
First, set your Redirect URL on your Whop Dashboard.
Make the request
Next, build the OAuth URL that you will link your users to so they can log in.
Below are the query parameters you can pass:
PARAMETER | DESCRIPTION | Required or optional? |
---|---|---|
client_id | The unique identifier provided to your application, found in your application settings. | Required |
redirect_uri | The URL for the authorize response redirect. If provided, this must exactly match one of the comma-separated redirect_uri values in your application settings. To protect yourself from certain forms of man-in-the-middle attacks, the live mode redirect_uri must use a secure HTTPS connection. Defaults to the redirect_uri in your application settings if not provided. | Required |
scope | This is only needed if you are building a custom experience. It represents the company ID you want to authenticate on behalf of (e.g. biz_xxxxxx). | Optional |
state | An arbitrary string value we’ll pass back to you, useful for CSRF protection. | Optional |
Handle the response
The user’s browser is redirected back to your configured redirect URI or the value you passed in the redirect_uri parameter. When successful, you receive the following query parameters:
PARAMETER | DESCRIPTION |
---|---|
code | An authorization code you can use in the next call to get an access token for your user. This can only be used once and expires in 5 minutes. |
scope | The same scope that was passed with the original request |
state | The value of the state parameter you provided on the initial GET request. |
Complete the connection and get the user token
POST https://data.whop.com/api/v3/oauth/token
Used both for turning an authorization_code into an account connection, and for getting a new access token using a refresh_token.
Request
Make this call using your secret API key as a client_secret POST parameter:
curl https://data.whop.com/api/v3/oauth/token \
-d "grant_type=authorization_code" \
-d "code=CODE FROM ABOVE" \
-d "client_id=YOUR CLIENT ID" \
-d "client_secret=YOUR CLIENT SECRET" \
-d "redirect_uri=YOUR REDIRECT URL"
Per OAuth v2, this endpoint isn’t idempotent. Consuming an authorization code more than once revokes the account connection.
PARAMETER | DESCRIPTION |
---|---|
grant_type | authorization_code when turning an authorization code into an access token, or refresh_token when using a refresh token to get a new access token. |
code or refresh_token | The value of the code or refresh_token, depending on the grant_type. |
scope (optional) | The same scope that was passed with the original request. If using a refresh token, this scope must have been requested in the original request. |
client_id | Your client ID |
client_secret | Your client secret |
Response
Parameter | Description |
---|---|
access_token | The access token used to make requests on behalf of the user. |
scope | The scope granted to the access token, depending on the scope of the authorization code and scope parameter. |
token_type | Always has a value of bearer. |
refresh_token | Can be used to obtain a new access token when this one expires |
expires_in | Seconds until this token expires |
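
The flow above, as an added Python example (not Whop's own code): it issues a random state per login, rejects callbacks whose state is missing, forged or replayed, and builds the token request without sending it. AUTHORIZE_URL is a placeholder because this page does not give the authorization endpoint, and session is a hypothetical dict standing in for your server-side session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

AUTHORIZE_URL = "https://AUTHORIZE-ENDPOINT.invalid/oauth"  # placeholder, not on the page
TOKEN_URL = "https://data.whop.com/api/v3/oauth/token"      # from the page


def build_login_url(client_id, redirect_uri, session):
    """Issue a fresh random state, store it server-side, return the login URL."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("live mode redirect_uri must use HTTPS")
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "state": session["oauth_state"]})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code only if state matches the one we issued."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: replays fail
    received = params.get("state", [""])[0]
    # Compare as bytes in constant time; a missing or forged state is rejected.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Build (without sending) the server-side POST that redeems the code once."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST")
```

Send the built request only from your server and only once per code, since the client_secret must never reach the browser and a second redemption revokes the connection.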