Skip to main content
Use OAuth 2.1 + PKCE with OpenID Connect (OIDC) to let users sign in with Whop on your website or app. The returned access tokens let you access data and act on behalf of those users.
OAuth endpoints live at https://api.whop.com/oauth/.

Step 1: Create your OAuth app

Use the Create App endpoint to create an OAuth app programmatically:
Update redirect URIs later with the Update App endpoint.

Step 2: Send users to authorize

In your web or mobile client, use PKCE to securely redirect users to Whop’s OAuth flow.
Call startWhopOAuth to redirect the user:
If the user is not logged in, Whop will prompt for login, then show the consent screen. If the user has already approved your application for the requested scopes, they will be automatically redirected back without needing to confirm twice.
If you provide companyId, tokens are company-scoped for a specific user, meaning you will only have access to resources that that particular user can control on the specified Whop company.

Step 3: Handle the callback and exchange the code

Whop redirects back to your redirect_uri with code and state. Use this function to verify the state, exchange the code for tokens, and retrieve credentials:
On your callback page:

Step 4: Use the tokens

Initialize the Whop SDK with the user’s access token:
View our API Reference to see all available endpoints.

Step 5: Refresh tokens

Access tokens expire after 1 hour. Use the refresh token to get new credentials:
Usage:
Refresh tokens rotate on each use. Always store the new tokens returned from the refresh endpoint. If you provided company_id during authorization, you must provide the same company_id when refreshing.

Step 6: Userinfo and revoke

Get user info

Fetch the authenticated user’s profile using the userinfo endpoint:
The fields returned depend on the scopes granted. openid is required, profile adds name/username/picture, email adds email fields.

Revoke tokens on logout

When a user logs out, revoke their refresh token. Access tokens expire after 1 hour and cannot be server-revoked.
Always revoke tokens when users log out. This invalidates the refresh token immediately, preventing unauthorized access even if the token was compromised.

Error handling

OAuth errors follow the standard format:
Common error codes:
  • invalid_request: missing or invalid parameter.
  • invalid_grant: code or token expired or revoked.
  • invalid_client: unknown client_id.
  • insufficient_scope: token doesn’t have the required scope.
  • rate_limit_exceeded: too many requests (check the Retry-After header).

Next steps

API reference

Every endpoint a granted access token can call.

Accept payments

Pair sign-in with checkout for end-to-end purchase flows.

Listen to webhooks

React to payment, membership, and entry events server-side.

Request permissions

Configure the OAuth scopes your app actually needs.