OAuth endpoints live at
https://api.whop.com/oauth/.Step 1: Create your OAuth app
- API
- Dashboard
Use the Create App endpoint to create an OAuth app programmatically:Update redirect URIs later with the Update App endpoint.
Step 2: Send users to authorize
In your web or mobile client, use PKCE to securely redirect users to Whop’s OAuth flow.startWhopOAuth to redirect the user:
If you provide
companyId, tokens are company-scoped for a specific user,
meaning you will only have access to resources that that particular user can
control on the specified Whop company.Step 3: Handle the callback and exchange the code
Whop redirects back to yourredirect_uri with code and state. Use this function to verify the state, exchange the code for tokens, and retrieve credentials:
Step 4: Use the tokens
Initialize the Whop SDK with the user’s access token:Step 5: Refresh tokens
Access tokens expire after 1 hour. Use the refresh token to get new credentials:Refresh tokens rotate on each use. Always store the new tokens returned from
the refresh endpoint. If you provided
company_id during authorization, you
must provide the same company_id when refreshing.Step 6: Userinfo and revoke
Get user info
Fetch the authenticated user’s profile using the userinfo endpoint:The fields returned depend on the scopes granted.
openid is required,
profile adds name/username/picture, email adds email fields.Revoke tokens on logout
When a user logs out, revoke their refresh token. Access tokens expire after 1 hour and cannot be server-revoked.Error handling
OAuth errors follow the standard format:invalid_request: missing or invalid parameter.invalid_grant: code or token expired or revoked.invalid_client: unknownclient_id.insufficient_scope: token doesn’t have the required scope.rate_limit_exceeded: too many requests (check theRetry-Afterheader).
Next steps
API reference
Every endpoint a granted access token can call.
Accept payments
Pair sign-in with checkout for end-to-end purchase flows.
Listen to webhooks
React to payment, membership, and entry events server-side.
Request permissions
Configure the OAuth scopes your app actually needs.

