Skip to main content
Apps use permissions to access company data and act on behalf of users. Every API call requires the matching permission. You declare the ones you need in your app’s settings, creators approve them at install, and your SDK calls succeed only when those permissions are granted.
Find the required permissions for any endpoint in the API reference. Each operation page lists them under “Required permissions.”

Required vs optional permissions

You can mark each permission as required or optional. The choice changes the install experience for creators.
TypeCreator can disable at install?Use when
RequiredNoThe app cannot function without this scope
OptionalYesThe scope powers a side feature, not the core flow (e.g. analytics opt-in)
Optional permissions are good for opt-in functionality. If a creator declines an optional permission, your app should still work, just without that feature.

Set up permissions

The permissions flow is required even for testing on your own company. Same flow on install or self-test, so you catch missing scopes early.
1

Open your app's permissions tab

  1. Go to the Developer dashboard.
  2. Select or create an app.
  3. Click the Permissions tab.
Permissions Settings
2

Add the permissions you need

Click Add permissions, select what your app needs, and confirm.Cross-reference the API endpoints you plan to call and add every permission they require.
3

Configure each permission

For each one:
  1. Write a short justification explaining why the app needs it. Creators see this at install.
  2. Mark it required or optional.
Permissions Justification
4

Save

Save Permissions Settings
5

Install on a test company

Visit your direct install link: https://whop.com/apps/app_xxxxxxxxx/install.Pick a company, review the permission prompt, and approve.
Permissions Prompt

Update permissions later

Permissions can change as the app evolves. When you add a new one:
  • Existing installs see a Re-approve button next to your app.
  • API calls that need the new permission fail until each creator re-approves.
When you add a permission, re-approve on your own test company too. New scopes don’t carry over until you accept them in Authorized apps.
Creators can manage granted permissions any time at Dashboard → Settings → Authorized apps.

FAQ

Up to 100 per app.
Each endpoint in the API reference lists its required permissions inline.
SDK Reference Permissions
Yes. You can request additional permissions and the creator will be asked to re-approve them.
Keep in mind that until the permissions are re-approved, API requests requiring the newly requested permissions will fail. Make sure to handle these errors gracefully in your code.
When developing your app, make sure you re-approve the permissions yourself in your Authorized apps settings.See Configure your permissions for more information.

Next steps

Authentication

Verify the user behind a request and check their access level.

Listen to webhooks

Receive payment, membership, and entry events. Webhooks need their own webhook_receive:* scopes.

Build app views

Set up dashboard views, experiences, and discover listings.

Run a local dev proxy

Match the production iframe + cookie setup on localhost.