Answers to commonly asked questions about Whop's API

Can I encrypt my API calls?

Yes. Calling any endpoints using the scheme https means your API traffic will be encrypted in transit. https uses TLS (previously SSL) protocol to encrypt traffic. All of Whop's SDKs by default make encrypted API calls by calling endpoints at https. If you are making your own requests through cURL or a library like requests, as long as you are are calling endpoints at https://api.whop.io/api/... your calls will be encrypted.

What is the difference between the bearer token and the client ID?

See below for when you should use your bearer token vs. your client ID.
When making calls from your backend and authenticating with bearer token, you should pass a header to your request like:

curl https://api.whop.com/api/v1/licenses/ABC-123  
    -H "Authorization: Bearer {Bearer Token}"
import requests
endpoint = "https://api.whop.com/api/v1/licenses/ABC-123"
headers = {"Authorization": "Bearer <Bearer Token>"}

print(requests.get(endpoint, headers=headers).json())
$.ajax({
   url: 'https://api.whop.com/api/v1/licenses/ABC-123',
   type: 'GET',
   contentType: 'application/json'
   headers: {
      'Authorization': 'Bearer <Bearer token>'
   },
   success: function (result) {
       // If successful, what to do with the response payload.
       console.log(result);
   },
   error: function (error) {
       // If error, what to do with the error payload.
       console.log(error);
   }
});

When making calls from the frontend and authenticating with your client ID, you should pass a header to your request like:

curl https://api.whop.com/api/v1/licenses/ABC-123  
    -H "Authorization: {clientID}"
$.ajax({
   url: 'https://api.whop.com/api/v1/licenses/ABC-123',
   type: 'GET',
   contentType: 'application/json'
   headers: {
      'Authorization': '<clientID>'
   },
   success: function (result) {
       // If successful, what to do with the response payload.
       console.log(result);
   },
   error: function (error) {
       // If error, what to do with the error payload.
       console.log(error);
   }
});

If you are using any of Whop's SDKs, both bearer and client ID auth are supported natively. See the docs for the Javascript SDK.

Which endpoints should I use the bearer token for and which endpoints should I use the client ID for?

The bearer token should be used when calling endpoints from your backend (server side). The bearer token can be used to hit any of Whop's endpoints. The client ID should be used when making requests from the frontend (client side).

When using the client ID to authenticate requests, you will only be to hit the following endpoints:

  • Get License
  • Update License
  • Validate License
  • Reset License

Frontend code can be inspected by attackers, which means your client ID is publicly visible. The scoped access of client ID ensures you can still use Whop for critical operations on your frontend without leaking the sensitive bearer token that will give an attacker full access to your Whop account.

See here for an example on how to use client ID and the Javascript SDK to do license verification for your desktop application.

How to reset your API keys

Finding the API Key Management Tools

  1. Sign in to your dashboard at https://business.whop.com/dashboard
  2. Click on Settings button in the left hand column
  3. Select the Developer tab located along the top of the page
  4. Your page should now look like this:
10291029

Resetting your API keys

  1. To reset your keys, select the Manage Keys button in your developer settings window
  2. You will then need to enter your Whop account password in the Lost your key? field
  3. Lastly, select Reset API key to receive your new key
451451

Be mindful of the yellow warning: We do NOT store your API secret!

Forgot your Whop password? Reset it in 4 easy steps

  1. Go to the Whop login menu here: https://whop.com/account?login=true
  2. Select Forgot Password
  3. Enter the email associated with your account (If you only ever logged in with Discord, this would be the email linked to your Discord account)
  4. You should receive an email with a link to reset your password