
🔒 OAuth Implementation

Below are instructions on how to add Whop OAuth to your website.

First, set your Redirect URL on your Whop Dashboard.

Make the request

Next, build the OAuth URL that you will link your users to so they can log in.

Below are the query parameters you can pass:

client_id (Required): The unique identifier provided to your application, found in your application settings.
redirect_uri (Required): The URL for the authorize response redirect. If provided, this must exactly match one of the comma-separated redirect_uri values in your application settings. To protect yourself from certain forms of man-in-the-middle attacks, the live mode redirect_uri must use a secure HTTPS connection. Defaults to the redirect_uri in your application settings if not provided.
scope (Optional): This is only needed if you are building a custom experience. It will represent the company ID you want to authenticate on behalf of (ex: biz_xxxxxx).
state (Optional): An arbitrary string value we'll pass back to you, useful for CSRF protection.

Handle the response

The user's browser is redirected back to your configured redirect URI or the value you passed in the redirect_uri parameter. When successful, you receive the following query parameters:

code: An authorization code you can use in the next call to get an access token for your user. This can only be used once and expires in 5 minutes.
scope: The same scope that was passed with the original request.
state: The value of the state parameter you provided on the initial GET request.
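
An added example (not Whop's code) of using the state parameter for CSRF protection across the request and response steps above: a fresh state is bound to the user's session when the login URL is built, then checked once on the redirect before the code is accepted. AUTHORIZE_ENDPOINT is a placeholder because the authorize URL is not given on this page; the session dict, the function names and the 300-second state lifetime are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: the authorize endpoint URL is not given on this page.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth"
STATE_TTL_SECONDS = 300  # assumption: mirrors the 5-minute lifetime of the code


def build_login_url(session, client_id, redirect_uri, now=None):
    """Create a fresh state, bind it to the session, return the OAuth URL."""
    now = time.time() if now is None else now
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use HTTPS")
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    session["oauth_state"] = (state, now + STATE_TTL_SECONDS)
    query = urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    )
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session, callback_url, now=None):
    """Validate the state on the redirect and return the authorization code."""
    now = time.time() if now is None else now
    params = parse_qs(urlparse(callback_url).query)
    # pop(): a stored state is consumed on first use, valid or not,
    # so a replayed callback finds nothing to match against.
    expected, expires_at = session.pop("oauth_state", (None, 0))
    received = params.get("state", [""])[0]
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if expected is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise PermissionError("state mismatch: discard the code")
    if now > expires_at:
        raise PermissionError("state expired: restart the login")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

The returned code should be exchanged immediately and only once, since the page states it is single-use and expires in 5 minutes.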

Complete the connection and get the user token


This endpoint is used both for turning an authorization_code into an account connection and for getting a new access token using a refresh_token.


Make this call using your secret API key as a client_secret POST parameter:

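# "$WHOP_TOKEN_URL" is a placeholder: set it to the token endpoint URL, which is not shown on this page.
curl "$WHOP_TOKEN_URL" \
  -d "grant_type=authorization_code" \
  -d "code=CODE FROM ABOVE" \
  -d "client_id=YOUR CLIENT ID" \
  -d "client_secret=YOUR CLIENT SECRET" \
  --data-urlencode "redirect_uri=YOUR REDIRECT URL"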


Per OAuth v2, this endpoint isn't idempotent. Consuming an authorization code more than once revokes the account connection.

The request takes the following POST parameters:

grant_type: authorization_code when turning an authorization code into an access token, or refresh_token when using a refresh token to get a new access token.
code or refresh_token: The value of the code or refresh_token, depending on the grant_type.
scope (Optional): The same scope that was passed with the original request. If using a refresh token, this scope must have been requested in the original request.
client_id: Your client ID.
client_secret: Your client secret.


The response contains the following fields:

access_token: The access token used to make requests on behalf of the user.
scope: The scope granted to the access token, depending on the scope of the authorization code and scope parameter.
token_type: Always has a value of bearer.
refresh_token: Can be used to obtain a new access token when this one expires.
expires_in: Seconds until this token expires.