An overview of authentication methods for the Whop API
Access to the Whop API can be granted through two methods: API Keys and OAuth Credentials. All requests must include an Authorization header with the format Bearer {TOKEN}, where TOKEN is either the API key or the OAuth access token.
An API key is a unique identifier that allows developers to access Whop’s API on behalf of a company to validate licenses, retrieve user information, and more. It is needed for most endpoints.
Protect your API keys to prevent unauthorized access. API keys can be a security risk if they fall into the wrong hands.
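The `Bearer {TOKEN}` header and key-handling advice above, sketched as server-side Python. This is an added example, not Whop's own code: the base URL is a placeholder, and the `WHOP_API_KEY` variable name, the resource path and the sample key are assumptions made for illustration.

```python
import os
import urllib.request

# Placeholder base URL (assumption); substitute the base URL from the official API docs.
API_BASE = "https://api.example.invalid"


class MissingCredential(RuntimeError):
    """Raised when no usable token is available, so requests fail closed."""


def load_token(env_var="WHOP_API_KEY", environ=None):
    """Read the API key or OAuth access token from the environment (variable name assumed)."""
    environ = os.environ if environ is None else environ
    token = environ.get(env_var, "").strip()
    if not token:
        raise MissingCredential(f"{env_var} is not set")
    # Reject whitespace and control characters so a bad value cannot split the header.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        raise MissingCredential(f"{env_var} contains invalid characters")
    return token


def redact(token):
    """Return a log-safe form of a token: at most its last four characters."""
    return "*" * 8 + token[-4:] if len(token) > 8 else "*" * 8


def build_request(path, token, method="GET"):
    """Build (but do not send) a request carrying 'Authorization: Bearer {TOKEN}'."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    req = urllib.request.Request(API_BASE + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample value, not a real key.
    env = {"WHOP_API_KEY": "sample_key_0000000000abcd"}
    tok = load_token(environ=env)
    req = build_request("/hypothetical/resource", tok)
    print(req.get_method(), req.full_url, "token:", redact(tok))
```

The same `build_request` works for an OAuth access token, since both credential types use the same header format.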
Scoped API keys provide access only to specific resources or endpoints within Whop’s API, rather than to the entire API. This approach limits the actions that client-side code can perform and reduces potential security vulnerabilities. Scoped API keys are the best way for your company to use client-side keys.
1. Create a new API key under the Developers setting panel.
2. Click the triple dots and click Edit permissions.
3. Add the permissions you want this key to have access to. If you are storing keys client-side, we recommend keeping your permissions as minimal as possible.
4. Save!
When altering memberships, always perform operations server-side. Client-side requests should only be used for validation.
Head to the developer settings page to obtain your Client ID and Client Secret. These keys will be used with the OAuth endpoints to obtain an access token.
Once you close the modal, you cannot view your Client Secret again. Store it securely. If needed, you can generate a new one, but the previous one will be invalidated.