- First-party (consumer): a signed-up user connects their own WHOOP with one
click. ForeverBetter’s WHOOP app is configured on the server, so the user never
sees a
client_id/secret. This is the flow below. - Bring-your-own (integrator): your app owns a WHOOP app and passes its credentials on each call. See Wearable onboarding.
First-party connect is available when the
wearables.whoop entry in
GET /capabilities reports first_party_oauth: true. When it does not, use
bring-your-own mode and pass your WHOOP app’s client_id/secret on start,
callback, and refresh.1. Start the connection (no credentials)
Once the user is signed in and has a key, start a WHOOP connection with just the provider. The server fills in its own WHOOP app:2. Send the user to WHOOP
Redirect the user toauthorization_url. They log into WHOOP and approve access.
WHOOP redirects back to the configured redirect URI with ?code=....
3. Complete the connection (just the code)
Hand the authorizationcode back. Again, no client_id/secret needed:
4. Sync and analyze
POST /connections/whoop/refresh (first-party mode
needs only the refresh_token).