Refreshing Access Tokens

This example will use the Fetch API to make an HTTP request to WHOOP's server.

Prerequisites

  • Refresh Token: A refresh token is issued along with an access token during the initial OAuth 2.0 flow, provided the auth request includes the offline scope.
  • Client Id: A unique identifier for your client.
  • Client Secret: A secret value that accompanies your client identifier.
  • Refresh Token Endpoint: https://api.prod.whoop.com/oauth/oauth2/token

Making the Request

We first need to assemble the parameters to provide to WHOOP's server in order to retrieve new access and refresh tokens.

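// refresh_token below is the refresh token your app stored for this user.
// The client credentials are read from the environment, not hard-coded.
const refreshParams = {
  grant_type: 'refresh_token',
  client_id: process.env.CLIENT_ID,
  client_secret: process.env.CLIENT_SECRET,
  scope: 'offline',
  refresh_token: refresh_token,
}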

These fields represent:

  • grant_type: refresh_token. This grant type tells the OAuth provider that you are presenting a refresh token to obtain new tokens.
  • client_id: A unique identifier for your client.
  • client_secret: A secret value that accompanies your client identifier.
  • scope: The offline scope allows your app to receive a refresh token along with the new access token.
  • refresh_token: The value of the refresh token received along with an access token.

Now that we have the parameters to send to the API endpoint, we can construct the entire API call:

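const getFreshTokens = async (refreshParams) => {
  // Send the parameters form-encoded in the POST body.
  const body = new URLSearchParams(refreshParams)
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
  }

  const refreshTokenResponse = await fetch(
    `https://api.prod.whoop.com/oauth/oauth2/token`,
    {
      body,
      headers,
      method: 'POST',
    },
  )

  // Do not treat an error body as a set of tokens.
  if (!refreshTokenResponse.ok) {
    throw new Error(`Token refresh failed: HTTP ${refreshTokenResponse.status}`)
  }

  return refreshTokenResponse.json()
}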

Response Type

The response object received from making the API request will look as follows:

interface AuthResult {
  access_token: string
  refresh_token: string
  expires_in: number
  scope: string
  token_type: 'bearer'
}

Congratulations

Your app can now use the new access token for subsequent API requests for this user's data. Your app can also use the refresh token to complete this flow once the access token expires.
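
The flow on this page, wrapped as an added example (not WHOOP's code): a token manager that refreshes shortly before expiry, rejects failed or malformed responses, stores the newly returned refresh token, and shares one in-flight refresh among concurrent callers. `createTokenManager`, `store` (with `load`/`save`), `fetchImpl`, `now` and `skewMs` are hypothetical names, and `expires_in` is assumed to be in seconds, as in OAuth 2.0.

```javascript
// Added example, not WHOOP's code. `store`, `fetchImpl` and `now` are hypothetical
// injection points; `store` must offer load() and save(tokens).
const TOKEN_URL = 'https://api.prod.whoop.com/oauth/oauth2/token'

const createTokenManager = ({ clientId, clientSecret, store, fetchImpl = fetch, now = Date.now }) => {
  let inFlight = null // one shared promise, so concurrent callers cause one refresh

  const refresh = async () => {
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      client_id: clientId,
      client_secret: clientSecret,
      scope: 'offline',
      refresh_token: store.load().refresh_token,
    })
    const res = await fetchImpl(TOKEN_URL, {
      body,
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      method: 'POST',
    })
    // Report only the status: request and response bodies both carry secrets.
    if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`)
    const t = await res.json()
    const wellFormed = typeof t.access_token === 'string' &&
      typeof t.refresh_token === 'string' && Number.isFinite(t.expires_in)
    if (!wellFormed) throw new Error('token refresh failed: malformed response')
    const tokens = {
      access_token: t.access_token,
      refresh_token: t.refresh_token, // replaces the one just spent
      expires_at: now() + t.expires_in * 1000, // assumption: expires_in is in seconds
    }
    store.save(tokens) // persist before handing out, so the new refresh token is not lost
    return tokens
  }

  // Returns a valid access token, refreshing when it is within skewMs of expiry.
  const getAccessToken = async (skewMs = 60000) => {
    const current = store.load()
    if (current.access_token && current.expires_at - skewMs > now()) return current.access_token
    if (!inFlight) inFlight = refresh().finally(() => { inFlight = null })
    return (await inFlight).access_token
  }

  return { getAccessToken }
}
```

Back `store` with encrypted, per-user storage in a real deployment; an in-memory object is only suitable for trying the example out.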