Refreshing Access Tokens

Postman is an application you can use to make, save, and share API requests. We're going to use it to demonstrate using a refresh token to receive a new access token from WHOOP.

Prerequisites

  • Refresh Token: A refresh token is issued along with an access token when you complete the initial OAuth 2.0 flow, provided the auth request includes the offline scope.
  • Client Id: A unique identifier for your client.
  • Client Secret: A secret value that accompanies your client identifier.
  • Refresh Token Endpoint: https://api.prod.whoop.com/oauth/oauth2/token

Making the Request

We're going to issue a POST request to the refresh token endpoint to receive a new access token.

Fill in the fields as follows:

  • HTTP Request Type/Verb: POST
  • URL: https://api.prod.whoop.com/oauth/oauth2/token

In the Body section, select the "x-www-form-urlencoded" radio button. Fill in the following keys and values:

  • grant_type: refresh_token. This grant type explicitly tells the OAuth provider that you're using a refresh token to request a new access token.
  • refresh_token: The value of the refresh token received along with an access token.
  • client_id: A unique identifier for your client.
  • client_secret: A secret value that accompanies your client identifier.
  • scope: offline. The offline scope allows you to get a new refresh token and an access token.

[Image: Postman Refresh Token Body]

In this image, Postman variables take the place of the refresh token, client id, and client secret. Postman should prepopulate those variables with the configured values. Alternatively, place the values directly in the value of the POST data rather than using variables at all.

Click "Send" to make your request.

Receiving the Response

Under the Request Body section, a Response Body should be visible as a JSON payload. It will have the following form:

{
  "access_token": "the-value-of-the-new-access-token",
  "expires_in": 3600,
  "refresh_token": "the-value-of-the-new-refresh-token",
  "scope": "offline other-scopes-requested",
  "token_type": "bearer"
}

Congratulations

You can use the new access token to make additional API requests for this user's data. You can also use the new refresh token to complete this flow once the access token expires.
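
The same refresh as a script, as an added example that is not WHOOP's own code: it builds the form-encoded POST from the steps above, validates the response fields shown, and stores the new token pair in an owner-only file so the new refresh token is available for the next refresh. The environment variable names WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET, the function names, and the token file layout are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.prod.whoop.com/oauth/oauth2/token"  # endpoint from this page

def build_refresh_request(refresh_token, client_id, client_secret):
    """Build the form-encoded POST described under 'Making the Request'."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "offline",
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Validate the JSON payload and convert expires_in to an absolute expiry."""
    payload = json.loads(raw)
    missing = [k for k in ("access_token", "refresh_token", "expires_in", "token_type")
               if k not in payload]
    if missing:
        raise ValueError(f"token response missing fields: {missing}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type")
    issued = time.time() if now is None else now
    return {"access_token": payload["access_token"],
            "refresh_token": payload["refresh_token"],
            "expires_at": issued + int(payload["expires_in"]),
            "scope": payload.get("scope", "").split()}

def save_tokens(tokens, path):
    """Write the token pair owner-only (0600), replacing the old file atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.replace(tmp, path)

def refresh_and_store(refresh_token, path):
    """Run the refresh; credentials come from env vars (names are assumptions)."""
    req = build_refresh_request(refresh_token, os.environ["WHOOP_CLIENT_ID"],
                                os.environ["WHOOP_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        tokens = parse_token_response(resp.read())
    save_tokens(tokens, path)
    return tokens
```

Reading the client secret from the environment keeps it out of the script and out of saved request collections; the stored expires_at lets a caller refresh shortly before the access token lapses.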