Create an account in Whatnot's staging environment . Then, please email us at [email protected] with your username. We will generate and provide your access token through a secure link with a short expiration window.

Please include your API token in every request you make using the Bearer token format, using the following header format:

Note: in staging, your key will include the prefix wn_access_tk_test_ ; in production, the prefix will be wn_access_tk_ .

If your token gets leaked or otherwise compromised, please email us immediately at [email protected] . We will issue you a new token and deactivate the compromised one.

Whatnot allows you to request access to customer accounts using the OAuth Authentication Framework . In your dashboard, you can add a button like "Connect" and prompt the beginning of the OAuth flow.

Your Client App will need a secret , which the Whatnot team will generate and provide to you via secure link.

You will also need to provide us one or more redirect_uris that we will redirect to after a user approves or denies the request for authorization.

Whatnot supports "code" authentication which can be started with the following request (new lines included for readability):

If all values are valid, a 302 redirect with a Location header to Whatnot.com will be returned where the user may Approve or Deny the request.

Upon approval, your request uri will be called with the following params. The authorization code should be provided to request a token.

You can then exchange the authorization code for an access token with the following request (new lines for readability):

This endpoint will return the following JSON:

You can then access the user's information to the requested scopes using the returned Access Token. You should store the Refresh Token to be used to obtain a new Access Token in the future.

Refresh tokens expire in 1 year, also subject to change.

Tokens may be refreshed using the token endpoint and grant_type=refresh_token as described in the OAuth Spec .

The response is identical to above:

The used refresh token will be invalidated, and you should store the newly returned Refresh Token.

Your app will be assigned the maximum authorized scopes for the features it is expecting to provide. For example, if you will display Whatnot inventory in your platform, and allow updates to it, you will be provided read:inventory and write:inventory . If you need to display orders in your platform, you may be issued read:orders . For external fulillment (BYOL), you will be provided write:orders and read:customers .

Each of these will be determined per client app, as needed. On a per-user basis, you may request less than your maximum if needed (e.g. if certain features are an upsell within your platform).

full_access - Only granted via access token to your own account. Never permitted for OAuth

read:inventory - Allows reading products, variants, and listings from an account

write:inventory - Allows creating, updating, and deleting products, variants, and listings

read:orders - Allows reading orders from an account

write:orders - Allows writing information to orders (e.g. Tracking Numbers)

read:customers - Read customer information from an order such as address, email, and phone number. Only needed for off-platform fulfillment