Server data from the Official MCP Registry
Local-first, read-only WHOOP MCP server for recovery, sleep, strain, workouts, and body signals
Local-first, read-only WHOOP MCP server for recovery, sleep, strain, workouts, and body signals
Valid MCP server (2 strong, 1 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
5 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: WHOOP_CLIENT_ID
Environment variable: WHOOP_CLIENT_SECRET
Environment variable: WHOOP_REDIRECT_URI
Environment variable: WHOOP_CREDENTIALS_FILE
Environment variable: WHOOP_ACCESS_TOKEN
Environment variable: WHOOP_REFRESH_TOKEN
Environment variable: WHOOP_TOKEN_EXPIRES_AT
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-yadheedhya06-mcp-server-whoop": {
"args": [
"-y",
"mcp-server-whoop"
],
"command": "npx"
}
}
}From the project's GitHub README.
A local-first, read-only Model Context Protocol server for WHOOP. It gives MCP-compatible AI clients compact recovery, sleep, strain, HRV, heart-rate, workout, and body-measurement signals without sending your WHOOP credentials through a hosted third party.
processing status, with no older recovery substituted while a new sleep is pendingThis is an independent community project. It is not affiliated with or endorsed by WHOOP. WHOOP data is useful coaching context, not medical advice.
http://127.0.0.1:8765/callback.offline listed below.npx -y mcp-server-whoop@latest auth in a terminal and approve WHOOP access.npx -y mcp-server-whoop@latest status to confirm the local grant exists.npx -y mcp-server-whoop@latest to your AI client's MCP configuration.Use WHOOP to summarize my recovery and sleep from the last 7 days.The authorization command and the AI client must run as the same operating-system user, or both must set WHOOP_CREDENTIALS_FILE to the same private file. The package never asks you to paste WHOOP tokens into an AI conversation.
For reproducible or security-sensitive deployments, replace @latest with an exact reviewed version such as @0.2.0. @latest is convenient but automatically follows future releases.
Create an application in the WHOOP Developer Dashboard and register this exact redirect URL:
http://127.0.0.1:8765/callback
Enable these scopes:
offline
read:recovery
read:cycles
read:sleep
read:workout
read:body_measurement
offline is required because WHOOP access tokens expire and WHOOP rotates refresh tokens.
Run:
npx -y mcp-server-whoop@latest auth
The command prompts for your WHOOP client ID and masks the client secret, opens WHOOP consent in your browser, validates the OAuth state, and saves the resulting grant locally.
Credentials are stored at:
~/.config/mcp-server-whoop/credentials.json
The directory is forced to mode 0700 and the file to 0600. Override the path with WHOOP_CREDENTIALS_FILE if needed.
For headless environments, provide WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and optionally WHOOP_REDIRECT_URI as environment variables before running auth.
The OAuth callback still needs to reach the machine running auth. When authorizing over SSH, create a loopback tunnel from your workstation first:
ssh -L 8765:127.0.0.1:8765 user@your-server
Then run auth in that SSH session and open its printed WHOOP URL in your workstation browser. Do not pass the client secret as a command-line argument because shell history and process listings may expose it.
Check setup without displaying secrets:
npx -y mcp-server-whoop@latest status
Remove the local grant:
npx -y mcp-server-whoop@latest logout
Revoking access in WHOOP account settings is also recommended when you no longer use an integration.
Add this under mcpServers in Claude Desktop's configuration, then fully restart Claude Desktop:
{
"mcpServers": {
"whoop": {
"command": "npx",
"args": ["-y", "mcp-server-whoop@latest"]
}
}
}
claude mcp add --transport stdio whoop -- npx -y mcp-server-whoop@latest
mcpServers clientsAdd the server to the client's MCP JSON. Gemini Code Assist uses ~/.gemini/settings.json; other clients choose their own settings path.
{
"mcpServers": {
"whoop": {
"command": "npx",
"args": ["-y", "mcp-server-whoop@latest"]
}
}
}
Create .vscode/mcp.json for a project, or use VS Code's MCP: Add Server command:
{
"servers": {
"whoop": {
"type": "stdio",
"command": "npx",
"args": ["-y", "mcp-server-whoop@latest"]
}
}
}
Either run:
codex mcp add whoop -- npx -y mcp-server-whoop@latest
Or add this to ~/.codex/config.toml:
[mcp_servers.whoop]
command = "npx"
args = ["-y", "mcp-server-whoop@latest"]
Local Codex and ChatGPT desktop clients that support stdio can use the Codex configuration above. ChatGPT web does not launch a command on your computer; it requires a separately secured remote bridge or tunnel and a workspace plugin. This repository intentionally does not ship or operate a public health-data relay.
Client menus and configuration paths change over time. If a client supports standard local stdio MCP, the portable values are always:
command: npx
arguments: -y mcp-server-whoop@latest
After restarting the client, confirm that it discovers exactly these five tools:
whoop_latest_overview
whoop_recovery_history
whoop_sleep_history
whoop_cycle_strain_history
whoop_workout_history
Useful prompts:
Use WHOOP to review today's recovery, latest sleep, current strain, and latest workout.Compare my recovery, HRV, and resting heart rate over the last 14 days.Show my last 7 days of sleep, including naps, and flag anything still processing.Summarize my workout strain and heart-rate zones for the last 30 days.Use WHOOP as context for today's training, but do not treat it as medical advice.The model decides when to call tools, so explicitly say Use WHOOP when you want live data rather than a general answer.
| Tool | Purpose |
|---|---|
whoop_latest_overview | Current coaching snapshot with pending-data safeguards |
whoop_recovery_history | Recovery, HRV, resting HR, SpO2, and skin-temperature trends |
whoop_sleep_history | Primary sleep and optional naps, stages, need, quality, and timing |
whoop_cycle_strain_history | Daily strain, calories, and average/max heart rate |
whoop_workout_history | Sport, duration, strain, HR, calories, distance, and zone minutes |
All tools are marked read-only, non-destructive, and idempotent.
For a health-data MCP, a larger tool count also means a larger capability surface. This server keeps authentication outside the agent and gives the model only the five health-reading capabilities it needs.
It intentionally has:
The goal is not maximum WHOOP API coverage. It is the smallest practical authority boundary for recovery-aware AI.
WHOOP returns absolute timestamps plus a timezone_offset on sleep, cycle, and workout records. This server applies each record's own offset and returns only already-converted local timestamps such as:
2026-07-07 18:02:22 +04:00
It does not apply the machine's current timezone to historical records.
WHOOP exposes activity type and workout sport, but its public API does not indicate whether a workout was auto-detected or manually started. This server does not guess.
When the newest primary sleep is still PENDING_SCORE, the latest overview returns:
{
"status": {
"state": "waiting_for_whoop",
"current_recovery_available": false
},
"recovery": null
}
An older recovery is never presented as current.
| Variable | Purpose |
|---|---|
WHOOP_CLIENT_ID | WHOOP OAuth client ID |
WHOOP_CLIENT_SECRET | WHOOP OAuth client secret |
WHOOP_REDIRECT_URI | OAuth callback, defaults to http://127.0.0.1:8765/callback |
WHOOP_CREDENTIALS_FILE | Override local credential-file path |
WHOOP_ACCESS_TOKEN | Optional short-lived access-token override |
WHOOP_REFRESH_TOKEN | Optional refresh-token override |
WHOOP_TOKEN_EXPIRES_AT | Optional ISO token-expiry override |
Client configuration from WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI overrides file values. Token environment variables can bootstrap a headless setup, but once a refresh token rotates, the newer token persisted in the credential file takes precedence. Do not put secrets directly in command-line arguments or commit them to source control.
Missing WHOOP ...Run npx -y mcp-server-whoop@latest status as the same OS user that launches the AI client. If the credentials are elsewhere, set WHOOP_CREDENTIALS_FILE in the client's MCP environment.
The redirect in the Developer Dashboard and the value used by this package must match exactly. The default is http://127.0.0.1:8765/callback, including scheme, host, port, and path.
Copy the authorization URL printed in the terminal and open it manually. The callback listener expires after five minutes; rerun auth if needed.
8765 is already in useRegister another loopback URL such as http://127.0.0.1:9876/callback, set WHOOP_REDIRECT_URI to that exact value, and rerun auth.
nullCheck the returned status.state. If it is waiting_for_whoop or waiting_for_recovery, WHOOP has not finished scoring the newest sleep. The server intentionally refuses to label an older recovery as current; retry after WHOOP finishes processing.
Run npx -y mcp-server-whoop@latest --help in a terminal to verify Node.js and npm can launch the package, then restart the AI client and inspect its MCP logs. Do not run the bare server interactively to inspect output: stdio is reserved for MCP protocol messages.
git clone git@github.com:Yadheedhya06/mcp-server-whoop.git
cd mcp-server-whoop
npm ci --ignore-scripts
npm run check
Run the local source server:
npm run dev
Build and inspect the exact npm artifact:
npm pack --dry-run
This project publishes evidence rather than claiming that any package is perfectly safe. See the full security policy and reproducible security evidence.
These controls reduce risk, but they are not a paid penetration test or a guarantee. The limitations are documented explicitly in SECURITY-EVIDENCE.md.
MIT
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.