whoop-mcp

MCP server to connect to whoop API

→ shashankswe2020-ux/whoop-mcp · listed on github_topic

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

github_topic Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

🚨

Known vulnerabilities in dependencies: 1 critical, 3 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

🔐

You'll be asked for 4 credentials: MCP_AUTH_TOKEN, MCP_CONNECTOR_PASSWORD, MCP_JWT_SECRET, WHOOP_CLIENT_SECRET

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configALLOWED_REDIRECT_URIS— MCP_CONNECTOR_PASSWORD no — If set (≥12 chars), enables the OAuth 2.1 connector for claude.ai web/mobile. Requires PUBLIC_URL + .

configLOG_FORMAT— no json json for prod, pretty for local dev.

configLOG_LEVEL— no info debug/info/warn/error.

configMCP_ALLOWED_ORIGINS— , and treat the host as a personal-use deployment — not

🔐 secretMCP_AUTH_TOKEN— behind a single bearer token. Use a strong random

🔐 secretMCP_CONNECTOR_PASSWORD— no — If set (≥12 chars), enables the OAuth 2.1 connector for claude.ai web/mobile. Requires PUBLIC_URL + ALLOWED_REDIRECT_URIS.

configMCP_HOST— no 0.0.0.0 Listen interface.

🔐 secretMCP_JWT_SECRET— no (HKDF) Override JWT signing key. Defaults to HKDF derivation from MCP_AUTH_TOKEN.

configMCP_OAUTH_CLIENT_ID— no whoop-mcp-connector OAuth client identifier advertised by the connector.

configMCP_PORT— no 3000 Listen port.

configMCP_TRANSPORT— The HTTP transport (=http) makes this server suitable for remote

configMCP_TRUST_PROXY— no 0 Set 1 when behind a reverse proxy (Fly/Railway).

configPUBLIC_URL— MCP_CONNECTOR_PASSWORD no — If set (≥12 chars), enables the OAuth 2.1 connector for claude.ai web/mobile. Requires + ALLOWED_REDIRECT_URIS.

configWHOOP_CLIENT_ID— "": "your_client_id",

🔐 secretWHOOP_CLIENT_SECRET— "": "your_client_secret"

configWHOOP_MCP_DISABLE_RESOURCES— To disable resources: set =1.

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/shashankswe2020-ux-whoop-mcp-1xl422)](https://m8ven.ai/mcp/shashankswe2020-ux-whoop-mcp-1xl422)

commit: ea64bf5248a15a7643421c8e2872ee6b4ea28a50

code hash: 6c8754fc3e43e259361ca07960825a454bf998dfb5840d01035de8f94abe4ec2

verified: 6/14/2026, 10:59:04 AM

view raw JSON →