The Murph is an iOS app for athletes training the Murph CrossFit hero workout. We want to integrate WHOOP so users can see their recovery before the workout and their strain after — giving them the context they need to push safely.
We only fetch WHOOP data when the user explicitly opts in (via Settings → Connect WHOOP) and only display it in three specific places — nowhere else.
User taps "Connect WHOOP." OAuth 2.0 flow with PKCE. One-tap, standard iOS sheet.
Recovery score (0–100) shown on the Home screen so users can gauge readiness.
Strain, avg HR, max HR shown in workout summary after the WHOOP workout syncs.
Mockups styled to match The Murph's existing design language — warm neutrals, army-green accents, Bebas Neue typography, and monospaced counters.
Connect your WHOOP to see recovery before workouts and strain after.
We request the minimum scopes required to display the three screens above. No data is sent to third parties. Data is stored only in the user's iCloud and a user-scoped Firestore collection.
read:workout
Strain, average HR, max HR, and calories for the workout the user just completed.
read:recovery
Today's recovery score (0–100) pulled on Home screen load.
read:body_measurement
User's max HR for percentage display, and weight for calorie accuracy.
read:profile
First name + WHOOP user ID to associate the OAuth tokens with our user.
offline
Allows our app to refresh access tokens in the background.
Native iOS app uses OAuth 2.0 Authorization Code flow with PKCE (no client secret shipped in the binary).
Redirect URI: themurph://whoop/callback
Access and refresh tokens stored in the iOS Keychain, encrypted with the user's device passcode + Secure Enclave. Never sent to any server other than WHOOP.
The Murph pulls data on demand (Home load and workout save). No server middleware. No third-party analytics see WHOOP data.
Tapping "Disconnect WHOOP" revokes the token with WHOOP's API, deletes local tokens, and clears cached data.