Anonymous Access from Client Apps

Since you can't use the app management token from client apps for security reasons, Whisk provides an alternative mechanism to support server-less apps. Client application can request short-lived token to access API and keep reference for user.

If you need the token for browser applications, you must provide a list of domains for whitelisting.

Sample Request and Response

Curl Request
Curl Request
curl "" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"clientId": "<YOUR-APP-ID>"


"user": {
"id": "1025f5d34cdd65b4b3eaa9246e6a5146930",
"updatedAt": 1613220404000,
"createdAt": 1613220404000,
"preferences": {
"diets": [],
"avoidances": [],
"dislikedIngredients": [],
"householdSizeAdults": 1,
"householdSizeChildren": 0,
"cookingSkill": "amateur"
"preferencesMask": [],
"anonymous": true,
"passwordRequired": true,
"emailVerified": false
"token": {
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"expires_in": 2592000,
"scope": "",
"token_type": "Bearer",
"new_user": true

The access_token is bound to specific user's id in Whisk Platform and can be used for communication from client app

The anonymous user is deleted automatically after 30 days of inactivity, but if a user makes a request during this period, the validity increases for another 30 days.