Access gating

How the server decides what's unlocked.

Access is decided on the server, on every request. The extension's job is only to carry the user's token and render whatever the server returns.

The entitlements endpoint

POST /api/extension/entitlements takes the user's bearer token, resolves it to a Whop user, and checks access for the configured resource:

GET /api/v1/users/{userId}/access/{resourceId}

It returns an entitlement snapshot — hasAccess, a tier, the feature list, the checkout URL, and the billing URL. The popup caches this only to render the locked or unlocked UI.

The gated resource

The paid feature lives behind POST /api/extension/gated-resource. It re-resolves access and returns 402 (with the entitlement) when the user hasn't paid. This 402 is the real gate; the cached snapshot is never a security boundary.

Free access is off by default

WHOP_ALLOW_FREE_ACCESS defaults to false, so non-paying users get an empty feature list. Turn it on only if you want to hand a free tier to signed-in users who haven't purchased.
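The gate described above, as an added dependency-free sketch rather than the starter's own code: access is re-resolved per call, the entitlement snapshot is built from that lookup, and a non-paying user receives 402 with the snapshot attached. The token table, the `resolveAccess` helper, the concrete feature names, the placeholder URLs and the 401 for an unresolvable token are all assumptions, not values from the starter.

```javascript
// Constructed stand-in for the lookup the server makes against
// GET /api/v1/users/{userId}/access/{resourceId}, keyed by bearer token.
// (Assumed sample data, not real Whop responses.)
const SAMPLE_ACCESS = {
  "tok-paid": { userId: "u1", hasAccess: true, tier: "pro" },
  "tok-free": { userId: "u2", hasAccess: false, tier: null },
};

// Resolve a bearer token to the user's access record, or null if unknown.
function resolveAccess(token) {
  return SAMPLE_ACCESS[token] || null;
}

// Build the entitlement snapshot the popup renders. The feature list is
// empty for non-payers unless WHOP_ALLOW_FREE_ACCESS is "true" (default false).
function buildEntitlement(access, env = process.env) {
  const allowFree =
    String(env.WHOP_ALLOW_FREE_ACCESS || "false").toLowerCase() === "true";
  const paidFeatures = ["export", "sync"]; // assumed feature names
  const freeFeatures = ["preview"];        // assumed free-tier feature
  let features = [];
  if (access.hasAccess) features = paidFeatures;
  else if (allowFree) features = freeFeatures;
  return {
    hasAccess: access.hasAccess,
    tier: access.hasAccess ? access.tier : allowFree ? "free" : null,
    features,
    checkoutUrl: "https://example.invalid/checkout", // placeholder URL
    billingUrl: "https://example.invalid/billing",   // placeholder URL
  };
}

// POST /api/extension/gated-resource: re-resolve access on every request and
// answer 402 with the entitlement when the user has not paid. A snapshot the
// popup cached earlier is never consulted here; this check is the real gate.
function gatedResource(token, env = process.env) {
  const access = resolveAccess(token);
  if (!access) return { status: 401, body: { error: "invalid token" } }; // assumed
  const entitlement = buildEntitlement(access, env);
  if (!entitlement.hasAccess) return { status: 402, body: { entitlement } };
  return { status: 200, body: { entitlement, resource: "paid payload" } };
}
```

Note that enabling WHOP_ALLOW_FREE_ACCESS only fills the free user's feature list; the gated resource still answers 402 because hasAccess is unchanged.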