Whop Extension Starter

Authentication

Whop OAuth from the extension's service worker.

The extension signs users in with Whop's OAuth, run entirely from the background service worker through chrome.identity.launchWebAuthFlow.

PKCE, no client secret

A Chrome extension can't keep a secret, so it uses PKCE. The worker generates a code verifier, a state, and a nonce, sends the S256 challenge to Whop's authorize endpoint, and exchanges the returned code for tokens.

Two details Whop requires:

  • The token exchange body is JSON, not form-encoded.
  • The openid scope requires a nonce on the authorize request.

The returned id_token is not validated in the extension. The server independently re-fetches the user from /oauth/userinfo, which is the real trust boundary.

Tokens

Tokens live in chrome.storage.local. The worker refreshes the access token a few minutes before it expires, and clears everything on logout. Because storage is unencrypted on disk, never put anything there you wouldn't put in a cookie.
