Whop Extension Starter
Guides

Going to production

The switch from sandbox to a published extension.

Web app

Deploy the Next.js app to Vercel and set the production environment variables: your real NEXT_PUBLIC_APP_URL, WHOP_MOCK_MODE=false, WHOP_ALLOW_FREE_ACCESS=false, EXTENSION_ALLOWED_ORIGINS=chrome-extension://<published-id>, and the real Whop ids and keys.

Extension

Build the extension with production values, and replace the placeholder origin in the manifest's connect-src with your deployed domain. Publish to the Chrome Web Store to get the permanent extension id, then add https://<published-id>.chromiumapp.org/whop to your Whop OAuth app.

Secure defaults

The starter fails safe:

  • Mock mode is opt-in, and the server refuses to boot with it on in production.
  • Free access is off by default.
  • The CORS wildcard is ignored in production.
  • The manifest's host permissions are scoped to Whop and your own API, not all sites.

On this page