Guides
Going to production
The switch from sandbox to a published extension.
Web app
Deploy the Next.js app to Vercel and set the production environment variables: your real NEXT_PUBLIC_APP_URL, WHOP_MOCK_MODE=false, WHOP_ALLOW_FREE_ACCESS=false, EXTENSION_ALLOWED_ORIGINS=chrome-extension://<published-id>, and the real Whop ids and keys.
Extension
Build the extension with production values, and replace the placeholder origin in the manifest's connect-src with your deployed domain. Publish to the Chrome Web Store to get the permanent extension id, then add https://<published-id>.chromiumapp.org/whop to your Whop OAuth app.
Secure defaults
The starter fails safe:
- Mock mode is opt-in, and the server refuses to boot with it on in production.
- Free access is off by default.
- The CORS wildcard is ignored in production.
- The manifest's host permissions are scoped to Whop and your own API, not all sites.