Guides
Webhooks
Verifying Whop events on your server.
POST /api/webhooks/whop receives Whop events. It verifies the signature with the SDK over the raw request body:
const whop = new Whop({
apiKey,
webhookKey: Buffer.from(webhookSecret).toString("base64"),
});
const event = whop.webhooks.unwrap(rawBody, { headers });The webhookKey must be the base64 of your signing secret, and unwrap takes the raw text, not parsed JSON.
This starter only logs the event, because access is checked live on every request — it doesn't need a database to stay correct. In a database-backed app, this is where you'd dedupe by the webhook id and update your own records, returning 200 immediately so Whop doesn't retry.