Skip to main content
In production, your app runs inside the Whop iframe behind a reverse proxy that injects the x-whop-user-token header on every request. Every Whop app verifies that token via whopsdk.verifyUserToken, so you need the same header on localhost to test against real users. The dev proxy injects it for you.

Pick your setup

Two installation modes. Both ship the same proxy binary; the difference is whether the proxy spawns your dev server or runs alongside it.

NextJS / Javascript app

1

Add the proxy as a dev dependency

2

Update your package.json dev script

Update your package.json dev script to include the proxy.
You can update the dev command to match your framework requirements. You can also wrap other commands with the proxy in a similar way.
3

Run the proxy

Standalone mode (other frameworks)

1

Run your app locally

Run your app on your local machine on some port, for example 5000.
2

Run the proxy in standalone mode

This will run the proxy as an independent process. It will start a server on port 3000 and forward requests to port 5000 and append the user token in the headers.

Proxy Command Options

The proxy can be configured using the following command line options:

Next steps

Authentication

Verify the iframe user token in the same code locally and in production.

Listen to webhooks

Forward Whop webhooks to localhost while developing (use ngrok or Cloudflare Tunnel).

Build app views

Set up the iframe entry points your app will render inside.

Request permissions

Configure the scopes your app needs before publishing.