whop 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9645be1e4507621dd2c72c4703f31b5145a9b52ccf5b06069165b58a543730c5
+  data.tar.gz: 69670ad752cdb9b4135ff02dfae501e3adc01556aa3d24a0b625b36674bcdaa5
+SHA512:
+  metadata.gz: 85298153f9224db542ed3b3aac8b1095c47b7992d7705614cdd71958dd0a6ecc9820593cfec65fed539933b5919cee0107f95e0a2eac6a1fe2293c30ad05e470
+  data.tar.gz: d41161106975b44aeb0d68fcea0ebb8b9bcc8277f0993bc953a5cb43831b8647f9e90e6f3b1b47cbdc39f3337dce634dd8a0bb001a84d551cf5e6d2e580fa418

data/README.md

@@ -0,0 +1,58 @@
+# whop-rails
+
+Rails 7+ gem to build embedded Whop apps: token verification, access checks, API client, webhooks, and generators. Mirrors Whop's Next.js app template.
+
+## Install
+
+Add to Gemfile:
+
+```ruby
+gem "whop-rails", path: "."
+```
+
+Generate initializer and mount webhooks:
+
+```bash
+bin/rails g whop:install
+```
+
+Set env vars:
+
+- `WHOP_APP_ID`
+- `WHOP_API_KEY`
+- `WHOP_WEBHOOK_SECRET`
+- (optional) `WHOP_AGENT_USER_ID`, `WHOP_COMPANY_ID`
+
+## Usage
+
+```ruby
+class ExperiencesController < ApplicationController
+  include Whop::ControllerHelpers
+  before_action -> { require_whop_access!(experience_id: params[:id]) }
+
+  def show
+    user_id = whop_user_id
+    experience = Whop.client.experiences.get(params[:id])
+    render locals: { user_id:, experience: }
+  end
+end
+```
+
+Webhooks:
+
+```bash
+bin/rails g whop:webhooks:handler payment_succeeded
+# POST /whop/webhooks -> verifies signature, enqueues Whop::PaymentSucceededJob
+```
+
+## Example app template
+
+```bash
+rails new whop_app -m examples/rails_app/template.rb --skip-jbuilder --skip-action-mailbox --skip-action-text --skip-active-storage
+```
+
+## License
+
+MIT
+
+

data/config/routes.rb

@@ -0,0 +1,5 @@
+Whop::Webhooks::Engine.routes.draw do
+  post "/", to: "webhooks#receive"
+end
+
+

data/examples/rails_app/template.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+# Rails application template for a Whop-enabled embedded app.
+# Usage:
+#   rails new whop_app -m examples/rails_app/template.rb --skip-jbuilder --skip-action-mailbox --skip-action-text --skip-active-storage
+
+say "Adding whop-rails gem..."
+append_to_file "Gemfile", <<~RUBY
+  
+  gem "whop-rails", path: File.expand_path("../../", __dir__)
+RUBY
+
+run "bundle install"
+
+say "Installing Whop initializer and webhooks engine..."
+generate "whop:install"
+
+env_keys = %w[WHOP_APP_ID WHOP_API_KEY WHOP_WEBHOOK_SECRET]
+say "Remember to set ENV: #{env_keys.join(', ')}", :yellow
+
+say "Adding ExperiencesController and route..."
+create_file "app/controllers/experiences_controller.rb", <<~RUBY
+  class ExperiencesController < ApplicationController
+    include Whop::ControllerHelpers
+    before_action -> { require_whop_access!(experience_id: params[:id]) }
+
+    def show
+      user_id = whop_user_id
+      experience = Whop.client.experiences.get(params[:id])
+      render :show, locals: { user_id: user_id, experience: experience }
+    end
+  end
+RUBY
+
+create_file "app/views/experiences/show.html.erb", <<~ERB
+  <div class="container">
+    <h1>Experience</h1>
+    <p>User ID: <%= user_id %></p>
+    <pre><%= JSON.pretty_generate(experience) %></pre>
+  </div>
+ERB
+
+route "resources :experiences, only: [:show]"
+
+say "Adding Discover page..."
+create_file "app/controllers/discover_controller.rb", <<~RUBY
+  class DiscoverController < ApplicationController
+    def show; end
+  end
+RUBY
+
+create_file "app/views/discover/show.html.erb", <<~ERB
+  <div class="container">
+    <h1>Discover your app</h1>
+    <p>Showcase value, link to communities, add referral params.</p>
+  </div>
+ERB
+
+route "get '/discover', to: 'discover#show'"
+
+say "Generating example webhook handler..."
+generate "whop:webhooks:handler", "payment_succeeded"
+
+say "All set. Configure ENV and run: bin/rails server"
+
+

data/lib/generators/whop/discover_page/discover_page_generator.rb

@@ -0,0 +1,23 @@
+require "rails/generators"
+
+module Whop
+  module Generators
+    class DiscoverPageGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      def create_controller
+        template "discover_controller.rb", "app/controllers/discover_controller.rb"
+      end
+
+      def add_route
+        route "get '/discover', to: 'discover#show'"
+      end
+
+      def create_view
+        template "show.html.erb", "app/views/discover/show.html.erb"
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/discover_page/templates/discover_controller.rb

@@ -0,0 +1,6 @@
+class DiscoverController < ApplicationController
+  def show
+  end
+end
+
+

data/lib/generators/whop/discover_page/templates/show.html.erb

@@ -0,0 +1,6 @@
+<div class="container">
+  <h1>Discover your app</h1>
+  <p>Showcase value, link to communities, add referral params.</p>
+</div>
+
+

data/lib/generators/whop/install/install_generator.rb

@@ -0,0 +1,23 @@
+require "rails/generators"
+
+module Whop
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      def create_initializer
+        template "whop.rb", "config/initializers/whop.rb"
+      end
+
+      def mount_engine
+        route "mount Whop::Webhooks::Engine => '/whop/webhooks'"
+      end
+
+      def create_iframe_initializer
+        template "whop_iframe.rb", "config/initializers/whop_iframe.rb"
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/install/templates/whop.rb

@@ -0,0 +1,10 @@
+Whop.configure do |config|
+  config.app_id         = ENV["WHOP_APP_ID"]
+  config.api_key        = ENV["WHOP_API_KEY"]
+  config.webhook_secret = ENV["WHOP_WEBHOOK_SECRET"]
+  config.agent_user_id  = ENV["WHOP_AGENT_USER_ID"]
+  config.company_id     = ENV["WHOP_COMPANY_ID"]
+  # config.api_base_url = "https://api.whop.com"
+end
+
+

data/lib/generators/whop/install/templates/whop_iframe.rb

@@ -0,0 +1,9 @@
+# Allow Whop to embed this app in an iframe
+
+Rails.application.config.action_dispatch.default_headers.delete('X-Frame-Options')
+
+Rails.application.config.content_security_policy do |policy|
+  policy.frame_ancestors :self, "https://whop.com", "https://*.whop.com"
+end
+
+

data/lib/generators/whop/scaffold/all/all_generator.rb

@@ -0,0 +1,22 @@
+require "rails/generators"
+
+module Whop
+  module Scaffold
+    module Generators
+      class AllGenerator < Rails::Generators::Base
+        argument :company_id, type: :string, required: false, default: nil, desc: "(optional) Whop Company ID"
+        argument :experience_id, type: :string, required: false, default: nil, desc: "(optional) Whop Experience ID"
+
+        def scaffold_company
+          invoke "whop:scaffold:company", [company_id].compact
+        end
+
+        def scaffold_experience
+          invoke "whop:scaffold:experience", [experience_id].compact
+        end
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/scaffold/company/company_generator.rb

@@ -0,0 +1,26 @@
+require "rails/generators"
+
+module Whop
+  module Scaffold
+    module Generators
+      class CompanyGenerator < Rails::Generators::Base
+        argument :company_id, type: :string, required: false, default: nil, desc: "(optional) Whop Company ID (not required)"
+        source_root File.expand_path("templates", __dir__)
+
+        def create_controller
+          template "companies_controller.rb", "app/controllers/companies_controller.rb"
+        end
+
+        def add_route
+          route "get '/dashboard/:companyId', to: 'companies#show', as: :dashboard_company"
+        end
+
+        def create_view
+          template "show.html.erb", "app/views/companies/show.html.erb"
+        end
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/scaffold/company/templates/companies_controller.rb

@@ -0,0 +1,17 @@
+class CompaniesController < ApplicationController
+  include Whop::ControllerHelpers
+  before_action -> { require_whop_access!(company_id: params[:companyId] || params[:id]) }
+
+  def show
+    user_id = whop_user_id
+    company_id = params[:companyId] || params[:id]
+    company = begin
+      Whop.client.with_company(company_id).companies.get(company_id)
+    rescue StandardError
+      { "id" => company_id }
+    end
+    render :show, locals: { user_id:, company: }
+  end
+end
+
+

data/lib/generators/whop/scaffold/company/templates/show.html.erb

@@ -0,0 +1,7 @@
+<div class="container">
+  <h1>Company</h1>
+  <p>User ID: <%%= user_id %></p>
+  <pre><%%= JSON.pretty_generate(company) %></pre>
+</div>
+
+

data/lib/generators/whop/scaffold/experience/experience_generator.rb

@@ -0,0 +1,26 @@
+require "rails/generators"
+
+module Whop
+  module Scaffold
+    module Generators
+      class ExperienceGenerator < Rails::Generators::Base
+        argument :experience_id, type: :string, required: false, default: nil, desc: "(optional) Whop Experience ID (not required)"
+        source_root File.expand_path("templates", __dir__)
+
+        def create_controller
+          template "experiences_controller.rb", "app/controllers/experiences_controller.rb"
+        end
+
+        def add_route
+          route "get '/experiences/:experienceId', to: 'experiences#show', as: :experience"
+        end
+
+        def create_view
+          template "show.html.erb", "app/views/experiences/show.html.erb"
+        end
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/scaffold/experience/templates/experiences_controller.rb

@@ -0,0 +1,17 @@
+class ExperiencesController < ApplicationController
+  include Whop::ControllerHelpers
+  before_action -> { require_whop_access!(experience_id: params[:experienceId] || params[:id]) }
+
+  def show
+    user_id = whop_user_id
+    exp_id = params[:experienceId] || params[:id]
+    experience = begin
+      Whop.client.experiences.get(exp_id)
+    rescue StandardError
+      { "id" => exp_id }
+    end
+    render :show, locals: { user_id:, experience: }
+  end
+end
+
+

data/lib/generators/whop/scaffold/experience/templates/show.html.erb

@@ -0,0 +1,7 @@
+<div class="container">
+  <h1>Experience</h1>
+  <p>User ID: <%%= user_id %></p>
+  <pre><%%= JSON.pretty_generate(experience) %></pre>
+</div>
+
+

data/lib/generators/whop/webhooks/handler/handler_generator.rb

@@ -0,0 +1,17 @@
+require "rails/generators"
+
+module Whop
+  module Webhooks
+    module Generators
+      class HandlerGenerator < Rails::Generators::NamedBase
+        source_root File.expand_path("templates", __dir__)
+
+        def create_job
+          template "job.rb", File.join("app/jobs/whop", "#{file_name}_job.rb")
+        end
+      end
+    end
+  end
+end
+
+

data/lib/generators/whop/webhooks/handler/templates/job.rb

@@ -0,0 +1,10 @@
+class <%= class_name %>Job < ApplicationJob
+  queue_as :default
+
+  def perform(event)
+    # event is a Hash with keys: "action", "data", etc.
+    Rails.logger.info("Whop webhook <%= file_name %> received: #{event.inspect}")
+  end
+end
+
+

data/lib/generators/whop/webhooks/install/install_generator.rb

@@ -0,0 +1,15 @@
+require "rails/generators"
+
+module Whop
+  module Webhooks
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        def add_route
+          route "mount Whop::Webhooks::Engine => '/whop/webhooks'"
+        end
+      end
+    end
+  end
+end
+
+

data/lib/whop/access.rb

@@ -0,0 +1,37 @@
+module Whop
+  # Access helpers using persisted GraphQL operations per Whop docs
+  class Access
+    def initialize(client)
+      @client = client
+    end
+
+    def user_has_access_to_experience?(user_id:, experience_id:)
+      data = @client.graphql("CheckIfUserHasAccessToExperience", { userId: user_id, experienceId: experience_id })
+      extract_access_boolean(data)
+    end
+
+    def user_has_access_to_access_pass?(user_id:, access_pass_id:)
+      data = @client.graphql("CheckIfUserHasAccessToAccessPass", { userId: user_id, accessPassId: access_pass_id })
+      extract_access_boolean(data)
+    end
+
+    def user_has_access_to_company?(user_id:, company_id:)
+      data = @client.graphql("CheckIfUserHasAccessToCompany", { userId: user_id, companyId: company_id })
+      extract_access_boolean(data)
+    end
+
+    private
+
+    def extract_access_boolean(graphql_result)
+      if graphql_result.is_a?(Hash)
+        data = graphql_result["data"] || graphql_result
+        key = %w[hasAccessToExperience hasAccessToAccessPass hasAccessToCompany].find { |k| data.key?(k) rescue false }
+        payload = key ? data[key] : data
+        return payload["hasAccess"] if payload.is_a?(Hash) && payload.key?("hasAccess")
+      end
+      !!graphql_result
+    end
+  end
+end
+
+

data/lib/whop/client.rb

@@ -0,0 +1,177 @@
+require "faraday"
+require "json"
+require "faraday/retry"
+
+module Whop
+  class Error < StandardError; end
+
+  # Thin HTTP client for Whop API + GraphQL with context headers.
+  class Client
+    attr_reader :config, :on_behalf_of_user_id, :company_id
+
+    def initialize(config, on_behalf_of_user_id: nil, company_id: nil)
+      @config = config
+      @on_behalf_of_user_id = on_behalf_of_user_id || config.agent_user_id
+      @company_id = company_id || config.company_id
+    end
+
+    def with_user(user_id)
+      self.class.new(config, on_behalf_of_user_id: user_id, company_id: @company_id)
+    end
+
+    def with_company(company_id)
+      self.class.new(config, on_behalf_of_user_id: @on_behalf_of_user_id, company_id: company_id)
+    end
+
+    # REST helpers
+    def get(path, params: nil)
+      response = connection.get(path) do |req|
+        req.params.update(params) if params
+      end
+      parse_response!(response)
+    end
+
+    def post(path, json: nil)
+      response = connection.post(path) do |req|
+        req.headers["Content-Type"] = "application/json"
+        req.body = JSON.generate(json) if json
+      end
+      parse_response!(response)
+    end
+
+    # GraphQL (persisted operations by operationName)
+    def graphql(operation_name, variables = {})
+      response = Faraday.post("#{config.api_base_url}/public-graphql") do |req|
+        apply_common_headers(req.headers)
+        req.headers["Content-Type"] = "application/json"
+        req.body = JSON.generate({ operationName: operation_name, variables: variables })
+      end
+      parse_response!(response)
+    end
+
+    # Resources
+    def users
+      @users ||= Resources::Users.new(self)
+    end
+
+    def experiences
+      @experiences ||= Resources::Experiences.new(self)
+    end
+
+    def companies
+      @companies ||= Resources::Companies.new(self)
+    end
+
+    def access
+      require_relative "access"
+      @access ||= Access.new(self)
+    end
+
+    private
+
+    def connection
+      @connection ||= Faraday.new(url: config.api_base_url) do |faraday|
+        faraday.request :retry, max: 2, interval: 0.1, backoff_factor: 2
+        faraday.response :raise_error
+        faraday.adapter Faraday.default_adapter
+      end
+    end
+
+    def apply_common_headers(headers)
+      headers["Authorization"] = "Bearer #{config.api_key}"
+      headers["x-on-behalf-of"] = on_behalf_of_user_id if on_behalf_of_user_id
+      headers["x-company-id"] = company_id if company_id
+    end
+
+    def parse_response!(response)
+      body = response.body
+      json = parse_body_safely(body)
+      if response.status.to_i >= 400
+        raise Error, "Whop API error (#{response.status}): #{json.inspect}"
+      end
+      json
+    end
+
+    def parse_body_safely(body)
+      return body unless body.is_a?(String) && !body.empty?
+      JSON.parse(body)
+    rescue JSON::ParserError
+      body
+    end
+  end
+end
+
+module Whop
+  module Resources
+    class Base
+      attr_reader :client
+      def initialize(client)
+        @client = client
+      end
+    end
+
+    class Users < Base
+      def get(user_id)
+        client.get("/v5/users/#{user_id}")
+      end
+    end
+
+    class Experiences < Base
+      def get(experience_id)
+        client.get("/v5/experiences/#{experience_id}")
+      end
+    end
+
+    class Companies < Base
+      def get(company_id)
+        # If the client is already scoped to this company, use the context-aware endpoint
+        if client.company_id && client.company_id == company_id
+          # Whop v5 exposes a context-aware company endpoint that reads x-company-id
+          return client.get("/v5/company")
+        end
+
+        # Otherwise, fetch via app-scoped companies endpoint by id
+        client.get("/v5/app/companies/#{company_id}")
+      end
+    end
+  end
+end
+
+module Whop
+  # Access helpers using persisted GraphQL operations per Whop docs
+  class Access
+    def initialize(client)
+      @client = client
+    end
+
+    def user_has_access_to_experience?(user_id:, experience_id:)
+      data = @client.graphql("CheckIfUserHasAccessToExperience", { userId: user_id, experienceId: experience_id })
+      extract_access_boolean(data)
+    end
+
+    def user_has_access_to_access_pass?(user_id:, access_pass_id:)
+      data = @client.graphql("CheckIfUserHasAccessToAccessPass", { userId: user_id, accessPassId: access_pass_id })
+      extract_access_boolean(data)
+    end
+
+    def user_has_access_to_company?(user_id:, company_id:)
+      data = @client.graphql("CheckIfUserHasAccessToCompany", { userId: user_id, companyId: company_id })
+      extract_access_boolean(data)
+    end
+
+    private
+
+    def extract_access_boolean(graphql_result)
+      # Attempt to locate the access payload; tolerate schema variants
+      if graphql_result.is_a?(Hash)
+        data = graphql_result["data"] || graphql_result
+        key = %w[hasAccessToExperience hasAccessToAccessPass hasAccessToCompany].find { |k| data.key?(k) rescue false }
+        payload = key ? data[key] : data
+        return payload["hasAccess"] if payload.is_a?(Hash) && payload.key?("hasAccess")
+      end
+      !!graphql_result
+    end
+  end
+end
+
+

data/lib/whop/controller_helpers.rb

@@ -0,0 +1,51 @@
+module Whop
+  module ControllerHelpers
+    private
+
+    def whop_user_id
+      # Primary: verified JWT from header
+      token = request.headers["x-whop-user-token"] || request.headers["X-Whop-User-Token"]
+      if token.present?
+        payload = Whop::Token.verify_from_jwt(token)
+        app_id = payload["aud"]
+        raise Whop::Error, "Invalid app audience" if app_id != (ENV["WHOP_APP_ID"] || Whop.config.app_id)
+        return payload["sub"]
+      end
+
+      # Development fallback: support whop-dev-user-token (header or param)
+      if defined?(Rails) && Rails.env.development?
+        dev_token = request.get_header("HTTP_WHOP_DEV_USER_TOKEN") || request.headers["whop-dev-user-token"] || params["whop-dev-user-token"] || params[:whop_dev_user_token]
+        if dev_token.present?
+          # If looks like JWT, try to verify; otherwise treat as direct user_id
+          if dev_token.include?(".")
+            payload = Whop::Token.verify_from_jwt(dev_token)
+            return payload["sub"]
+          else
+            return dev_token
+          end
+        end
+      end
+
+      nil
+    end
+
+    def require_whop_access!(experience_id: nil, access_pass_id: nil, company_id: nil)
+      uid = whop_user_id
+      raise Whop::Error, "Missing Whop user token" if uid.nil?
+
+      has_access = if experience_id
+        Whop.client.access.user_has_access_to_experience?(user_id: uid, experience_id: experience_id)
+      elsif access_pass_id
+        Whop.client.access.user_has_access_to_access_pass?(user_id: uid, access_pass_id: access_pass_id)
+      elsif company_id
+        Whop.client.access.user_has_access_to_company?(user_id: uid, company_id: company_id)
+      else
+        true
+      end
+
+      render plain: "Forbidden", status: :forbidden unless has_access
+    end
+  end
+end
+
+

data/lib/whop/dsl.rb

@@ -0,0 +1,107 @@
+module Whop
+  module DSL
+    class Registry
+      attr_reader :resources
+      def initialize
+        @resources = {}
+      end
+
+      def resource(name, &block)
+        ns = (@resources[name.to_sym] ||= Namespace.new(name))
+        ns.instance_eval(&block) if block
+        ns
+      end
+    end
+
+    class Namespace
+      attr_reader :name, :methods
+      def initialize(name)
+        @name = name.to_sym
+        @methods = {}
+      end
+
+      def graphql(method_name, operation:, args: [])
+        @methods[method_name.to_sym] = { type: :graphql, operation: operation, args: Array(args).map(&:to_sym) }
+      end
+
+      def rest_get(method_name, path:, args: [], params: [])
+        @methods[method_name.to_sym] = { type: :rest_get, path: path, args: Array(args).map(&:to_sym), params: Array(params).map(&:to_sym) }
+      end
+
+      def rest_post(method_name, path:, args: [], body: [])
+        @methods[method_name.to_sym] = { type: :rest_post, path: path, args: Array(args).map(&:to_sym), body: Array(body).map(&:to_sym) }
+      end
+    end
+
+    class ClientProxy
+      def initialize(client, registry)
+        @client = client
+        @registry = registry
+      end
+
+      def method_missing(name, *args, **kwargs, &block)
+        ns = @registry.resources[name.to_sym]
+        return super unless ns
+        NamespaceProxy.new(@client, ns)
+      end
+
+      def respond_to_missing?(name, include_all = false)
+        @registry.resources.key?(name.to_sym) || super
+      end
+    end
+
+    class NamespaceProxy
+      def initialize(client, namespace)
+        @client = client
+        @namespace = namespace
+      end
+
+      def method_missing(name, *args, **kwargs, &block)
+        spec = @namespace.methods[name.to_sym]
+        return super unless spec
+        case spec[:type]
+        when :graphql
+          variables = build_named_args(spec[:args], args, kwargs)
+          @client.graphql(spec[:operation], variables)
+        when :rest_get
+          path = interpolate_path(spec[:path], build_named_args(spec[:args], args, kwargs))
+          query = kwargs.select { |k, _| spec[:params].include?(k.to_sym) }
+          @client.get(path, params: query)
+        when :rest_post
+          path = interpolate_path(spec[:path], build_named_args(spec[:args], args, kwargs))
+          body = kwargs.select { |k, _| spec[:body].include?(k.to_sym) }
+          @client.post(path, json: body)
+        else
+          raise Whop::Error, "Unknown DSL method type: #{spec[:type]}"
+        end
+      end
+
+      def respond_to_missing?(name, include_all = false)
+        @namespace.methods.key?(name.to_sym) || super
+      end
+
+      private
+
+      def build_named_args(arg_names, args, kwargs)
+        return kwargs if kwargs && !kwargs.empty?
+        Hash[arg_names.zip(args)]
+      end
+
+      def interpolate_path(path, named)
+        path.gsub(/:(\w+)/) { |m| named[$1.to_sym] }
+      end
+    end
+
+    module_function
+
+    def registry
+      @registry ||= Registry.new
+    end
+
+    def define(&block)
+      registry.instance_eval(&block)
+    end
+  end
+end
+
+

data/lib/whop/dsl_prelude.rb

@@ -0,0 +1,23 @@
+require_relative "dsl"
+
+Whop::DSL.define do
+  resource :access do
+    graphql :check_if_user_has_access_to_experience, operation: "CheckIfUserHasAccessToExperience", args: %i[userId experienceId]
+    graphql :check_if_user_has_access_to_access_pass, operation: "CheckIfUserHasAccessToAccessPass", args: %i[userId accessPassId]
+    graphql :check_if_user_has_access_to_company, operation: "CheckIfUserHasAccessToCompany", args: %i[userId companyId]
+  end
+
+  resource :users do
+    rest_get :get, path: "/v5/users/:userId", args: %i[userId]
+  end
+
+  resource :experiences do
+    rest_get :get, path: "/v5/experiences/:experienceId", args: %i[experienceId]
+  end
+
+  resource :companies do
+    rest_get :get, path: "/v5/companies/:companyId", args: %i[companyId]
+  end
+end
+
+

data/lib/whop/error.rb

@@ -0,0 +1,5 @@
+module Whop
+  class Error < StandardError; end
+end
+
+

data/lib/whop/token.rb

@@ -0,0 +1,37 @@
+require "jwt"
+require "openssl"
+
+module Whop
+  module Token
+    JWT_PEM = <<~PEM.freeze
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErz8a8vxvexHC0TLT91g7llOdDOsN
+      uYiGEfic4Qhni+HMfRBuUphOh7F3k8QgwZc9UlL0AHmyYqtbhL9NuJes6w==
+      -----END PUBLIC KEY-----
+    PEM
+
+    module_function
+
+    def verify(headers)
+      token = headers["x-whop-user-token"] || headers["X-Whop-User-Token"]
+      raise Whop::Error, "Missing x-whop-user-token header" if token.nil? || token.empty?
+      payload = verify_from_jwt(token)
+      app_id = payload["aud"]
+      expected = ENV["WHOP_APP_ID"] || Whop.config.app_id
+      raise Whop::Error, "Token audience mismatch" if expected && app_id != expected
+      { "user_id" => payload["sub"] }
+    end
+
+    def verify_from_jwt(token)
+      key = OpenSSL::PKey::EC.new(JWT_PEM)
+      payload, _header = JWT.decode(token, key, true, {
+        iss: "urn:whopcom:exp-proxy",
+        verify_iss: true,
+        algorithm: "ES256"
+      })
+      payload
+    end
+  end
+end
+
+

data/lib/whop/version.rb

@@ -0,0 +1,5 @@
+module Whop
+  VERSION = "1.0.0"
+end
+
+

data/lib/whop/webhooks/engine.rb

@@ -0,0 +1,17 @@
+require "rails/engine"
+
+module Whop
+  module Webhooks
+    class Engine < ::Rails::Engine
+      isolate_namespace Whop::Webhooks
+
+      initializer "whop.webhooks.routes" do
+        Whop::Webhooks::Engine.routes.draw do
+          post "/", to: "webhooks#receive"
+        end
+      end
+    end
+  end
+end
+
+

data/lib/whop/webhooks/signature.rb

@@ -0,0 +1,52 @@
+require "openssl"
+
+module Whop
+  module Webhooks
+    module Signature
+      module_function
+
+      # Compute hex HMAC-SHA256 digest of the given payload using the secret.
+      def compute(secret, payload)
+        OpenSSL::HMAC.hexdigest("SHA256", secret, payload.to_s)
+      end
+
+      # Compare provided signature header to computed digest in constant time.
+      # Accepts formats like "sha256=<hex>" or raw hex.
+      def valid?(secret, payload, provided)
+        return false if secret.to_s.empty? || payload.nil? || provided.to_s.empty?
+        given = provided.to_s
+        given = given.split("=", 2).last if given.include?("=")
+        expected_primary = compute(secret, payload)
+        return true if secure_compare(expected_primary, given)
+        # Fallback: tolerate JSON formatting differences (dev convenience)
+        normalized = normalize_json(payload)
+        if normalized
+          expected_canonical = compute(secret, normalized)
+          return true if secure_compare(expected_canonical, given)
+        end
+        false
+      end
+
+      def normalize_json(payload)
+        begin
+          obj = JSON.parse(payload)
+          JSON.generate(obj)
+        rescue StandardError
+          nil
+        end
+      end
+
+      # Constant-time comparison to avoid timing attacks.
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+        l = a.unpack("C*")
+        r = b.unpack("C*")
+        result = 0
+        l.zip(r) { |x, y| result |= x ^ y }
+        result.zero?
+      end
+    end
+  end
+end
+
+

data/lib/whop.rb

@@ -0,0 +1,51 @@
+require "active_support"
+require "active_support/core_ext/module/attribute_accessors"
+
+module Whop
+  # Base error type for gem
+  require_relative "whop/error"
+  class Configuration
+    attr_accessor :app_id, :api_key, :webhook_secret, :agent_user_id, :company_id, :api_base_url
+
+    def initialize
+      @api_base_url = "https://api.whop.com"
+    end
+  end
+
+  mattr_accessor :_config, instance_writer: false, default: Configuration.new
+
+  def self.configure
+    yield _config if block_given?
+    _config
+  end
+
+  def self.config
+    _config
+  end
+
+  def self.client
+    require_relative "whop/client"
+    @_client ||= Whop::Client.new(config)
+  end
+
+  def self.api
+    require_relative "whop/dsl"
+    DSL::ClientProxy.new(client, DSL.registry)
+  end
+end
+
+if defined?(Rails)
+  require_relative "whop/webhooks/engine"
+end
+
+# Load default DSL resource mappings
+require_relative "whop/dsl_prelude"
+
+# Ensure webhook signature verifier is loaded for controller usage
+require_relative "whop/webhooks/signature"
+
+# Load controller helpers so apps can include Whop::ControllerHelpers
+require_relative "whop/token"
+require_relative "whop/controller_helpers"
+
+

metadata

@@ -0,0 +1,206 @@
+--- !ruby/object:Gem::Specification
+name: whop
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Nikhil Nelson
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-10-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+description: 'A Rails 7+ gem to build embedded Whop apps. Mirrors Whop''s Next.js
+  template: verification, access control, webhooks, and API client with a small meta-programming
+  DSL.'
+email:
+- thesolohacker47@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- config/routes.rb
+- examples/rails_app/template.rb
+- lib/generators/whop/discover_page/discover_page_generator.rb
+- lib/generators/whop/discover_page/templates/discover_controller.rb
+- lib/generators/whop/discover_page/templates/show.html.erb
+- lib/generators/whop/install/install_generator.rb
+- lib/generators/whop/install/templates/whop.rb
+- lib/generators/whop/install/templates/whop_iframe.rb
+- lib/generators/whop/scaffold/all/all_generator.rb
+- lib/generators/whop/scaffold/company/company_generator.rb
+- lib/generators/whop/scaffold/company/templates/companies_controller.rb
+- lib/generators/whop/scaffold/company/templates/show.html.erb
+- lib/generators/whop/scaffold/experience/experience_generator.rb
+- lib/generators/whop/scaffold/experience/templates/experiences_controller.rb
+- lib/generators/whop/scaffold/experience/templates/show.html.erb
+- lib/generators/whop/webhooks/handler/handler_generator.rb
+- lib/generators/whop/webhooks/handler/templates/job.rb
+- lib/generators/whop/webhooks/install/install_generator.rb
+- lib/whop.rb
+- lib/whop/access.rb
+- lib/whop/client.rb
+- lib/whop/controller_helpers.rb
+- lib/whop/dsl.rb
+- lib/whop/dsl_prelude.rb
+- lib/whop/error.rb
+- lib/whop/token.rb
+- lib/whop/version.rb
+- lib/whop/webhooks/engine.rb
+- lib/whop/webhooks/signature.rb
+homepage: https://github.com/TheSoloHacker47/whop-gem
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key:
+specification_version: 4
+summary: 'Rails integration for Whop Apps: config, token verification, access checks,
+  webhooks, generators.'
+test_files: []