whop-client — Cursor Rules

• auth: • sendOTP(email) → ticket. • verify({ code, ticket, persist? }) → populates tokens, optional session persistence. • refresh() currently unimplemented; rely on automatic refresh instead. • apps: • get(appId) returns rich public metadata, including nested access pass attachments. • getCredentials(appId, companyId) exposes API keys, URLs, permissions, agent users, stats. • create(input) builds a company app and flattens API keys/agent users from nodes wrappers. • update(appId, input) mutates app metadata and returns the full UpdatedApp payload. • getUrl(appId, companyId) derives the dashboard URL via companies.listExperiences. • companies: • list() fetches owned companies. • listApps(companyId) returns app summaries (includes DAU/WAU/MAU/time spent). • installApp(companyId, appId, options?) installs an app, optionally attaching to experiences/access passes. • listExperiences(companyId, options?) paginates experiences with optional filters. • listAccessPasses(companyId, options?) and createAccessPass, updateAccessPass manage storefront products. • createPlan, updatePlan, listAccessPassPlans manage pricing plans (renewals, one-time, expiration). • me.get() returns the authenticated user profile (email, username, avatar variants).

• Import types from the package root (import type { Company, AppCredentials } from '@whoplabs/whop-client'). Entry file src/index.ts re-exports the relevant interfaces. • DTOs correspond closely to GraphQL shapes; avoid mutating them in-place. If CLI needs view models, derive new objects without altering originals.

• Provide Cursor with a shared mental model for projects that wrap @whoplabs/whop-client inside a CLI. • Preserve the SDK contracts: instantiate Whop, call resource methods, and let the SDK handle authentication token refresh and error types. • Favor composition over reimplementation: reuse the SDK helpers (graphqlRequest, session utilities, error classes) instead of rolling new network/auth code.

• Entry point: src/client.ts exports Whop, which wires resources (auth, apps, companies, me) and keeps auth tokens + session file path. • Low-level helpers in src/lib: • errors defines typed errors (WhopError base + Auth/API/Network/Parse variants) that consumers should surface to users. • graphql.ts builds Whop GraphQL requests, sends cookie-authenticated fetch calls, and invokes _updateTokens when the API rotates credentials. • session.ts persists tokens on disk with saveSession/loadSessionSync. • server-actions.ts scrapes Next.js bundles to extract server action IDs required for login; heavy network call but cached per process. • cookies.ts parses Set-Cookie headers into the AuthTokens shape. • rsc.ts posts multipart payloads to Next.js server actions and parses minimal RSC responses. • Resources in src/resources are thin facades that: • assert authentication by calling client.getTokens() and throwing WhopAuthError if missing. • declare the GraphQL document inline, call graphqlRequest, flatten nodes wrappers, and return typed data structures. • Auth uses server actions instead of GraphQL, handles OTP login, extracts tokens, and optionally persists to disk. • src/types re-exports all DTOs used by the resources for CLI display, prompts, and validation.