May 3, 2026

Whop MCP API Key Guide

Which Whop API key to use with MCP, how Company API Keys and App API Keys differ, and how to reduce risk before authorizing an AI client.

Summary

Your Whop MCP setup is only as safe as the API key behind it. The MCP client is the interface. The API key is the authority. If the key can refund payments, update products, cancel memberships, or inspect private data, then an AI agent may be able to request those operations through MCP.

Whop documents two key types that matter for MCP authentication: Company API Keys and App API Keys. Use a Company API Key when the agent should work only with your own company's data. Use an App API Key when you are building an app that needs access across the companies that installed it.

Company API Key

A Company API Key is the normal choice for sellers, operators, and internal workflows. It should access only your company's data.

Use this for:

The safer pattern is to create a dedicated key for the MCP workflow rather than reusing an old, broad key. If Whop lets you control the key's scope, keep it as narrow as the task allows. If you cannot narrow the key enough, narrow the prompt and the approval process instead.

App API Key

An App API Key is for app developers. Use it when the AI agent is helping with an app that can access data across companies that installed the app.

This is a different risk profile. A mistake can affect more than your own company. App-key workflows should have stricter review, separate test environments where possible, and a clearer audit trail.

Use an App API Key for:

Do not use an App API Key just because a Company API Key failed. First understand why the company key failed.

What not to do with keys

Do not commit keys to a public repo. Do not paste keys into Markdown files, screenshots, issue reports, or blog drafts. Do not put a real key in src/, public/, .env.example, or any file that ships to a website.
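A check that catches these mistakes before they reach a commit, added here as an example and not Whop's or any MCP client's own code. It assumes the key is stored under the environment-variable name WHOP_API_KEY (the guide does not name one, so that is an assumption) and treats any value that is not an obvious placeholder as real: a real value anywhere in a tracked file is flagged, and a real value under src/, public/ or in .env.example is flagged as shipping to the website. The sample repository and its key values are constructed, not real keys.

```python
import re
import subprocess
import sys

# Added example, not Whop's or any MCP client's code. Assumptions not taken
# from the guide: the key is stored under the environment-variable name
# WHOP_API_KEY, and placeholder values look like "", "your-api-key-here",
# "xxxx", "<paste key>", "${WHOP_API_KEY}", "$WHOP_API_KEY" or "changeme".
# Whop's real key format is not assumed; anything that is not a placeholder
# is treated as a real key.
ENV_NAME = "WHOP_API_KEY"

# Files the guide singles out: anything that ships to the website
# (src/, public/) and the template .env.example.
SHIPPED_PATH = re.compile(r"(^|/)(src|public)/|(^|/)\.env\.example$")

# "WHOP_API_KEY=value", "WHOP_API_KEY: value" and '"WHOP_API_KEY": "value"'
# (dotenv, YAML and JSON styles, including an MCP client config's "env" map).
ASSIGNMENT = re.compile(
    rf'["\']?{ENV_NAME}["\']?\s*[=:]\s*["\']?(?P<value>[^"\'\s,]*)'
)

PLACEHOLDER = re.compile(
    r"^$|^<.*>$|^\$\{.*\}$|^\$[A-Z_]+$|^x+$|your[-_ ]?(api[-_ ]?)?key|changeme",
    re.IGNORECASE,
)


def looks_real(value: str) -> bool:
    """True unless the value is empty, a template marker or an env reference."""
    return PLACEHOLDER.search(value) is None


def find_key_leaks(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_number, reason) for each line carrying a real key.

    `files` maps a repo-relative path to its content, for example the staged
    files in a pre-commit hook. A placeholder in .env.example is fine; a real
    value anywhere is not, and a real value in a shipped file is worse.
    """
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            match = ASSIGNMENT.search(line)
            if match is None or not looks_real(match.group("value")):
                continue
            if SHIPPED_PATH.search(path):
                reason = "real key in a file that ships to the website"
            else:
                reason = "real key in tracked file"
            findings.append((path, lineno, reason))
    return findings


# Constructed sample repository; the key values are made up, not real keys.
SAMPLE_FILES = {
    ".env.example": "WHOP_API_KEY=your-api-key-here\n",
    ".env": "WHOP_API_KEY=k_3f9c1d2e4b5a6c7d8e9f\n",
    "src/config.ts": 'const key = process.env.WHOP_API_KEY ?? "";\n',
    "public/demo.md": "Run with WHOP_API_KEY=k_abc123def456 to try it\n",
    "mcp.json": '{"env": {"WHOP_API_KEY": "${WHOP_API_KEY}"}}\n',
}


def staged_files() -> dict[str, str]:
    """Read the files staged for commit, for use as a git pre-commit hook."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    staged = {}
    for name in names:
        # "git show :path" reads the staged blob, not the working-tree file.
        staged[name] = subprocess.run(
            ["git", "show", f":{name}"],
            capture_output=True, text=True, errors="replace", check=True,
        ).stdout
    return staged


if __name__ == "__main__":
    target = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    leaks = find_key_leaks(target)
    for path, lineno, reason in leaks:
        print(f"{path}:{lineno}: {reason}")
    sys.exit(1 if leaks else 0)
```

Run it without arguments to see the two findings in the constructed sample (.env and public/demo.md); wire it into .git/hooks/pre-commit with `--staged` to block the commit instead. It deliberately does not try to recognise a key by format, so it never needs to know what a Whop key looks like, and a placeholder in .env.example passes as the guide intends.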

Do not use one permanent key for every tool. If a key leaks, you want to know which workflow exposed it and rotate only that key.

Do not give an AI client broad permissions and then ask vague prompts. "Clean up my store" is not a safe instruction. "List memberships with failed payments and propose next steps without modifying data" is a safe starting point.

Safe first-session checklist

Before your first real MCP session:

  1. Create or choose the narrowest usable key.
  2. Confirm whether the task is company-level or app-level.
  3. Connect the MCP client.
  4. Ask the client to list tools without calling write actions.
  5. Run one read-only test call.
  6. Review the result.
  7. Only then authorize a specific write action if needed.

Use this prompt:

Before calling any Whop MCP tool, explain whether the action is read-only or write-capable. Do not create, update, delete, cancel, refund, pause, resume, message, or modify data without explicit confirmation.
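Steps 4 to 7 of the checklist and the prompt above can be enforced in the client rather than left to the model. The following Python is an added example, not Whop's MCP server or any client's code: it classifies a tools/list result and gates write-capable calls behind explicit confirmation. The tool names and descriptions are a constructed sample, not Whop's real MCP tools, and the write verbs are the ones the prompt lists.

```python
import json
import re

# Added example, not Whop's MCP server or any client's code. The tool list is
# a constructed tools/list response; the tool names and descriptions are
# invented for illustration, not Whop's real MCP tools. The verbs are the ones
# the guide's prompt names; extend the tuple for your own tool set.
WRITE_VERBS = ("create", "update", "delete", "cancel", "refund", "pause",
               "resume", "message", "modify")

TOOLS_LIST_RESPONSE = json.loads("""
{
  "tools": [
    {"name": "list_memberships",
     "description": "List memberships for the company.",
     "annotations": {"readOnlyHint": true}},
    {"name": "get_payment",
     "description": "Fetch one payment by id.",
     "annotations": {"readOnlyHint": true}},
    {"name": "refund_payment",
     "description": "Refund a payment.",
     "annotations": {"readOnlyHint": false, "destructiveHint": true}},
    {"name": "update_product",
     "description": "Update a product's price or visibility."},
    {"name": "send_message",
     "description": "Send a message to a member.",
     "annotations": {"readOnlyHint": true}}
  ]
}
""")


def index_tools(tools_list_response: dict) -> dict[str, dict]:
    """Step 4 of the checklist: take the tools/list result and index by name."""
    return {tool["name"]: tool for tool in tools_list_response["tools"]}


def classify(tool: dict) -> str:
    """Return "read" or "write", erring toward "write".

    A tool is read-only only if its server-supplied annotations say so AND no
    word in its name or description starts with a write verb. The MCP spec
    treats annotations as untrusted hints, so a server (or a tampered tool
    description) that marks send_message read-only must not get a free pass.
    A read-only tool whose description mentions "created" is classified
    "write" too; that false positive only costs one confirmation.
    """
    annotations = tool.get("annotations") or {}
    if not annotations.get("readOnlyHint", False):
        return "write"
    if annotations.get("destructiveHint", False):
        return "write"
    text = f"{tool['name']} {tool.get('description', '')}".lower()
    words = re.findall(r"[a-z]+", text)
    if any(word.startswith(verb) for word in words for verb in WRITE_VERBS):
        return "write"
    return "read"


def read_only_tools(tools: dict[str, dict]) -> list[str]:
    """The tools a first session may call without confirmation."""
    return sorted(name for name, tool in tools.items() if classify(tool) == "read")


def gate(tool_name: str, tools: dict[str, dict], confirmed: bool = False) -> tuple[bool, str]:
    """Decide whether a tool call may go to the server.

    Returns (allowed, reason). Write-capable tools need confirmed=True, which
    should only ever be set from an explicit user decision for that one call,
    never from the model's own output.
    """
    tool = tools.get(tool_name)
    if tool is None:
        return False, f"{tool_name}: not in tools/list"
    if classify(tool) == "read":
        return True, f"{tool_name}: read-only"
    if confirmed:
        return True, f"{tool_name}: write-capable, explicitly confirmed"
    return False, f"{tool_name}: write-capable, confirmation required"


if __name__ == "__main__":
    tools = index_tools(TOOLS_LIST_RESPONSE)
    for name, tool in tools.items():
        print(f"{name:18} {classify(tool)}")
    print(gate("list_memberships", tools))
    print(gate("refund_payment", tools))
    print(gate("refund_payment", tools, confirmed=True))
```

The prompt is a request to the model; the gate is a control the model cannot talk its way past. In the sample, send_message is caught as write-capable even though its annotation claims read-only, which is why the classifier checks the verbs as well as the hint, and only list_memberships and get_payment qualify for the read-only test call in step 5.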

Rotating keys

Rotate a key if it was pasted into a chat, committed to git, shared in a screenshot, used on an untrusted machine, or used in a test setup you no longer control.

After rotation, update the MCP client config or reauthorize the remote connector. Then restart the client and run the read-only connection test again.

Company key or app key?

Use a Company API Key if the sentence starts with "my Whop" or "our company." Use an App API Key if the sentence starts with "companies that installed my app" or "our app's customers."

If the distinction is still unclear, stop and clarify before connecting MCP. Choosing the wrong key is not just a technical mistake. It changes what data the agent can reach.
