DEV Community: Doğukan Karakaş The latest articles on DEV Community by Doğukan Karakaş (@east). https://dev.to/east https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2148153%2F4e176cec-abac-404f-a709-9a8802e7aa87.jpg DEV Community: Doğukan Karakaş https://dev.to/east en I built a full StockX clone with Next.js and Whop Doğukan Karakaş Fri, 13 Mar 2026 16:10:52 +0000 https://dev.to/east/i-built-a-full-stockx-clone-with-nextjs-and-whop-3520 https://dev.to/east/i-built-a-full-stockx-clone-with-nextjs-and-whop-3520 <p>I spent a few days building a StockX clone called <a href="https://stockx-clone-zeta.vercel.app/" rel="noopener noreferrer">Swaphause</a>. Real-time bid/ask marketplace, escrow payments, seller identity verification, embedded buyer-seller chat per trade. It's a single Next.js project and the whole thing is <a href="https://github.com/east-6/stockx-clone" rel="noopener noreferrer">on GitHub</a>.</p> <p>The matching engine and product pages were the parts I expected to be hard. They were interesting, but manageable, standard algorithms and React. What I was actually dreading was the marketplace infrastructure: escrow payments where funds are held until a product is authenticated, routing money to individual sellers, handling KYC so sellers can actually receive payouts, and building a real-time chat system so buyers and sellers can coordinate shipping. Those are the kinds of problems that turn a side project into a multi-month ordeal.</p> <p>I ended up using <a href="https://whop.com" rel="noopener noreferrer">Whop</a> for all of it, connected accounts, KYC, escrow, webhooks, embedded chat, one SDK. I'll explain what I mean.</p> <h2> What's in the box </h2> <p>Swaphause is a bid/ask marketplace. Buyers place bids, sellers place asks, and when prices cross, a trade executes automatically. Here's what it does:</p> <ul> <li>Bid/ask matching engine with automatic trade execution</li> <li>Real-time pricing via Supabase Realtime</li> <li>Escrow payments via Whop for Platforms (connected accounts, KYC, fee splits)</li> <li>OAuth login through Whop (PKCE flow, iron-session cookies)</li> <li>Seller identity verification (KYC) handled by Whop's hosted flow</li> <li>Embedded buyer-seller chat per trade via Whop components</li> <li>Product authentication/verification admin flow</li> <li>Search, category filters, custom pagination</li> <li>User dashboard with portfolio, active orders, trade history</li> <li>In-app notifications for bids, payments, shipping</li> </ul> <p>Stack: Next.js 15 (App Router), Prisma, Supabase, Whop SDK, Zod, deployed on Vercel.</p> <p>It handles real money. You can deploy it and run a marketplace today.</p> <h2> How Whop made the hard parts easy </h2> <h3> Escrow payments without being the merchant </h3> <p>This was the hardest problem. A marketplace like StockX doesn't just charge people, it holds funds in escrow until a product is verified as authentic, then pays the seller. If I'd built this from scratch I'd be dealing with payment holds, payout scheduling, refund logic, and compliance.</p> <p>Whop's Direct Charge model handles the escrow pattern. The payment goes directly to the seller's connected account, the platform takes a percentage via <code>application_fee_amount</code>, and the funds are held until the product clears authentication. Swaphause is never the merchant of record.</p> <p>Here's the checkout creation. This is the core of the payment system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createCheckoutForTrade</span><span class="p">(</span> <span class="nx">trade</span><span class="p">:</span> <span class="nx">TradeForCheckout</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CheckoutResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">checkoutConfig</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whopsdk</span><span class="p">.</span><span class="nx">checkoutConfigurations</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">redirect_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_APP_URL</span><span class="p">}</span><span class="s2">/api/trades/</span><span class="p">${</span><span class="nx">trade</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">/payment-callback`</span><span class="p">,</span> <span class="na">plan</span><span class="p">:</span> <span class="p">{</span> <span class="na">company_id</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">seller</span><span class="p">.</span><span class="nx">connectedAccountId</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">"</span><span class="s2">usd</span><span class="dl">"</span><span class="p">,</span> <span class="na">initial_price</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">price</span><span class="p">,</span> <span class="na">plan_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">one_time</span><span class="dl">"</span><span class="p">,</span> <span class="na">application_fee_amount</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">platformFee</span><span class="p">,</span> <span class="p">},</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">tradeId</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">buyerId</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">buyerId</span><span class="p">,</span> <span class="na">sellerId</span><span class="p">:</span> <span class="nx">trade</span><span class="p">.</span><span class="nx">sellerId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">checkoutUrl</span><span class="p">:</span> <span class="nx">checkoutConfig</span><span class="p">.</span><span class="nx">purchase_url</span> <span class="k">as</span> <span class="kr">string</span><span class="p">,</span> <span class="na">checkoutId</span><span class="p">:</span> <span class="nx">checkoutConfig</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>That single SDK call creates a hosted checkout page. The <code>company_id</code> points to the seller's connected account, the <code>application_fee_amount</code> is Swaphause's cut (9.5%), and the <code>metadata</code> carries trade IDs through to the webhook so I know which trade got paid.</p> <p>The money flow: buyer pays → funds held → seller ships → platform authenticates the item → if it passes, payout releases to the seller's account; if it fails, the buyer gets a full refund and the seller's ask reopens.</p> <p>Sellers also need identity verification before they can receive payouts. That's two SDK calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create a connected account under the platform</span> <span class="kd">const</span> <span class="nx">company</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whopsdk</span><span class="p">.</span><span class="nx">companies</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">displayName</span> <span class="o">||</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">parent_company_id</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">WHOP_COMPANY_ID</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Generate hosted KYC URL</span> <span class="kd">const</span> <span class="nx">accountLink</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whopsdk</span><span class="p">.</span><span class="nx">accountLinks</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">company_id</span><span class="p">:</span> <span class="nx">company</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">use_case</span><span class="p">:</span> <span class="dl">"</span><span class="s2">account_onboarding</span><span class="dl">"</span><span class="p">,</span> <span class="na">redirect_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_APP_URL</span><span class="p">}</span><span class="s2">/dashboard`</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Whop hosts the entire KYC flow, identity documents, bank account linking, tax info. Swaphause doesn't see or store any of it.</p> <p>On the webhook side, Whop sends <code>payment.succeeded</code> and <code>payment.failed</code> events. The handler verifies the signature with <code>whopsdk.webhooks.unwrap()</code>, does an idempotency check (so duplicate deliveries don't create duplicate records), and routes each event to the right database update. About 60 lines for the handler plus two event-specific functions, all wrapped in a single Prisma <code>$transaction</code>.</p> <h3> Auth without a password table </h3> <p>Same pattern as my <a href="https://dev.to/east/i-built-a-full-substack-clone-with-nextjs-and-whop-336h">Substack clone</a>. Whop OAuth with PKCE replaces all the password hashing, email verification, reset tokens, and session management. Two API routes and a config object. The login route generates a PKCE challenge, stashes the verifier in an iron-session cookie, and redirects to Whop. The callback exchanges the code for a token, pulls the user profile, upserts them into Postgres, and sets the session.</p> <p>One thing worth calling out: the <code>WHOP_API_BASE</code> env var controls sandbox vs. production for the entire app. Set it to <code>https://sandbox-api.whop.com</code> during development, <code>https://api.whop.com</code> when you go live. One toggle, everything switches.</p> <h3> Chat without building chat </h3> <p>Building a real-time messaging system means WebSocket servers, message persistence, connection state, moderation. Whop has embeddable chat components, so I skipped all of that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ChatElement</span><span class="p">,</span> <span class="nx">ChatSession</span><span class="p">,</span> <span class="nx">Elements</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@whop/embedded-components-react-js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">loadWhopElements</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@whop/embedded-components-vanilla-js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">elements</span> <span class="o">=</span> <span class="nf">loadWhopElements</span><span class="p">({</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">whopEnvironment</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getToken</span><span class="p">({</span> <span class="nx">abortSignal</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">abortSignal</span><span class="p">:</span> <span class="nx">AbortSignal</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/token</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">abortSignal</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">token</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">TradeChat</span><span class="p">({</span> <span class="nx">channelId</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">channelId</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">})</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">channelId</span><span class="p">)</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Chat available once trade is matched.<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">Elements</span> <span class="na">elements</span><span class="p">=</span><span class="si">{</span><span class="nx">elements</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ChatSession</span> <span class="na">token</span><span class="p">=</span><span class="si">{</span><span class="nx">getToken</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ChatElement</span> <span class="na">options</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="nx">channelId</span> <span class="p">}</span><span class="si">}</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">height</span><span class="p">:</span> <span class="dl">"</span><span class="s2">500px</span><span class="dl">"</span><span class="p">,</span> <span class="na">width</span><span class="p">:</span> <span class="dl">"</span><span class="s2">100%</span><span class="dl">"</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">ChatSession</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Elements</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Each trade gets a DM channel auto-created when a bid matches an ask. The matching engine calls Whop's DM channel API, stores the <code>chatChannelId</code> on the trade, and sends an initial system message. Buyers and sellers can coordinate shipping details without leaving the app. I wrote zero backend code for messaging.</p> <h2> The matching engine (the part I actually engineered) </h2> <p>This is probably the most interesting piece from a pure engineering standpoint. When a new bid comes in, the engine needs to find the lowest ask at or below the bid price and execute a trade. The tricky part: two concurrent bids could try to match the same ask.</p> <p>The solution is a double-check-inside-transaction pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Fast path, check outside transaction</span> <span class="kd">const</span> <span class="nx">matchingAsk</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">ask</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">productSizeId</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">productSizeId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ACTIVE</span><span class="dl">"</span><span class="p">,</span> <span class="na">price</span><span class="p">:</span> <span class="p">{</span> <span class="na">lte</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">price</span> <span class="p">},</span> <span class="p">},</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">price</span><span class="p">:</span> <span class="dl">"</span><span class="s2">asc</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">matchingAsk</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Safe path, re-validate inside transaction</span> <span class="kd">const</span> <span class="nx">trade</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ask</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">ask</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">matchingAsk</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ACTIVE</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ask</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">freshBid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">bid</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ACTIVE</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">freshBid</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Trade executes at the ask price (seller's price)</span> <span class="kd">const</span> <span class="nx">tradePrice</span> <span class="o">=</span> <span class="nx">ask</span><span class="p">.</span><span class="nx">price</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">platformFee</span> <span class="o">=</span> <span class="nx">tradePrice</span> <span class="o">*</span> <span class="p">(</span><span class="nx">PLATFORM_FEE_PERCENT</span> <span class="o">/</span> <span class="mi">100</span><span class="p">);</span> <span class="c1">// Mark both as matched, create trade, update product stats</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">bid</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MATCHED</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">ask</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">ask</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MATCHED</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">trade</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">buyerId</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">sellerId</span><span class="p">:</span> <span class="nx">ask</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">productSizeId</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">productSizeId</span><span class="p">,</span> <span class="na">bidId</span><span class="p">:</span> <span class="nx">bid</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">askId</span><span class="p">:</span> <span class="nx">ask</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">price</span><span class="p">:</span> <span class="nx">tradePrice</span><span class="p">,</span> <span class="nx">platformFee</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MATCHED</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Check outside the transaction first (fast path, avoids locking when there's no match), then re-validate inside the transaction (safe path, guarantees no two bids match the same ask). The trade always executes at the ask price, same as StockX.</p> <h2> Things I'd do differently </h2> <p>I'd build the webhook handler first. Same lesson I learned building the Substack clone. It's the most important code in the project because it's where payment state materializes in your database. If it's broken, people pay but your app doesn't know.</p> <p>I'd start on the Whop sandbox from day one. I've done the "start on production then switch" dance before, and it always means recreating your app and re-entering all your credentials.</p> <p>One thing specific to this project: Whop's sandbox doesn't deliver real webhook events. I ended up building a payment callback route as a fallback, after checkout, Whop redirects the buyer to a callback URL with a <code>payment_id</code> param, and the callback verifies payment status directly with the API. Build that from the start instead of debugging why your webhook never fires in sandbox.</p> <p>Also: use the <strong>company</strong> API key, not the app API key. The company key has the permissions needed for <code>company:create_child</code> (creating connected accounts for sellers). I burned time on 403 errors before figuring that out.</p> <h2> Links </h2> <ul> <li> <strong>Demo</strong>: <a href="https://stockx-clone-zeta.vercel.app/" rel="noopener noreferrer">stockx-clone-zeta.vercel.app</a> </li> <li> <strong>Code</strong>: <a href="https://github.com/east-6/stockx-clone" rel="noopener noreferrer">github.com/east-6/stockx-clone</a> </li> <li> <strong>Full tutorial</strong>: <a href="https://whop.com/blog/build-stockx-clone/" rel="noopener noreferrer">3-part walkthrough on the Whop blog</a> covering every file from scaffold to deploy</li> <li> <strong>Whop developer docs</strong>: <a href="https://dev.whop.com" rel="noopener noreferrer">dev.whop.com</a> </li> </ul> <p>The Whop-specific code in the whole project is maybe 400 lines. Everything else is a normal Next.js app. If you're building a marketplace where sellers need to get paid and products need authentication before payout, the <a href="https://dev.whop.com" rel="noopener noreferrer">Whop developer docs</a> are worth looking at.</p> nextjs stockx whop I built a full Substack clone with Next.js and Whop Doğukan Karakaş Mon, 09 Mar 2026 11:32:09 +0000 https://dev.to/east/i-built-a-full-substack-clone-with-nextjs-and-whop-336h https://dev.to/east/i-built-a-full-substack-clone-with-nextjs-and-whop-336h <p>I spent the last few weeks building a Substack clone called <a href="https://penstack-fresh.vercel.app/" rel="noopener noreferrer">Penstack</a>. Rich text editor, paid subscriptions where money goes directly to writers, OAuth login, embedded chat per publication.</p> <p>The editor and publication pages were the parts I thought would be hard. They weren't, honestly. Standard React. What I was dreading was the payments layer: routing money to individual creators, handling identity verification, dealing with tax stuff. And then building a chat system on top of that. Those are the kinds of features that turn a weekend project into a quarter-long slog.</p> <p>I ended up using Whop for all of it, and most of those problems just... went away. I'll explain what I mean.</p> <h2> What's in the box </h2> <p>Penstack is a multi-writer publishing platform. Readers browse, subscribe to writers, and get access to paid content. Writers get a rich text editor, an analytics dashboard, and a chat channel for their community. Here's what it does:</p> <ul> <li>Rich text editor (Tiptap) with images, code blocks, formatting, links</li> <li>Custom paywall break: writers drop a marker anywhere in a post, and everything below it is gated</li> <li>Paid subscriptions via Whop Direct Charges. Money goes to the writer, Penstack takes 10%</li> <li>OAuth login through Whop (PKCE flow, iron-session cookies)</li> <li>Identity verification (KYC) for writers, handled by Whop's hosted flow</li> <li>Embedded chat per publication using Whop's React components</li> <li>Explore page with trending writers and category filters</li> <li>Notifications for follows, subscriptions, and payments</li> <li>Writer dashboard with subscriber/follower/view counts</li> </ul> <p>Stack: Next.js 15 (App Router), Prisma 7, Supabase for Postgres, Tiptap for the editor, Whop SDK, UploadThing for images, deployed on Vercel.</p> <p>It handles real money. You can deploy it and charge people today.</p> <h2> How Whop made the hard parts easy </h2> <h3> Auth without a password table </h3> <p>I've implemented email/password auth from scratch before. Password hashing, email verification, reset token generation and expiration, session management, CSRF protection. It takes a while and it's never fun. The Whop OAuth setup replaced all of that with two API routes and a config object.</p> <p>The whole OAuth config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">isSandbox</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WHOP_SANDBOX</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">true</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">whopDomain</span> <span class="o">=</span> <span class="nx">isSandbox</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">sandbox.whop.com</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">whop.com</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">whopApiDomain</span> <span class="o">=</span> <span class="nx">isSandbox</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">sandbox-api.whop.com</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">api.whop.com</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">WHOP_OAUTH</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authorizationUrl</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">whopDomain</span><span class="p">}</span><span class="s2">/oauth`</span><span class="p">,</span> <span class="na">tokenUrl</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">whopApiDomain</span><span class="p">}</span><span class="s2">/oauth/token`</span><span class="p">,</span> <span class="na">userInfoUrl</span><span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">whopApiDomain</span><span class="p">}</span><span class="s2">/oauth/userinfo`</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WHOP_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WHOP_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">scopes</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">openid</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">profile</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">],</span> <span class="na">redirectUri</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_APP_URL</span><span class="p">}</span><span class="s2">/api/auth/callback`</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <p>The login route generates a PKCE challenge, stashes the verifier in an iron-session cookie, and redirects to Whop. The callback exchanges the authorization code for a token, pulls the user profile from <code>/oauth/userinfo</code>, upserts them into Postgres, and sets the session. That's it. No password table, no token rotation, no "forgot password" flow.</p> <p>One thing I really like: the <code>WHOP_SANDBOX</code> toggle. Set it to <code>true</code> during development and every OAuth call hits the sandbox environment instead of production. When you're ready to go live, just remove it.</p> <h3> Payments in about 100 lines </h3> <p>This was the feature I was most nervous about. If I'd gone the Stripe Connect route, I'd be building account onboarding flows, managing payout schedules, handling currency edge cases for different countries. That alone could eat weeks.</p> <p>Whop's Direct Charge model skips most of that complexity. The payment goes directly to the writer's connected account, and Penstack takes a 10% application fee. Penstack is never the merchant of record, which means I'm not on the hook for refunds, chargebacks, or international tax compliance.</p> <p>Here's the checkout route. This is the core of the whole payments system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">priceInCents</span> <span class="o">=</span> <span class="nx">writer</span><span class="p">.</span><span class="nx">monthlyPriceInCents</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">priceInDollars</span> <span class="o">=</span> <span class="nx">priceInCents</span> <span class="o">/</span> <span class="mi">100</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">applicationFee</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">priceInCents</span> <span class="o">*</span> <span class="nx">PLATFORM_FEE_PERCENT</span><span class="p">)</span> <span class="o">/</span> <span class="mi">10000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">checkout</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whop</span><span class="p">.</span><span class="nx">checkoutConfigurations</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">plan</span><span class="p">:</span> <span class="p">{</span> <span class="na">company_id</span><span class="p">:</span> <span class="nx">writer</span><span class="p">.</span><span class="nx">whopCompanyId</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">"</span><span class="s2">usd</span><span class="dl">"</span><span class="p">,</span> <span class="na">renewal_price</span><span class="p">:</span> <span class="nx">priceInDollars</span><span class="p">,</span> <span class="na">billing_period</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">plan_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">renewal</span><span class="dl">"</span><span class="p">,</span> <span class="na">release_method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">buy_now</span><span class="dl">"</span><span class="p">,</span> <span class="na">application_fee_amount</span><span class="p">:</span> <span class="nx">applicationFee</span><span class="p">,</span> <span class="na">product</span><span class="p">:</span> <span class="p">{</span> <span class="na">external_identifier</span><span class="p">:</span> <span class="s2">`penstack-writer-</span><span class="p">${</span><span class="nx">writer</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">writer</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> Subscription`</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">redirect_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_APP_URL</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">writer</span><span class="p">.</span><span class="nx">handle</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">writerId</span><span class="p">:</span> <span class="nx">writer</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">checkout</span><span class="p">.</span><span class="nx">purchase_url</span> <span class="p">});</span> </code></pre> </div> <p>That single SDK call creates the plan, the product, and a hosted checkout page. The <code>application_fee_amount</code> field is where Penstack takes its cut. The <code>metadata</code> carries user and writer IDs through to the webhook so I know who subscribed to whom.</p> <p>The subscriber flow looks like this: they click "Subscribe," my server creates the checkout config, Whop hosts the actual payment page, and after payment succeeds Whop fires a <code>membership.activated</code> webhook. My handler picks that up and creates the subscription record in Postgres.</p> <p>Writers also need identity verification before they can accept payments. That's two more SDK calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create a connected account under the platform</span> <span class="kd">const</span> <span class="nx">company</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whop</span><span class="p">.</span><span class="nx">companies</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">writer</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">parent_company_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WHOP_COMPANY_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">writer</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Generate hosted KYC URL</span> <span class="kd">const</span> <span class="nx">setupCheckout</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">whop</span><span class="p">.</span><span class="nx">checkoutConfigurations</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">company_id</span><span class="p">:</span> <span class="nx">company</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">setup</span><span class="dl">"</span><span class="p">,</span> <span class="na">redirect_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_APP_URL</span><span class="p">}</span><span class="s2">/settings`</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Whop hosts the whole KYC flow. Identity documents, bank account linking, tax info. Penstack doesn't see or store any of it.</p> <p>On the webhook side, Whop sends events like <code>payment.succeeded</code> and <code>membership.activated</code>. The webhook handler verifies the signature, does an idempotency check (so duplicate deliveries don't create duplicate records), and routes each event type to the right database update. About 60 lines for the handler plus four event-specific functions.</p> <h3> Chat without building chat </h3> <p>I was fully prepared to skip this feature. Building a real-time chat system means WebSocket servers, message persistence, connection state management, moderation tooling. It's a ton of infrastructure for something that isn't core to a publishing platform.</p> <p>But Whop has embeddable chat components, so I tried them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Elements</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@whop/embedded-components-react-js</span><span class="dl">"</span><span class="p">;</span> <span class="p">&lt;</span><span class="nc">Elements</span> <span class="na">elements</span><span class="p">=</span><span class="si">{</span><span class="nx">elements</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ChatSession</span> <span class="na">token</span><span class="p">=</span><span class="si">{</span><span class="nx">getToken</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ChatElement</span> <span class="na">options</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="nx">channelId</span> <span class="p">}</span><span class="si">}</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">height</span><span class="p">:</span> <span class="dl">"</span><span class="s2">500px</span><span class="dl">"</span><span class="p">,</span> <span class="na">width</span><span class="p">:</span> <span class="dl">"</span><span class="s2">100%</span><span class="dl">"</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">ChatSession</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Elements</span><span class="p">&gt;</span> </code></pre> </div> <p>That's the whole chat implementation on the frontend. Each writer's publication has a <code>channelId</code>, and the <code>token</code> prop grabs the user's OAuth access token from a lightweight API endpoint. Writers can also set their chat to subscriber-only with a boolean toggle. I wrote zero backend code for messaging.</p> <h2> The paywall break (the part I actually engineered) </h2> <p>This is probably the most interesting piece from a pure engineering standpoint. Substack gives you a binary choice: a post is free or it's paid. Penstack lets writers place the paywall break <em>wherever they want</em> in a post. Write three paragraphs of free preview to hook the reader, then drop the break, and everything after it requires a subscription.</p> <p>It's a custom Tiptap node, defined as an <code>atom</code> in the <code>block</code> group so it sits between paragraphs like a horizontal rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Node</span><span class="p">,</span> <span class="nx">mergeAttributes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tiptap/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">PaywallBreak</span> <span class="o">=</span> <span class="nx">Node</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">paywallBreak</span><span class="dl">"</span><span class="p">,</span> <span class="na">group</span><span class="p">:</span> <span class="dl">"</span><span class="s2">block</span><span class="dl">"</span><span class="p">,</span> <span class="na">atom</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nf">parseHTML</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[{</span> <span class="na">tag</span><span class="p">:</span> <span class="dl">'</span><span class="s1">div[data-type="paywall-break"]</span><span class="dl">'</span> <span class="p">}];</span> <span class="p">},</span> <span class="nf">renderHTML</span><span class="p">({</span> <span class="nx">HTMLAttributes</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">,</span> <span class="nf">mergeAttributes</span><span class="p">(</span><span class="nx">HTMLAttributes</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">data-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">paywall-break</span><span class="dl">"</span><span class="p">,</span> <span class="na">class</span><span class="p">:</span> <span class="dl">"</span><span class="s2">paywall-break</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="dl">"</span><span class="s2">Content below is for paid subscribers only</span><span class="dl">"</span><span class="p">,</span> <span class="p">];</span> <span class="p">},</span> <span class="nf">addCommands</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">setPaywallBreak</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">commands</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">commands</span><span class="p">.</span><span class="nf">insertContent</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="p">});</span> <span class="p">},</span> <span class="p">};</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Writers insert it from the toolbar (there's a lock icon) or with <code>Cmd+Shift+P</code>. In the editor it renders as a visible divider with a label.</p> <p>The server-side part is dead simple. When saving a post, the client scans the Tiptap JSON for the break's position:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">paywallIndex</span><span class="p">:</span> <span class="kr">number</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">content</span><span class="p">?.</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">idx</span> <span class="o">=</span> <span class="nx">content</span><span class="p">.</span><span class="nx">content</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span> <span class="p">(</span><span class="nx">node</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">node</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">paywallBreak</span><span class="dl">"</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">idx</span> <span class="o">!==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="nx">paywallIndex</span> <span class="o">=</span> <span class="nx">idx</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>That index gets stored on the post record. When a non-subscriber loads the article, the server slices the content array at that position and only sends back what's above the break. The node itself doesn't know anything about pricing or subscription status. It's just a position marker. All the access control happens on the server.</p> <h2> Things I'd do differently </h2> <p>I'd build the webhook handler first if I started over. It's the most important code in the project because it's where payment state actually materializes in your database. If the webhook handler is broken, people pay but your app has no idea. I burned a couple hours on a signature verification bug that turned out to be a trailing newline in the webhook secret. (<code>printf</code>, not <code>echo</code>, when setting env vars through a CLI. Lesson learned.)</p> <p>I'd also use the Whop sandbox (<code>sandbox.whop.com</code>) from the very beginning. I started on production and switched to sandbox later, which meant recreating my app and re-entering all my credentials again. Starting on sandbox and switching to production when you're ready is way smoother.</p> <p>The other thing: if you're deploying to Vercel with Supabase, use the Vercel integration instead of setting up Supabase manually. It populates your connection strings automatically, and you avoid the whole "which pooler port do I use" confusion. (Transaction mode on port 6543 for your app, session mode on port 5432 for Prisma migrations. I mixed them up more than once.)</p> <h2> Links </h2> <ul> <li> <strong>Demo</strong>: <a href="https://penstack-fresh.vercel.app" rel="noopener noreferrer">penstack-fresh.vercel.app</a> </li> <li> <strong>Full tutorial</strong>: <a href="https://whop.com/blog/build-substack-clone/" rel="noopener noreferrer">7-part walkthrough on the Whop blog</a> covering every file from scaffold to deploy</li> <li> <strong>Whop developer docs</strong>: <a href="https://dev.whop.com" rel="noopener noreferrer">dev.whop.com</a> </li> </ul> <p>The Whop-specific code in the whole project is maybe 300 lines. Everything else is a normal Next.js app. If you're building something where creators need to get paid, the <a href="https://dev.whop.com" rel="noopener noreferrer">Whop developer docs</a> are worth looking at.</p> webdev nextjs whop