WP Mobile Apps

Recipe: Bypass IAP for a specific user

Goal

Give a single named user full access to the app without making them go through the paywall — typically because they’re a press contact, a comp account, a beta tester, or a partner. After this recipe, the named user will see content as if they were already subscribed, without you needing to issue a real App Store / Play Store purchase or fabricate a WooCommerce order.

This is the per-user equivalent of the automatic exemption administrators already get.

Prerequisites

  • WP Admin access with edit_user capability for the user you’re modifying
  • The user already exists in WordPress (this recipe doesn’t cover creating users)

How the bypass works

The plugin adds an IAP information section to the WordPress user profile screen with a single checkbox: IAP not required. When checked, it writes the user meta iap_not_required with value 'yes'.

There are two consumers of this meta:

  1. The mobile JSON pipeline. When the user authenticates, mam-main resolves the user, and any code subscribed to Hook: mam_iap_require_iap can read iap_not_required and force inapp_has_iap / inapp_is_required to 'no'. The mam-main core (or a sibling plugin) is the typical subscriber.
  2. App-side gating logic. The app’s own gating may also consult inapp_is_required / inapp_has_iap in the payload, which the filter chain has already adjusted.

The plugin sets the meta but does not itself read it. The actual exemption is delivered by mam_iap_require_iap. If your stack does not have a subscriber for that filter that reads iap_not_required, checking the box has no effect on its own. See Hook: mam_iap_require_iap for the filter contract.

Administrators are exempted unconditionally by phone-manager.php regardless of this flag — there’s nothing to do for admin accounts.

Steps

1. Open the user’s profile

Go to Users → All Users, click the user you want to exempt. Or, if you’re modifying your own profile, use Users → Profile.

2. Find the IAP information section

Scroll to the bottom of the profile page. You’ll see a section headed IAP information with a single field labeled IAP not required.

3. Check the box

Tick IAP not required and click Update User (or Update Profile for your own account).

The save handler verifies the standard WordPress profile nonce (update-user_{user_id}) and the edit_user capability for the target user before writing iap_not_required to user meta.

4. Verify

Sign in as the affected user (or check the phone-data response for that user) and confirm:

  • The paywall does not appear
  • Content gated behind a subscription is accessible

If the paywall still appears, check:

  • That you saved on the right user
  • That a mam_iap_require_iap subscriber exists in your stack and reads the iap_not_required meta — see Hook: mam_iap_require_iap
  • That you’re not signed in as the user from a stale session — sign out and back in to refresh the cached payload

Removing the exemption

Uncheck IAP not required and save. The plugin distinguishes between unchecked and absent: when the box is unticked on save, the plugin deletes the iap_not_required user meta entirely, rather than storing 'no'. So a user without the box ever ticked and a user who had it ticked then unticked end up in the same state.

Common gotchas

  • The box is on every profile, including admins. Admins are already exempt regardless. Ticking it on an admin account is harmless but redundant.
  • The exemption requires a subscriber. This plugin only stores the flag. The flag becoming an actual paywall bypass depends on a mam_iap_require_iap filter callback reading the meta. If you’re rolling your own stack and seeing no effect, that’s the missing piece.
  • The user has to be authenticated. The phone-data pipeline can only consult iap_not_required after mam_update_current_user resolves a real user. Anonymous app traffic is treated by the global inapp_is_required flag from Recipe: Configure IAP settings.
  • No bulk operation. There’s no admin tool to flip many users at once. For larger exemption lists, write a one-shot CLI script or use update_user_meta() directly.

Variations

Exempt by role

If the goal is “everyone in this role bypasses IAP,” skip per-user meta and instead subscribe to Hook: mam_iap_require_iap with logic like if ( current_user_can( 'editor' ) ) return 'no';. That’s faster and cleaner than checking a box on every editor’s profile.

Exempt by feature flag

To toggle the paywall globally based on something the General Settings tab can’t express (a date window, a server-load condition, a remote feature flag), use Hook: mam_iap_require_iap.

Verification

This article was last verified against:

  • Plugin: mam-inapp-purchase-manager v2.0
  • Source: mam-inapp-purchase-manager.php (mam_admin_manage_user_iap, save_user_iap_fields)
  • User meta key: iap_not_required

Re-verify whenever the user meta key name changes, the profile section is renamed or moved, or the nonce/capability check in save_user_iap_fields() changes.

  • Plugin overview: mam-inapp-purchase-manager
  • Recipe: Configure IAP settings
  • Hook: mam_iap_require_iap

Metadata

Field Value
Article type Recipe (Admin)
Plugin slug mam-inapp-purchase-manager
Applies to plugin version 2.0+
Category Building Your App
Audience WordPress admin
Estimated time 5 minutes
Last verified 2026-05-01

Related Articles

Contents

    Need Support?

    Can’t find the answer you’re looking for? Don’t worry we’re here to help!

    Contact Support