In this tutorial, we'll see how to create a whitelist that allows users with premium accounts unlimited access to premium content on our site.

This guide is a continuation of the free samples tutorial.

First, if you haven't yet done so, go ahead and create the premium content page group. We'll use this page group for our policy to ensure that premium users only have free access to premium pages and not, say, admin pages.

Second, we'll create a visitor group to keep track of premium users. Go to the visitor groups page and click the "New visitor group" button. Our visitor group will contain all the user IDs of premium users.

visitor group named "premium users" with visitors "11", "22", and "33"

You can start it out with any user IDs you already know, or add them in later. User IDs can be added via the web interface or web API.

curl  "$ID/visitors" \
-d "visitor=44"

Lastly, we'll create the policy to tie it all together. Go to the policies page and click the "New policy" button. We'll have this policy always allow premium users access to our site's premium content.

policy named "premium access" that reads "When visitors in premium users visits premium content page(s) 1 time in 180 days then allow visit."

The amount of time is not important, but make sure the number of times is set to 1 in the Frequency section. This guarantees that that our policy will trigger every time a premium user visits.

Note that our premium access policy must have a higher priority (a higher priority number) than the free samples policy in order for this configuration to work. Policies with higher priority are checked first, and we want to make sure premium users are allowed by premium access before they can be denied.

human with user ID 1 visits page "/premium/content", web server asks Gatekeeper what to do, Gatekeeper returns "allow", web server returns content

human with user ID 796 visits page "/premium/content", web server asks Gatekeeper what to do, Gatekeeper returns "deny", web server returns error

After this configuration, you will want to ensure that the "premium users" visitor group accurately reflects the set of your premium users. For example, whenever a user pays for a subscription, you can use Gatekeeper's visitor group API to add a user ID to the visitor group. Likewise, when a subscription expires, you can use Gatekeeper's API to remove a user ID from the visitor group. If you want to periodically check to make sure that the visitor group list is accurate, you can also use Gatekeeper's API to list visitors in a specific group.