Paddle Logo
Paddle Classic
Get Started
Guides
API Reference
Webhooks
Reference
Search
Login
Webhook Reference
Webhook Reference
Security
Verifying Webhooks
Order Fulfillment
Fulfillment Webhook
Order Fulfillment
Subscription Alerts
Overview
Subscription Created
Subscription Updated
Subscription Cancelled
Subscription Payment Succeeded
Subscription Payment Failed
Subscription Payment Refunded
One-off Purchase Alerts
Overview
Order Processing Completed
Payment Refunded
Payment Succeeded
Risk & Dispute Alerts
Overview
High Risk Transaction Created
High Risk Transaction Updated
Payment Dispute Created
Payment Dispute Closed
Payout Alerts
Overview
Transfer Created
Transfer Paid
Audience Alerts
Overview
New Audience Member
Update Audience Member
Manual Invoicing Alerts
Overview
Invoice Sent
Invoice Paid
Invoice Overdue
Invoice Cancelled
Manual Invoicing Alerts (Legacy)

Verifying Webhooks

Check that webhooks are genuinely sent by Paddle

We send a signature field with each webhook that can be used to verify that the webhook was sent by Paddle.

We use public/private key encryption to allow you to verify these requests. Follow the step-by-step guide below to verify a Paddle signature.

  1. Get Your Public Key – this can be found in your Seller Dashboard under Developer Tools > Public Key.
  2. Get the Webhook Signature – the signature is included on each webhook with the attribute p_signature. Make sure to Base64 decode this.
  3. Remove the signature from the response – the signature should not be included in the array of fields used in verification.
  4. Sort remaining fields – ensure the fields are listed in a standard order, sorted by key name, e.g. by using ksort().
  5. PHP Serialize and sign the array – verify the PHP serialized array against the signature using SHA1 with your public key.

Code examples