Summer Sale! All accounts are 50% off this week.

JamesJefferies's avatar

Paypal Verify webhooks in PHP

Hi everyone, Not sure quite which section to post this is as it is laravel but largely more php focused.

I have a working paypal implementation with the package https://github.com/srmklive/laravel-paypal unfortunately this doesn't appear to have a facility to verify webhooks within it

But now i'm trying to work out how to verify an incoming php webhook in laravel using php. So far as i understand there are two options 1 - use the restapi and 2- verify the cert using php openssl.

unfortunately there are huge amounts of outdated info and i'm finding it a bit tricky to find anything useful, has anyone implemented this or could point me in the right direction as paypals documentation is fairly terrible.

many thanks

0 likes
5 replies
denkata's avatar

Oh I see, last time I worked with their API it was called IPN, now they just call them webhooks.

Have you checked this example? https://github.com/paypal/PayPal-PHP-SDK/blob/master/sample/notifications/ValidateWebhookEvent.php

Basically, you need to get some header values like PAYPAL-TRANSMISSION-ID, PAYPAL-TRANSMISSION-SIG from the request they send and send it back to their API endpoint: https://developer.paypal.com/api/webhooks/v1/#verify-webhook-signature_post and check the response.

ChristofMoser's avatar

Why not validate it locally on your own instead of sending out another API call?

$success = (
	openssl_verify(
		data: implode(separator: '|', array: [
			$httpPayPalTransmissionId,
			$httpPayPalTransmissionTime,
			$webhookID,
			crc32(string: $rawRequestBody),
		]),
		signature: PayPalController::urlSafeBase64Decode(base64EncodedString: $httpPayPalTransmissionSignature),
		public_key: openssl_pkey_get_public(public_key: file_get_contents(filename: $cachePath)),
		algorithm: 'sha256WithRSAEncryption'
	) === 1
);
visifo's avatar

the package https://github.com/srmklive/laravel-paypal has an implementation to verify webhooks. I missed it at first, because I did not found any mentioning of it in the documentation.

https://github.com/srmklive/laravel-paypal/blob/v3.0/src/Traits/PayPalVerifyIPN.php

It's exactly how Paypal describes it: https://developer.paypal.com/api/rest/webhooks/#link-messagesignature

You can use it like this:

$provider = new PayPal();
$provider->setApiCredentials(config('paypal'));
$token = $provider->getAccessToken();
$provider->setAccessToken($token);
$provider->setWebHookID('<your webhook ID>');
$result = $provider->verifyIPN($request);

Then check the verification_status of the result.

Please or to participate in this conversation.