Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi everyone, Not sure quite which section to post this is as it is laravel but largely more php focused.
I have a working paypal implementation with the package https://github.com/srmklive/laravel-paypal unfortunately this doesn't appear to have a facility to verify webhooks within it
But now i'm trying to work out how to verify an incoming php webhook in laravel using php. So far as i understand there are two options 1 - use the restapi and 2- verify the cert using php openssl.
unfortunately there are huge amounts of outdated info and i'm finding it a bit tricky to find anything useful, has anyone implemented this or could point me in the right direction as paypals documentation is fairly terrible.
many thanks
As far as I understand, you are trying to implement the IPN functionality of Paypal.
When your webhook receive message from Paypal you should send it back to their API endpoint and verify the returned response. There are some examples on the documentation page - https://developer.paypal.com/api/nvp-soap/ipn/IPNImplementation
Hey thanks for the reply, I'm trying to verify a webhook not IPN using php with laravel. I had hoped to use the github package above but it doesn't appear to be possible. I guess something here might be helpful but i'm not sure https://developer.paypal.com/api/webhooks/v1/
Thanks
Oh I see, last time I worked with their API it was called IPN, now they just call them webhooks.
Have you checked this example? https://github.com/paypal/PayPal-PHP-SDK/blob/master/sample/notifications/ValidateWebhookEvent.php
Basically, you need to get some header values like PAYPAL-TRANSMISSION-ID, PAYPAL-TRANSMISSION-SIG from the request they send and send it back to their API endpoint: https://developer.paypal.com/api/webhooks/v1/#verify-webhook-signature_post and check the response.
Why not validate it locally on your own instead of sending out another API call?
$success = (
openssl_verify(
data: implode(separator: '|', array: [
$httpPayPalTransmissionId,
$httpPayPalTransmissionTime,
$webhookID,
crc32(string: $rawRequestBody),
]),
signature: PayPalController::urlSafeBase64Decode(base64EncodedString: $httpPayPalTransmissionSignature),
public_key: openssl_pkey_get_public(public_key: file_get_contents(filename: $cachePath)),
algorithm: 'sha256WithRSAEncryption'
) === 1
);
the package https://github.com/srmklive/laravel-paypal has an implementation to verify webhooks. I missed it at first, because I did not found any mentioning of it in the documentation.
https://github.com/srmklive/laravel-paypal/blob/v3.0/src/Traits/PayPalVerifyIPN.php
It's exactly how Paypal describes it: https://developer.paypal.com/api/rest/webhooks/#link-messagesignature
You can use it like this:
$provider = new PayPal();
$provider->setApiCredentials(config('paypal'));
$token = $provider->getAccessToken();
$provider->setAccessToken($token);
$provider->setWebHookID('<your webhook ID>');
$result = $provider->verifyIPN($request);
Then check the verification_status of the result.
Please or to participate in this conversation.