Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

MarkTierney's avatar

Testing Stripe Webhooks 403 error

Hi,

I'm trying to test my stripe webhooks. Everything works fine testing manually locally.

But when I run phpunt I get a 403 response on every webhook If I comment out the VerifyWebhookSignature code in the Cashier package I get a 200 response.

I have my STRIPE_WEBHOOK_SECRET defined as an environment variable but it's not verifying it for some reason.

Even when I disable the middleware the webhook calls are NOT getting logged in my test database.

Any help much appreciated, cheers.

0 likes
16 replies
MarkTierney's avatar

If I bypass the middleware the webhook calls are logged in my local database, but not the test database defined in my phpunit.xml

otherprod's avatar

For the persons that will come after, i found a solution for this problem. For a reason the config in .env is not readed correctly (permission server)

Create a cashier.php inside config directory

return [
'webhook' => [
    'secret' => 'putyourwebshooksecreethere'
]
];
otherprod's avatar

@Sinnbeck Hi can you develop your response ? I don't understand what you mean (yes we use git)

otherprod's avatar

@Sinnbeck Thank you for your clarification. Of course take care of your credentials if you work with strangers on your repositories, or dont forget to add this file in your gitignore.

alessandrobelli's avatar

Having same problem while testing cashier. I get 403 or 405 errors...

martinbean's avatar

@alessandrobelli Then you need to fix them.

A 403 Forbidden error is usually using the wrong webhook signature.

A 405 error is usually when the webhook URL is doing a redirect and therefore changes the method from POST to GET. This usually occurs for things like canonical redirects where you redirect HTTP to HTTPS, or non-www URLs to www.

chrisl0w's avatar

I had the same error on my local Sail Environment and fixed it by doing the following:

  1. Install Stripe CLI: https://stripe.com/docs/stripe-cli
  2. Run stripe login
  3. Run stripe listen --forward-to localhost/stripe/webhook
  4. Copy the webhook signing secret which will get printed after running stripe listen
  5. Add the webhook signing secret to your .env file under the key STRIPE_WEBHOOK_SECRET=
8 likes
alessandrobelli's avatar

@cloew.at@gmail.com Thanks for the suggestion. This made everything work for me :) Another note: I struggled a couple of hours playing with the stripe dashboard, creating users + subscriptions. I was getting code 200, no results, no error. Eventually I dived into the Webhook controller and if the user is not found in the database by the stripe_id, basically nothing is done. In my case, this is not useful, but I'm going to solve that soon.

andrecopetti's avatar

@chrisl0w Thanks for the help, buddy. I did everything as you mentioned, and I was still getting the 403 error. So, if someone is encountering this 403 error (Timestamp outside the tolerance zone), just make sure your server's clock is correct. Now everything works fine :)

j3rg's avatar

For me I initially had the STRIPE_WEHBOOK_SECRET with the wrong value as I used it locally on Windows then switcher over to the docker container. I updated the the .env with the new secret, and what fixed it was restarting my Laravel container. I assume maybe it had the old secret in cache or something. By the way the project create did not use sail they created their own docker compose setup.

asim-ali-peerzada's avatar

For a 403 error with webhooks, you have to check your existing middlewares they are intercepting that webhook request and causing the 403. Simply add this inside the handle in middleware: if ($request->is('stripe/*')) { return $next($request); } You're good to go....

Please or to participate in this conversation.