Verifying Webhooks

We send a signature field with each webhook that can be used to verify that the webhook was sent by Paddle.

We use public/private key cryptography to allow you to verify these requests. Follow the step-by-step guide below to verify a Paddle signature.

  1. Get Your Public Key – this can be found in your Seller Dashboard under Developer Tools > Public Key.
  2. Get the Webhook Signature – the signature is included on each webhook with the attribute p_signature. Make sure to Base64 decode this.
  3. Remove the signature from the webhook fields – the signature should not be included in the array of fields used in verification.
  4. Sort remaining fields – ensure the fields are listed in a standard order, sorted by key name, e.g. by using ksort().
  5. PHP serialize the array and verify the signature – verify the PHP serialized array against the signature using SHA1 with your public key.
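
The steps above, put together as an added example (not Paddle's own code). The function name verifyPaddleWebhook, the sample field names and the key pair generated in the demo are assumptions made so the script runs offline; in production the public key comes from your Seller Dashboard and the fields from the incoming POST.

```php
<?php
// Hypothetical helper (not Paddle's code): returns true only for a valid signature.
function verifyPaddleWebhook(array $fields, string $publicKeyPem): bool
{
    // Step 2: read p_signature and Base64-decode it (strict mode rejects malformed input).
    if (!isset($fields['p_signature']) || !is_string($fields['p_signature'])) {
        return false;
    }
    $signature = base64_decode($fields['p_signature'], true);
    if ($signature === false) {
        return false;
    }
    // Step 3: the signature is not part of the data that was signed.
    unset($fields['p_signature']);
    // Step 4: sort the remaining fields by key name.
    ksort($fields);
    // Assumption: scalar values are serialized as strings, the way they arrive in $_POST.
    foreach ($fields as $key => $value) {
        if (is_scalar($value)) {
            $fields[$key] = (string) $value;
        }
    }
    // Step 5: verify the PHP-serialized array using SHA1 and the public key.
    // openssl_verify() can return 1, 0, -1 or false; only a strict 1 means "valid".
    $result = openssl_verify(serialize($fields), $signature, $publicKeyPem, OPENSSL_ALGO_SHA1);
    return $result === 1;
}

// Constructed demo: a throwaway key pair stands in for Paddle's key (step 1).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKeyPem = openssl_pkey_get_details($key)['key'];
$webhook = ['event' => 'sample_event', 'order_id' => '1001', 'email' => 'buyer@example.com'];
$signed = $webhook;
ksort($signed);
openssl_sign(serialize($signed), $rawSignature, $key, OPENSSL_ALGO_SHA1);
$webhook['p_signature'] = base64_encode($rawSignature);
var_dump(verifyPaddleWebhook($webhook, $publicKeyPem)); // payload as signed
$webhook['order_id'] = '9999';
var_dump(verifyPaddleWebhook($webhook, $publicKeyPem)); // field modified after signing
```

Comparing the result with === 1 matters: openssl_verify() reports errors as -1, which a loose truthiness check would treat as a successful verification.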