verify-paddle-webhook v1.1.0
Verify your Paddle.com Webhooks
Secure your webhooks with ease by validating whether they were really sent by Paddle.com.
Important: You will need your public key from your Paddle account. Find your public key.
Install
$ npm install verify-paddle-webhook
API
This package consists of one easy-to-use function, verifyPaddleWebhook, that checks the p_signature of your Paddle webhook payloads against the public key of your account:
function verifyPaddleWebhook(publicKey, webhookData)
Arguments:
publicKey <string>
This string is your account's public key.
webhookData <object>
This is your webhook payload. It should be a JavaScript object and it should include the p_signature property as sent by Paddle.
Basic Usage
const {verifyPaddleWebhook} = require('verify-paddle-webhook');
const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;
function isValid(paddleWebhookData) {
  return verifyPaddleWebhook(PUBLIC_KEY, paddleWebhookData);
}
Examples
Example: Express.js
const express = require('express');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');
const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;
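const app = express();
// Paddle posts a URL-encoded body; extended: false parses it into a flat
// object of strings and avoids the "undefined extended" deprecation warning.
app.use(express.urlencoded({extended: false}));
app.post('/webhook', function(req, res) {
  if (verifyPaddleWebhook(PUBLIC_KEY, req.body)) {
    console.log('Webhook is valid!');
    // process the webhook
  }
  // The request is acknowledged either way; unverified payloads are ignored.
  res.sendStatus(200);
});
app.listen(80);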
Example: Using Node.js to parse the request body:
Paddle actually sends the payload in the body of a POST request formatted as a URL-encoded query string:
alert_id=1234567890&balance_currency=USD&balance_earnings=321.12&balance_fee=666.33 ...etc...
Many high-level frameworks will convert that into a JS object for use with verifyPaddleWebhook, but if you need to convert it manually then you can use the Node.js querystring module to parse the body:
const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');
const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;
// Named processWebhook so it does not shadow Node's global `process` object.
function processWebhook(body) {
  const webhookData = querystring.parse(body);
  if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
    console.log('Webhook is valid!');
    // process the webhook
  }
}
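What the p_signature check involves, as an added sketch that is not this package's source code: it assumes Paddle's documented scheme for these webhooks, in which every field except p_signature is sorted by key, PHP-serialized as strings and verified against a base64 RSA signature with SHA-1. The helper names and the throwaway key pair are constructed for the example, which also rejects repeated parameters that querystring.parse would turn into arrays.

```javascript
const crypto = require('crypto');
const querystring = require('querystring');

// PHP serialize() of a flat, key-sorted array of strings (assumed scheme).
// Lengths are byte counts, so multi-byte UTF-8 values are measured correctly.
function phpSerialize(fields) {
  const keys = Object.keys(fields).sort();
  const str = (s) => `s:${Buffer.byteLength(s)}:"${s}";`;
  const body = keys.map((k) => str(k) + str(String(fields[k]))).join('');
  return `a:${keys.length}:{${body}}`;
}

// Returns true only if p_signature is a valid signature over the other fields.
function verifyRawBody(publicKeyPem, rawBody) {
  const { p_signature: signature, ...fields } = querystring.parse(rawBody);
  // A missing signature is undefined; a repeated one is parsed as an array.
  if (typeof signature !== 'string') return false;
  // Repeated parameters become arrays; treat them as invalid input.
  if (Object.values(fields).some((v) => typeof v !== 'string')) return false;
  return crypto.createVerify('sha1')
    .update(phpSerialize(fields))
    .verify(publicKeyPem, signature, 'base64');
}

// Constructed fixture: a throwaway RSA key pair stands in for Paddle's key.
function makeSignedBody(fields) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const p_signature = crypto.createSign('sha1')
    .update(phpSerialize(fields))
    .sign(privateKey, 'base64');
  return { publicKey, body: querystring.stringify({ ...fields, p_signature }) };
}

// Constructed sample payload, using field names from the body shown above.
const sample = makeSignedBody({
  alert_id: '1234567890',
  balance_currency: 'USD',
  balance_earnings: '321.12',
});
const tampered = sample.body.replace('321.12', '999.99');
console.log(verifyRawBody(sample.publicKey, sample.body)); // true
console.log(verifyRawBody(sample.publicKey, tampered));    // false
```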
Example: AWS Lambda function / Netlify function (Node.js)
This example works for AWS Lambda and Netlify.
Note: For AWS Lambda this assumes the Lambda function is invoked through AWS API Gateway using proxy integration (see tutorial).
For more detail see the Node.js example.
const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');
const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;
exports.handler = async function(event, context) {
  const webhookData = querystring.parse(event.body);
  if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
    console.log('Webhook is valid!');
    // process the webhook
  }
  return {"statusCode": 200, "body": "OK"};
};