verify-paddle-webhook

Verify the signature of Paddle.com webhook payloads. Use this to confirm authenticity and secure your webhook handlers.

Usage: no npm install needed!

<script type="module">
  import verifyPaddleWebhook from 'https://cdn.skypack.dev/verify-paddle-webhook';
</script>

README

Verify your Paddle.com Webhooks


Secure your webhooks with ease by validating whether they were really sent by Paddle.com.

Important: You will need your public key from your Paddle account. Find your public key.

Install

$ npm install verify-paddle-webhook

API

This package consists of one easy-to-use function, verifyPaddleWebhook, which checks the p_signature of your Paddle webhook payloads against the public key of your account:

function verifyPaddleWebhook(publicKey, webhookData)

Arguments:

  • publicKey <string> Your account's public key.
  • webhookData <object> Your webhook payload. It should be a JavaScript object and must include the p_signature property as sent by Paddle.

Basic Usage

const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

function isValid(paddleWebhookData) {
    return verifyPaddleWebhook(PUBLIC_KEY, paddleWebhookData);
}

Examples

Example: Express.js

const express = require('express');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

const app = express();
app.use(express.urlencoded());

app.post('/webhook', function(req, res) {
    if (verifyPaddleWebhook(PUBLIC_KEY, req.body)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
    res.sendStatus(200);
});

app.listen(80);

Example: Using Node.js to parse the request body

Paddle actually sends the payload in the body of a POST request formatted as a URL-encoded query string:

alert_id=1234567890&balance_currency=USD&balance_earnings=321.12&balance_fee=666.33 ...etc...

Many high-level frameworks will convert that into a JS object for use with verifyPaddleWebhook, but if you need to convert it manually, you can use the Node.js querystring module to parse the body:

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

// Named processWebhookBody so it does not shadow Node's global `process` object.
function processWebhookBody(body) {
    const webhookData = querystring.parse(body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
}
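
To show what the signature check involves, the following added example (not code from this package or from Paddle) re-implements the verification with Node's built-in crypto module and runs it against a genuine, a tampered and an unsigned payload. It assumes the signature is RSA-SHA1 over the PHP-serialized, key-sorted fields with p_signature removed; the throwaway key pair, the signAsSender helper and the sample values are constructed for the demonstration.

```javascript
// Added example, not the verify-paddle-webhook source.
const crypto = require('crypto');
const querystring = require('querystring');

// PHP serialize() of a flat array of strings, keys sorted; lengths are byte counts.
function phpSerialize(fields) {
    const str = (s) => `s:${Buffer.byteLength(s)}:"${s}";`;
    const keys = Object.keys(fields).sort();
    return `a:${keys.length}:{${keys.map((k) => str(k) + str(String(fields[k]))).join('')}}`;
}

// Assumed scheme: RSA-SHA1 over the serialized payload with p_signature removed.
function verifySignature(publicKey, webhookData) {
    const {p_signature: signature, ...fields} = webhookData;
    if (typeof signature !== 'string') return false; // unsigned payloads are rejected
    const verifier = crypto.createVerify('sha1');
    verifier.update(phpSerialize(fields));
    return verifier.verify(publicKey, Buffer.from(signature, 'base64'));
}

// Constructed fixture: a throwaway key pair standing in for the sender's keys.
const {publicKey, privateKey} = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: {type: 'spki', format: 'pem'},
    privateKeyEncoding: {type: 'pkcs8', format: 'pem'},
});

// Hypothetical sender side: signs the fields and returns a URL-encoded body.
function signAsSender(fields) {
    const signer = crypto.createSign('sha1');
    signer.update(phpSerialize(fields));
    return querystring.stringify({...fields, p_signature: signer.sign(privateKey, 'base64')});
}

// Constructed sample payload, using field names from the body shown above.
const body = signAsSender({alert_id: '1234567890', balance_currency: 'USD', balance_earnings: '321.12'});
const genuine = querystring.parse(body);
const tampered = {...genuine, balance_earnings: '999999.00'};
const {p_signature, ...unsigned} = genuine;

console.log('genuine :', verifySignature(publicKey, genuine));
console.log('tampered:', verifySignature(publicKey, tampered));
console.log('unsigned:', verifySignature(publicKey, unsigned));
```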

Example: AWS Lambda function / Netlify function (Node.js)

This example works for AWS Lambda and Netlify.

Note: For AWS Lambda this assumes the Lambda function is invoked through AWS API Gateway using proxy integration (see tutorial).

For more detail see the Node.js example.

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

exports.handler = async function(event, context) {
    const webhookData = querystring.parse(event.body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }

    return {"statusCode": 200, "body": "OK"};
}