I am trying to implement webhook calls into our applications using this documentation : https://developer.paypal.com/docs/api/webhooks/v1/ , the problem is, when I am trying to verify the webhook signature, it always returns FAILURE, I can’t really test it on production yet. Even if I simulate the webhook event via the direct api call in the documentation it still returns FAILURE. Is there a possibility, that it can only return SUCCESS on paypal events that really happend ? like a real payment on production for example ? Or am I doing something wrong. I can provide more info if needed. Thanks. Here is the response:
PayPalHttpHttpResponse #a30c statusCode => 200 result => stdClass #8bf3 | verification_status => "FAILURE" (7) headers => array (6) | "" => "" | Cache-Control => "max-age=0, no-cache, no-store, must-revalidate" (46) | Content-Length => "33" (2) | Content-Type => "application/json" (16) | Date => "Mon, 29 Mar 2021 14" (19) | Paypal-Debug-Id => "e9ff5d6e338e1" (13)
here is a log of the old request
{"path":"/v1/notifications/verify-webhook-signature","body":{"transmission_id":"8e327350-9134-11eb-aacd-47b3747d966f","transmission_time":"2021-03-30T08:47:27Z","cert_url":"https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-1d93a270","auth_algo":"SHA256withRSA","transmission_sig":"gFiHAuhJeTRsZm441pbYsxkmO7p3fo/ZRt6hbgKTfAX8ZR29Q6YV38A7cqNloGCpes6ZmoMJ8AOLn8iNMC9zlwyzdaFkQ+VEuEc0E8Hbq8imZ3caky7TlXkKmdZmv5LzL+2pFH2o4NaLsbeNkBnyEeq/pJUczgLf1u/5SbA6wytcogLeXAMyqAUxYn35OVo083bVv8ykJ5o0z9pXlsMFjD85gRnci4NbJDQBQVKW9fuX2FUhPceq0eHc1IIxYSYaYAYApPBGp7GOwc3odmahOtHn/hwIbUOupxWEJfiJB/o3lQN5V7F0TvCXPOJLfXrbYKbLD2JRaK4aqIX3BUGrmg==","webhook_id":"82X68571MD226184L","webhook_event":{"id":"WH-2WR32451HC0233532-67976317FL4543714","create_time":"2014-10-23T17:23:52Z","resource_type":"sale","event_type":"PAYMENT.SALE.COMPLETED","summary":"A successful sale payment was made for $ 0.48 USD","resource":{"id":"80021663DE681814L","create_time":"2014-10-23T17:22:56Z","update_time":"2014-10-23T17:23:04Z","state":"completed","amount":{"total":"0.48","currency":"USD","details":{"subtotal":null}},"parent_payment":"PAY-1PA12106FU478450MKRETS4A","valid_until":null,"payment_mode":"ECHECK","clearing_time":"2014-10-30T07:00:00Z","protection_eligibility_type":"ITEM_NOT_RECEIVED_ELIGIBLE,UNAUTHORIZED_PAYMENT_ELIGIBLE","protection_eligibility":"ELIGIBLE","links":[{"href":"https://api.paypal.com/v1/payments/sale/80021663DE681814L","rel":"self","method":"GET"},{"href":"https://api.paypal.com/v1/payments/sale/80021663DE681814L/refund","rel":"refund","method":"POST"},{"href":"https://api.paypal.com/v1/payments/payment/PAY-1PA12106FU478450MKRETS4A","rel":"parent_payment","method":"GET"}]},"links":[{"href":"https://api.paypal.com/v1/notifications/webhooks-events/WH-2WR32451HC0233532-67976317FL4543714","rel":"self","method":"GET","encType":null},{"href":"https://api.paypal.com/v1/notifications/webhooks-events/WH-2WR32451HC0233532-67976317FL4543714/resend","rel":"resend","method":"POST","encType":null}],"event_version":"1.0"}},"verb":"POST","headers":{"Content-Type":"application/json"}}
This is a new request, triggered by subscribed webhook on paypal sandbox (still returns FAILURE):
{"path":"/v1/notifications/verify-webhook-signature","body":{"transmission_id":"bafac560-9150-11eb-88b5-5316a049110c","transmission_time":"2021-03-30T12:09:08Z","cert_url":"https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-1d93a270","auth_algo":"SHA256withRSA","transmission_sig":"APlouF6dHqKMP2zUPxRWlvdM1ddLhW/iyNtl705o5Uv0rzfCiXy7lJ+jP+JPHiebW+PnKBPkemd0JtL9muffe97bKbFB3dQvCwr9iLBYHUOWzZkLjZVICrbJt11TrjY/RTjg9kGxc1QTVo8ajfu6he0GGD80lQm3DA/9WJYvzV2VD1Uj0lDLmrja4Vf7gbEoYcfvKXRegC3rcaz1vxEFgOy5ZbBfcnKDBW97tmfKY32g+uVdJgo0MN9cqmp2fsXmnaix/q3tVfCouP/9qTnTeuX+kO8ZvzqJ5C/wmwAN6WZVRlZy2lIndXo7pYKVvRM53LAj9koAPE1tkLigVSVUQA==","webhook_id":"7KV76897B77655129","webhook_event":{"id":"WH-4LW999679F247300G-9PC79308E9858631L","create_time":"2021-03-30T12:09:04.942Z","resource_type":"sale","event_type":"PAYMENT.SALE.COMPLETED","summary":"Payment completed for $ 48.75 USD","resource":{"id":"76H86888MM106214H","create_time":"2021-03-30T12:07:43Z","update_time":"2021-03-30T12:07:43Z","state":"completed","amount":{"total":"48.75","currency":"USD","details":{"subtotal":"48.75"}},"payment_mode":"INSTANT_TRANSFER","valid_until":null,"transaction_fee":{"currency":"USD","value":"1.96"},"billing_agreement_id":"I-4C7NSCV76GSD","soft_descriptor":"PAYPAL *JOHNDOESTES","protection_eligibility_type":"ITEM_NOT_RECEIVED_ELIGIBLE,UNAUTHORIZED_PAYMENT_ELIGIBLE","protection_eligibility":"ELIGIBLE","invoice_number":"","links":[{"href":"https://api.sandbox.paypal.com/v1/payments/sale/76H86888MM106214H","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/payments/sale/76H86888MM106214H/refund","rel":"refund","method":"POST"}]},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-4LW999679F247300G-9PC79308E9858631L","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-4LW999679F247300G-9PC79308E9858631L/resend","rel":"resend","method":"POST"}],"event_version":"1.0"}},"verb":"POST","headers":{"Content-Type":"application/json"}}
2
Answers
You cannot verify a simulated webhook from 2014. You can only verify recent webhooks your particular client-id has received, for sandbox or live modes (whichever the client-id corresponds to).
Subscribe to actual webhook events (in sandbox or live modes) in order to receive them, then perform the action that will trigger them, then verify them once received.
Same Problem here (No, i don’t use the shitty simulated webhooks).
I’m currently implementing Paypal Checkout with pay upon invoice.
Unfortunately, it is necessary to set up webhooks here. Now I have the problem that I get
{"verification_status": "FAILURE"}
with every validation. It doesn’t matter whether I try to do this via the JavaClient Event.validateReceivedEvent or via the Paypal Rest API with verifiy webhook signature.I can query the event, the webhook via its id and the certificate via the API. Only this shitty validation doesn’t work.
PayPal just pisses me off. The documentation sucks and the shitty sandbox doesn’t do what it’s supposed to do either.
EDIT:
Thx to @bzzzzzz. Now, i figured out, why the event validation always failed. It is because of the n if the webhook_event is serialized with event.toJson(). Same thing happens, if you c&p the webhook_event from sandbox webhooks event into the validation request body.
Now, it is clear why the validation fails.