How a Raw-Body Bug Silently Breaks Paddle Billing Webhook Verification
Paddle Billing webhooks use HMAC-SHA256 signatures delivered via the Paddle-Signature HTTP header, requiring verification against the exact raw request bytes Paddle originally sent. A common developer mistake occurs when web frameworks auto-parse the JSON body, and the code re-serializes it before verification, producing different bytes that cause every legitimate webhook to fail. The signed string Paddle constructs combines the timestamp and raw body in the format ts:raw_body, meaning omitting the timestamp prefix also invalidates the computed digest. Paddle Billing, the default for accounts created after August 2023, uses a per-destination secret for signing and is entirely different from the legacy Paddle Classic scheme, which relied on PHP serialization and a public key. The fix requires capturing and preserving the raw, unparsed request body before any framework processing, then parsing it only after the signature has been successfully verified.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in