JSPM

verify-paddle-webhook

1.1.0
  • Downloads 276
  • License MIT

Verify the signature of Paddle.com webhook payloads. Use this to confirm authenticity and secure your webhook handlers.

Package Exports

  • verify-paddle-webhook

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (verify-paddle-webhook) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Verify your Paddle.com Webhooks


Secure your webhooks with ease by validating whether they were really sent by Paddle.com.

Important: You will need your public key from your Paddle account. Find your public key.

Install

$ npm install verify-paddle-webhook

API

This package consists of one easy-to-use function, verifyPaddleWebhook, which checks the p_signature of your Paddle webhook payloads against the public key of your account:

function verifyPaddleWebhook(publicKey, webhookData)

Arguments:

  • publicKey <string> This string is your account's public key.
  • webhookData <object> This is your webhook payload. It should be a JavaScript object and it should include the p_signature property as sent by Paddle.
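
To show what checking p_signature against a public key involves, here is an added sketch that is not this package's code. It assumes the scheme Paddle documents for these webhooks: drop p_signature, sort the remaining fields by key, PHP-serialize them, and verify the base64-decoded signature with RSA-SHA1. The names phpSerializeFlat, verifySketch and demo are hypothetical, and the key pair and payload are constructed for the demo.

```javascript
const crypto = require('crypto');

// PHP serialize() output for a flat map of string keys and string values,
// with keys sorted first (ksort). Lengths are byte lengths, not character counts.
function phpSerializeFlat(fields) {
    const str = (s) => `s:${Buffer.byteLength(s)}:"${s}";`;
    const keys = Object.keys(fields).sort();
    return `a:${keys.length}:{` +
        keys.map((k) => str(k) + str(String(fields[k]))).join('') + '}';
}

// True only when p_signature is a valid RSA-SHA1 signature over the other fields.
function verifySketch(publicKeyPem, payload) {
    if (!payload || typeof payload.p_signature !== 'string') return false;
    const {p_signature, ...fields} = payload;
    // Arrays, nested objects and nulls (for example from duplicated keys) are
    // outside what this sketch can serialize faithfully: reject them.
    if (Object.values(fields).some((v) => typeof v === 'object')) return false;
    try {
        return crypto.createVerify('sha1')
            .update(phpSerializeFlat(fields))
            .verify(publicKeyPem, Buffer.from(p_signature, 'base64'));
    } catch (err) {
        return false; // malformed key or signature: fail closed
    }
}

// Constructed demo: a throwaway key pair stands in for the sender's signing key.
function demo() {
    const {publicKey, privateKey} = crypto.generateKeyPairSync('rsa', {
        modulusLength: 2048,
        publicKeyEncoding: {type: 'spki', format: 'pem'},
        privateKeyEncoding: {type: 'pkcs8', format: 'pem'},
    });
    const fields = {alert_id: '1234567890', balance_currency: 'USD', balance_earnings: '321.12'};
    const p_signature = crypto.createSign('sha1')
        .update(phpSerializeFlat(fields)).sign(privateKey, 'base64');
    return {
        genuine: verifySketch(publicKey, {...fields, p_signature}),
        tampered: verifySketch(publicKey, {...fields, balance_earnings: '999.99', p_signature}),
        unsigned: verifySketch(publicKey, fields),
    };
}

console.log(demo());
```

Every field is covered by the signature, so a change to a single value makes the check fail, as does a missing p_signature.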

Basic Usage

const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

function isValid(paddleWebhookData) {
    return verifyPaddleWebhook(PUBLIC_KEY, paddleWebhookData);
}

Examples

Example: Express.js

const express = require('express');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

const app = express();
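// Paddle posts a flat URL-encoded body; set `extended` explicitly
// (Express 4 warns when the option is omitted).
app.use(express.urlencoded({extended: false}));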

app.post('/webhook', function(req, res) {
    if (verifyPaddleWebhook(PUBLIC_KEY, req.body)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
    res.sendStatus(200);
});

app.listen(80);

Example: Using Node.js to parse the request body:

Paddle actually sends the payload in the body of a POST request formatted as a URL-encoded query string:

alert_id=1234567890&balance_currency=USD&balance_earnings=321.12&balance_fee=666.33 ...etc...

Many high-level frameworks will convert that into a JS object for use with verifyPaddleWebhook, but if you need to convert it manually, you can use the Node.js querystring module to parse the body:

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

// Named processWebhook so it does not shadow Node's global `process` object.
function processWebhook(body) {
    const webhookData = querystring.parse(body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
}

Example: AWS Lambda function / Netlify function (Node.js)

This example works for AWS Lambda and Netlify.

Note: For AWS Lambda this assumes the Lambda function is invoked through AWS API Gateway using proxy integration (see tutorial).

For more detail see the Node.js example.

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

exports.handler = async function(event, context) {
    const webhookData = querystring.parse(event.body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }

    return {"statusCode": 200, "body": "OK"};
}