Skip to main content

Webhook Integration

Stay informed when events happen in your PayPal account. Set up webhooks to send notifications for events such as successful payments, failed transactions, or refunds.

This guide walks you through:

  • Setting up a webhook listener.
  • Subscribing to events.
  • Verifying messages.
  • Testing with PayPal's simulator.

Overview

Webhooks let your server listen for PayPal events in real time.

Common use cases:

  • Confirming a payment was captured.
  • Detecting failed transactions.
  • Syncing order status in your database.

Common webhook events

Event NameDescription
PAYMENT.CAPTURE.COMPLETEDPayment completed successfully
PAYMENT.CAPTURE.DENIEDPayment denied
PAYMENT.CAPTURE.REFUNDEDPayment refunded

See the full event list.

Webhook notification flow

  1. Webhook Setup Phase
    • You register a URL through PayPal's Developer Dashboard
    • PayPal confirms registration by sending you a webhook_id
  2. Transaction Phase
    • Customer starts a payment on your site
    • Your server creates a payment through PayPal
    • Customer completes payment on PayPal
    • PayPal sends confirmation to the customer
  3. Webhook Notification Phase
    • PayPal sends a POST request to your webhook URL
    • The request includes event data (like PAYMENT.CAPTURE.COMPLETED)
    • PayPal adds special signature headers for security
  4. Verification Phase
    • Your server extracts the PayPal signature headers
    • Your server verifies the signature with PayPal
    • If valid:
      • Process the webhook event
      • Update order status
      • Return HTTP 200 OK
    • If invalid:
      • Log security warning
      • Still return HTTP 200 OK (to acknowledge receipt)
  5. Retry Mechanism
    • If your server doesn't respond with 200 OK
    • PayPal retries the webhook delivery
    • Retries continue for up to 3 days

1. Set up your webhook listener

Your listener should be a public HTTPS endpoint that accepts POST requests.

You can use curl to simulate receiving a webhook by setting up a local server with tools like ngrok or localtunnel. Here's an example of how to send a test webhook to your listener:

curl -X POST https://your-webhook-endpoint.com/webhook \
-H "Content-Type: application/json" \
-d '{
  "id": "WH-12345",
  "event_type": "PAYMENT.CAPTURE.COMPLETED",
  "resource": {
    "id": "PAY-67890",
    "status": "COMPLETED"
  }
}'

Replace https://your-webhook-endpoint.com/webhook with your actual webhook URL. This example sends a PAYMENT.CAPTURE.COMPLETED event to your listener.

2. Verify the webhook signature

Each webhook from PayPal includes a signature. Use the /v1/notifications/verify-webhook-signature endpoint to verify the header.

Required headers

  • PAYPAL-TRANSMISSION-ID
  • PAYPAL-TRANSMISSION-TIME
  • PAYPAL-CERT-URL
  • PAYPAL-AUTH-ALGO
  • PAYPAL-TRANSMISSION-SIG

Verification examples

curl -X POST https://api.paypal.com/v1/notifications/verify-webhook-signature \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-d '{
  "transmission_id": "<PAYPAL-TRANSMISSION-ID>",
  "transmission_time": "<PAYPAL-TRANSMISSION-TIME>",
  "cert_url": "<PAYPAL-CERT-URL>",
  "auth_algo": "<PAYPAL-AUTH-ALGO>",
  "transmission_sig": "<PAYPAL-TRANSMISSION-SIG>",
  "webhook_id": "<WEBHOOK_ID>",
  "webhook_event": <WEBHOOK_EVENT>
}'

3. Register your webhook

Go to the Developer Dashboard → Select your app → Webhooks → Add URL.

Select events such as:

  • CHECKOUT.ORDER.APPROVED
  • PAYMENT.CAPTURE.COMPLETED

4. Test using PayPal’s webhook simulator

  1. Go to the webhook simulator.
  2. Select your app and endpoint.
  3. Choose an event.
  4. Send a test webhook.

Your server should log or respond to the event.

Best practices

  • Always verify signatures for security.
  • Respond with HTTP 200 if the event is received.
  • Log all webhook attempts for auditing.
  • Make the webhook idempotent and handle duplicate deliveries gracefully.
  • Use retry logic. PayPal will retry for up to 3 days if your server fails.

See also