Paddle Webhooks

When to Use This Skill

• Setting up Paddle webhook handlers
• Debugging signature verification failures
• Understanding Paddle event types and payloads
• Handling subscription, transaction, or customer events

Verification (core)

Paddle signs every webhook with HMAC-SHA256 over timestamp:rawBody. The Paddle-Signature header is ts=<unix>;h1=<hex> (multiple h1= values appear during secret rotation). Pass the raw request body — don't JSON.parse first.

The official @paddle/paddle-node-sdk exposes paddle.webhooks.unmarshal(rawBody, secretKey, signature) which verifies and parses in one call. For Python (or when not using the SDK), verify manually:

Node:

const crypto = require('crypto');