Webhooks PayPal REST APIs use webhooks for event notifications. Webhooks are push API calls that let your app know an event has happened. How to use Configure a webhook listener for your app and then create a webhook and subscribe it to the transaction events that you need. Tip: You can verify your listener is working by using our webhooks simulator. Messages Each JSON-formatted POST notification message contains event information based on the resource type and the event type. For example, an event that let your app know an authorization for payment occured would be of resource type authorization and an event type of created. When your app receives a notification message, it must verify that the notification message: Came from PayPal. Was not altered or corrupted during transmission. Was intended for you. Contains a valid signature. Then, the app must respond with an HTTP 200 code. Note: If your app responds with any other status code, PayPal tries to resend the notification message 25 times over the course of three days. Message signature For security, notification messages are signed and sent over HTTPS (SSL/TLS). Event headers for notification messages contain the PayPal-generated asymmetric signature and information that you can use to validate the signature. For information about using the REST API to monitor webooks, see Webhooks Management API. Event header generation These 4 requirements make use of PayPal’s verify-webhook-signature endpoint. You query this endpoint from your app, and your app sends a payload that includes the following parameters: auth_algo extracted from the PAYPAL-AUTH-ALGO value which is present in the response header. I verified that this value was present in the response header received by my mock webhook listener. cert_url extracted from the PAYPAL-CERT-URL value which is present in the response header. I verified that this value was present in the response header received by my mock webhook listener. transmission_id extracted from the PAYPAL-TRANSMISSION-ID value which is present in the response header. I verified that this value was present in the response header received by my mock webhook listener. transmission_sig extracted from the PAYPAL-TRANSMISSION-SIG value which is present in the response header. I verified that this value was present in the response header received by my mock webhook listener. transmission_time extracted from the PAYPAL-TRANSMISSION-TIME value which is present in the response header. I verified that this value was present in the response header received by my mock webhook listener. webhook_id The ID of the webhook as configured in your PayPal Developer Portal account. I verified that my mock webhook had an associated ID. webhook_event - A webhook event notification. This consists of the notification response received from PayPal, which is now being verified. I also verified that my mock webhook listener responded with an HTTP 200 code. Event header validation Use the following input string to validate a signature: