Quickstart

Set up my computer to receive real Paddle webhooks end-to-end: install the Hookdeck CLI, run a local server that logs incoming requests, start a Hookdeck tunnel that forwards to it, and create a notification destination in Paddle pointing at the tunnel's public URL. Ask me which language and framework I want the local server in (e.g. Node.js/Express, Python/FastAPI, Go/net/http) and which port I want to use (default 3000), then generate a minimal handler that: 1. Accepts POST requests at a path I choose (default /webhooks) 2. Reads the raw request body as bytes (do not parse it — signature verification later requires the raw body) 3. Logs the body to stdout so I can inspect incoming payloads 4. Returns HTTP 200 immediately Next, install the Hookdeck CLI using the right command for my OS: - macOS: brew install hookdeck/hookdeck/hookdeck - npm (any OS): npm install -g hookdeck-cli - Windows (Scoop): scoop bucket add hookdeck https://github.com/hookdeck/scoop-hookdeck-cli.git && scoop install hookdeck - Other: see https://hookdeck.com/docs/cli#install Start the tunnel with: hookdeck listen {PORT} paddle-local --path {WEBHOOK_PATH} Hookdeck will print a public URL (like https://hkdk.events/xxxxxxxx). Copy it — that's the destination URL Paddle will deliver webhooks to. Finally, create a notification destination pointing at that URL. Use the create_notification_setting tool in the Paddle MCP server. If that's not available, use the Paddle API to POST to /notification-settings with: - type: "url" - destination: the Hookdeck public URL - description: a short label like "Local development" - subscribed_events: array of event type names to test with (for a first test, ["customer.created"] is a good starting point) - traffic_source: "all" so the destination receives both real and simulated events — useful for testing with the webhook simulator Save the endpoint_secret_key (prefixed pdl_ntfset_) from the response. It can't be retrieved again after creation and is required for signature verification. Store it in an environment variable like PADDLE_WEBHOOK_SECRET — never hardcode it. To test the full path end-to-end, use the create_simulation and create_simulation_run tools (or the /simulations endpoint) to fire a customer.created event at the destination. You should see the event arrive in both the Hookdeck terminal and your local server's stdout within a second or two. Once this works, the next step is adding signature verification — use the add-webhook-signature-verification prompt for that. For full details, fetch https://developer.paddle.com/webhooks/about and https://developer.paddle.com/webhooks/about/notification-destinations.md or use the paddle-docs MCP server. Ask me for my framework, port, and webhook path, then: generate the local handler, show me the right Hookdeck install command for my OS, walk me through starting the tunnel, create the notification destination, and remind me to save the endpoint_secret_key.

Add Paddle webhook signature verification to my webhook handler so I can confirm events are genuinely sent by Paddle. Ask me which language and framework I'm using (e.g. Node.js/Express, Node.js/Next.js, Python/Flask, Python/Django, Go, PHP, Ruby, Java, C#), then generate the complete verification code. Use the official Paddle SDK if one is available for my language — it handles the full algorithm and timestamp checking automatically: - Node.js: paddle.webhooks.unmarshal(rawBody, secretKey, signature) - Go: paddle.NewWebhookVerifier(secretKey).Middleware(...) or .Verify(req) - PHP: (new Verifier())->verify($request, new Secret('KEY')) - Python: Verifier().verify(request, Secret('KEY')) If no SDK is available, implement the manual algorithm: 1. Read the raw request body as bytes — do not parse or transform it. Even adding whitespace breaks the signature 2. Get the Paddle-Signature header (format: ts=<unix_timestamp>;h1=<hex_signature>) 3. Parse the header: split on ; to get parts, then on = to get key-value pairs 4. Build the signed payload by concatenating: timestamp + ":" + raw_body 5. Compute HMAC-SHA256 of the signed payload using the endpoint secret key as the key 6. Compare your computed signature to the h1 value using a timing-safe comparison function 7. Optionally check that the timestamp ts is within an acceptable tolerance (e.g. 5 seconds) to protect against replay attacks — this is what the SDKs do automatically The endpoint secret key (prefixed pdl_ntfset_) should be stored in an environment variable — never hardcoded. If I don't have it yet, use the get_notification_setting tool in the Paddle MCP server to retrieve it. For full details, fetch https://developer.paddle.com/webhooks/signature-verification.md or use the paddle-docs MCP server. Ask me for my framework, the environment variable name I'm using for the secret key, and whether I already have the Paddle SDK installed, then generate the complete verified handler code.