0

PayPal's documentation is pretty bad, but they do have a PHP notification verification sample here which mentions:

PHP Currently does not support certificate chain validation, that is necessary to validate webhook directly, from received data. To resolve that, we need to use alternative, which makes a call to PayPal's verify-webhook-signature API.

It also includes some files that aren't within the Checkout SDK. I found this question from a year ago in which someone created what seems like a decent explanation of all of the various missing packages and files that aren't included in the base SDK.

One of the key parts of their answer was to install a separate PayPal SDK, which they don't mention anywhere in the documentation, via composer (without mentioning its package name). Luckily composer has decent recommendations to my incorrect attempts at finding it so I got it eventually with: composer require paypal/rest-api-sdk-php. Looking through the files it downloaded, it's clear that this is the package that the Paypal documentation I listed above is including. However, upon requiring it I got the message

Package paypal/rest-api-sdk-php is abandoned, you should avoid using it. No replacement was suggested.

This seems pretty cut and dry, that it's not future safe and I shouldn't use it, but what am I supposed to do instead? Is there some new SDK somewhere I should be looking at or have they just given up on PHP and I have to just start making direct hand crafted API calls?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
cebo
  • 688
  • 1
  • 8
  • 26

1 Answers1

0

There is no supported SDK for webhooks -- not for PHP, nor for any other environment. Use a direct HTTPS integration.

Preston PHX
  • 27,642
  • 4
  • 24
  • 44
  • From what I can tell, all of the other language SDK's have some sort of built in programatic verification function. For example: [this](https://github.com/paypal/PayPal-NET-SDK/wiki/Webhook-Event-Validation) doc discussing the .NET SDK's `WebhookEvent.ValidateReceivedEvent(...)` function. All of the various SDK's respective solutions for verification can be found [here](https://developer.paypal.com/docs/api-basics/notifications/webhooks/rest/#to-use-the-paypal-rest-sdks-to-verify-event-notifications) including the PHP document which I linked originally and which is apparently outdated. – cebo May 03 '21 at 18:24
  • All v1/payments and general-purpose REST SDKs that included functionality for webhooks are deprecated. See https://developer.paypal.com/docs/api/deprecated-rest-sdks/ or each SDK's respective page. – Preston PHX May 03 '21 at 19:39
  • If all of the v1 and other verification API's are depricated, how else are you supposed to verify a notification? – cebo May 03 '21 at 19:42
  • v1/payments APIs are deprecated, specifically. Other APIs are not. But the SDKs are. – Preston PHX May 03 '21 at 19:46
  • So which API are you supposed to use now to verify notifications? Can you point me to the part of the documentation that describes the right way to do this? – cebo May 03 '21 at 21:13
  • https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature – Preston PHX May 03 '21 at 22:50
  • Is that not the exact "API for webhooks" that you just said was deprecated? – cebo May 04 '21 at 16:27
  • Sigh. SDKs are deprecated, APIs are not. – Preston PHX May 04 '21 at 16:52