
🔑 An NPM package to secure your Paddle webhooks

Hi Indie Hackers,

I created an NPM package that makes it super easy to secure your Paddle.com webhooks by verifying the payload signature.

I wanted to share this with the community here because I know a lot of us use Paddle but maybe not everyone has understood how to verify the webhook payloads or the importance of doing it.

What is it for?

Use this in your webhook handlers to confirm the validity of requests, to ensure they are really being sent by Paddle and not spoofed or modified by some malicious 3rd party.

Who should use this?

Anybody using Paddle's webhooks! Nobody wants a malicious person to be able to spoof fake data into their webhook handler.

Why did I make it?

I am busy integrating Paddle into my SaaS project and wanted a lean-and-mean way to validate and secure my Paddle webhooks - but there wasn't one.

Their documentation on verifying webhooks gives some express.js example code which involves doing PHP-style serialization and funky string conversions. It felt overly complicated, especially for any less experienced developers, so I decided to create a simple NPM package that would save people time and lower the barrier-to-entry.

Can I use this in my [commercial] project?

Yup - It's MIT licensed so 100% free to use 👍

Posted to Developers on April 24, 2020

    Is Paddle expensive? I was thinking of using Chargebee or Stripe.


      It's more expensive than those options (I think Paddle want 6%?) but it's really an apples-to-oranges comparison because Paddle act as a reseller and the "Merchant of Record" so they are legally responsible for calculating the right tax and restoring it to the country/state to which it is owed - I'm happy to pay a bit more to offload that.

      Chargebee have integrations that help you calculate tax but it is still on you to set that up and file the tax.

      Paddle, FastSpring, GumRoad, any appstore or marketplace - these are resellers - and make life a lot easier for a 1-person startup.


        I guess it is a better option since I'm thinking of selling my software to Latin American countries (I'm from Mexico) and tax rates may differ. Thank you David.
