
🔑 An NPM package to secure your Paddle webhooks

Hi Indie Hackers,

I created an NPM package that makes it super easy to secure your Paddle.com webhooks by verifying the payload signature.

I wanted to share this with the community here because I know a lot of us use Paddle, but maybe not everyone has understood how to verify the webhook payloads or the importance of doing it.

What is it for?

Use this in your webhook handlers to confirm the validity of requests, to ensure they are really being sent by Paddle and not spoofed or modified by some malicious 3rd party.

Who should use this?

Anybody using Paddle's webhooks! Nobody wants a malicious person to be able to spoof fake data into their webhook handler.

Why did I make it?

I am busy integrating Paddle into my SaaS project and wanted a lean-and-mean way to validate and secure my Paddle webhooks - but there wasn't one.

Their documentation on verifying webhooks gives some express.js example code which involves doing PHP-style serialization and funky string conversions. It felt overly complicated, especially for less experienced developers, so I decided to create a simple NPM package that would save people time and lower the barrier to entry.

Can I use this in my [commercial] project?

Yup - It's MIT licensed so 100% free to use 👍


    Is Paddle expensive? I was thinking of using Chargebee or Stripe.


      It's more expensive than those options (I think Paddle want 6%?) but it's really an apples-to-oranges comparison because Paddle act as a reseller and the "Merchant of Record", so they are legally responsible for calculating the right tax and restoring it to the country/state to which it is owed - I'm happy to pay a bit more to offload that.

      Chargebee have integrations that help you calculate tax but it is still on you to set that up and file the tax.

      Paddle, FastSpring, GumRoad, any appstore or marketplace - these are resellers - and make life a lot easier for a 1-person startup.


        I guess it is a better option since I'm thinking of selling my software to Latin American countries (I'm from Mexico) and tax rates may differ. Thank you David.
