PayPal’s documentation is pretty bad, but they do have a PHP notification verification sample here which mentions:
PHP Currently does not support certificate chain validation, that is necessary to validate webhook directly, from received data. To resolve that, we need to use alternative, which makes a call to PayPal’s verify-webhook-signature API.
It also includes some files that aren’t within the Checkout SDK. I found this question from a year ago in which someone created what seems like a decent explanation of all of the various missing packages and files that aren’t included in the base SDK.
One of the key parts of their answer was to install a separate PayPal SDK, which they don’t mention anywhere in the documentation, via composer (without mentioning its package name). Luckily composer has decent recommendations to my incorrect attempts at finding it so I got it eventually with: composer require paypal/rest-api-sdk-php
. Looking through the files it downloaded, it’s clear that this is the package that the Paypal documentation I listed above is including. However, upon requiring it I got the message
Package paypal/rest-api-sdk-php is abandoned, you should avoid using it. No replacement was suggested.
This seems pretty cut and dry, that it’s not future safe and I shouldn’t use it, but what am I supposed to do instead? Is there some new SDK somewhere I should be looking at or have they just given up on PHP and I have to just start making direct hand crafted API calls?
Advertisement
Answer
There is no supported SDK for webhooks — not for PHP, nor for any other environment. Use a direct HTTPS integration.