Logo
Square subscription API webhook test API Documentation

Verifying event notifications can be a bit of a headache sometimes. I took a dive into setting up Square subscription plans for a business of mine and learned the hard way. PHP’s hash_hmac() function has a parameter that, when set, will cause the function to return binary data. Javascript has no equivalent function for returning the same result, and since the Square validation relies on two signatures matching, it’s not possible to create the signature in Qodex alone. It’s for that reason that I created this Qodex Pre-request script. I’m sharing my work with you today so you can have a launchpad for testing your own webhook endpoint! I hope it’s clear, and that you find it useful. Please let me know in the comments. Also, let me know if you have questions.

Requirements:

  • A registered webhook notification URL
  • The signature key generated by registering the webhook notification URL
  • Some code at the end of the webhook notification URL to validate the request and do the stuff you need to have done when it receives a message
  • Merchant id, customer id, location id, plan id
  • A custom (and separate) endpoint used to generate a signature. It should accept POST ‘message’ and POST ‘key’. The key is your signature key. The message is the webhook notification url + request body. The Pre-request script below takes care of posting the data to this custom endpoint.

Additional considerations:

  • After you verify that the request came from Square, you should also compare the customer id, plan id, location id, and merchant id to make sure you have a completely valid request. All but the customer id can be verified on your end without any additional API calls since it's data you already have.

ENDPOINTS