Example: PayPal / Braintree Webhooks

Overview

PayPal and Braintree are related payment products, but their webhook verification contracts are different. Syllecta keeps them separate so a tenant cannot accidentally rely on PayPal-style verification for Braintree traffic.

Current status:

  • PayPal is available only in controlled rollout. It requires PayPal transmission headers and tenant-specific webhook configuration before live traffic is accepted.
  • Braintree is reserved until the official bt_signature + bt_payload parser is enabled.

PayPal Setup

  1. Store the PayPal webhook id/secret configuration in Backoffice for the tenant.
  2. Set the provider webhook to https://api.syllecta.com/v1/webhooks/paypal.
  3. Confirm the inbound request includes PayPal-Transmission-Id, PayPal-Transmission-Time, PayPal-Transmission-Sig, PayPal-Auth-Algo, and PayPal-Cert-Url.

PayPal Request Shape

POST /v1/webhooks/paypal
PayPal-Transmission-Id: 123
PayPal-Transmission-Time: 2026-05-18T12:00:00Z
PayPal-Transmission-Sig: ...
PayPal-Cert-Url: ...
PayPal-Auth-Algo: SHA256withRSA

Body contains the PayPal event JSON. Missing, malformed, stale, or mismatched signatures return 400 invalid signature.
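
The four failure cases above, sketched as an added example (not Syllecta's code), using PayPal's documented signed string: transmission id, transmission time, webhook id and the decimal CRC32 of the raw body, joined with "|". The five-minute freshness window, the *.paypal.com host check and passing the certificate in as PEM instead of fetching it are assumptions.

```javascript
// Added example, not Syllecta's implementation. Assumed: MAX_SKEW_MS, the
// *.paypal.com host check, and the caller supplying the certificate PEM.
const crypto = require("node:crypto");

const REQUIRED = ["paypal-transmission-id", "paypal-transmission-time",
  "paypal-transmission-sig", "paypal-auth-algo", "paypal-cert-url"];
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window

// CRC32 (IEEE) of the raw body; PayPal signs its decimal value.
function crc32(buf) {
  let crc = 0xffffffff;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// headers: lower-cased header map; rawBody: Buffer exactly as received;
// webhookId: the tenant's configured id; certPem: PEM obtained from PayPal-Cert-Url.
function verifyPayPalWebhook(headers, rawBody, webhookId, certPem, now = Date.now()) {
  for (const name of REQUIRED) {
    if (typeof headers[name] !== "string" || headers[name] === "") return "missing";
  }
  if (headers["paypal-auth-algo"] !== "SHA256withRSA") return "malformed";
  let certUrl;
  try { certUrl = new URL(headers["paypal-cert-url"]); } catch { return "malformed"; }
  if (certUrl.protocol !== "https:" || !certUrl.hostname.endsWith(".paypal.com")) {
    return "malformed";
  }
  const sentAt = Date.parse(headers["paypal-transmission-time"]);
  if (Number.isNaN(sentAt)) return "malformed";
  if (Math.abs(now - sentAt) > MAX_SKEW_MS) return "stale";

  // The webhook id comes from tenant configuration, never from the request.
  const signed = [headers["paypal-transmission-id"],
    headers["paypal-transmission-time"], webhookId, crc32(rawBody)].join("|");
  const ok = crypto.createVerify("RSA-SHA256").update(signed)
    .verify(certPem, headers["paypal-transmission-sig"], "base64");
  return ok ? "ok" : "mismatched";
}
```

Every result other than "ok" maps to the same 400 invalid signature response, so the sender does not learn which check failed. The CRC32 must be computed over the body bytes as received, before any JSON parsing.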

Braintree Status

Braintree webhooks use bt_signature and bt_payload, not PayPal transmission headers. The /v1/webhooks/braintree route is reserved, but live Braintree verification is not enabled until the Braintree gateway parser is wired and tested for the tenant.

Callback Handler

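// TypeScript (Express): handles the event Syllecta delivers to your callback URL.
import express from "express";
import { payments } from "./payments"; // hypothetical module: your own settlement service

const app = express();

app.post("/webhooks/syllecta", express.json(), async (req, res) => {
  const event = req.body;

  // Settle only completed PayPal sales; every other event is acknowledged and ignored.
  if (event.provider === "paypal" && event.type === "PAYMENT.SALE.COMPLETED") {
    await payments.settle(event.payload.resource.id);
  }

  res.json({ ok: true });
});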

References