Example: PayPal / Braintree Webhooks

Overview

Syllecta verifies PayPal/Braintree signatures and normalizes the payloads before forwarding them to your backend.

Configuration

  1. Store the provider secret/cert in Backoffice (per tenant/provider).
  2. Set the provider webhook to https://cloud.syllecta.example/v1/webhooks/paypal (or braintree).
  3. Ensure PayPal sends the required verification headers (PAYPAL-TRANSMISSION-ID, PAYPAL-AUTH-ALGO, etc.).

Flow

  1. PayPal/Braintree sends the event with the required headers.
  2. Syllecta validates the payload, rejects events whose signature does not verify, and prevents duplicates.
  3. Successful events are logged and forwarded to your callback URL.

Example Request (simplified)

POST /v1/webhooks/paypal
PayPal-Transmission-Id: 123
PayPal-Transmission-Time: 2023-10-01T00:00:00Z
PayPal-Transmission-Sig: ...
PayPal-Cert-Url: ...
PayPal-Auth-Algo: SHA256withRSA
Webhook-Id: your-webhook-id

Body contains PayPal event JSON.

Callback Handler

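```ts
import express from "express";
import { payments } from "./payments"; // your own settlement service (path is a placeholder)

const app = express();

// Receives events that Syllecta has already verified and normalized.
app.post("/webhooks/syllecta", express.json(), async (req, res) => {
  const event = req.body;
  if (event.provider === "paypal" && event.type === "PAYMENT.SALE.COMPLETED") {
    await payments.settle(event.data.saleId);
  }
  res.json({ ok: true });
});
```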

The handler receives the normalized provider/type fields, so you can branch for PayPal vs. Braintree events without duplicating verification logic.

Error Cases

  • Invalid transmission signature → 400.
  • Unknown webhook ID → 403.
  • Missing callback → delivery_failed status.
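
To make step 2 of the flow and the 400/403 cases above concrete, here is an added sketch (plain JavaScript, not Syllecta's code) of the check PayPal documents for these headers: an RSA-SHA256 signature over `transmissionId|transmissionTime|webhookId|crc32(rawBody)`. Assumptions: the function names, the in-memory duplicate set, answering a duplicate with 200 without forwarding, and a key map standing in for the certificate fetched from PayPal-Cert-Url.

```javascript
const crypto = require("node:crypto");

// CRC32 (IEEE) of the raw body bytes; its decimal value is what gets signed.
function crc32(buf) {
  let crc = 0xffffffff;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

const seen = new Set(); // accepted transmission IDs (in-memory; assumption for the sketch)

// webhooks: Map of webhook ID -> public key (assumption: the key was already taken from
// a certificate fetched from PayPal-Cert-Url after validating its host and chain).
function verifyPaypalWebhook(headers, rawBody, webhooks) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // names are case-insensitive
  const key = webhooks.get(h["webhook-id"]);
  if (!key) return { status: 403, forward: false }; // unknown webhook ID
  if (h["paypal-auth-algo"] !== "SHA256withRSA") return { status: 400, forward: false };
  const id = h["paypal-transmission-id"];
  const signed = [id, h["paypal-transmission-time"], h["webhook-id"], crc32(rawBody)].join("|");
  const sig = Buffer.from(h["paypal-transmission-sig"] || "", "base64");
  if (!crypto.verify("sha256", Buffer.from(signed), key, sig)) {
    return { status: 400, forward: false }; // invalid transmission signature
  }
  if (seen.has(id)) return { status: 200, forward: false }; // duplicate: acknowledge, do not forward (assumption)
  seen.add(id);
  return { status: 200, forward: true };
}

// Constructed sample: a throwaway key pair stands in for PayPal's signing certificate.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const body = Buffer.from('{"event_type":"PAYMENT.SALE.COMPLETED"}');
  const headers = { "PayPal-Transmission-Id": "123", "PayPal-Transmission-Time": "2023-10-01T00:00:00Z",
    "PayPal-Auth-Algo": "SHA256withRSA", "Webhook-Id": "your-webhook-id" };
  const toSign = `123|2023-10-01T00:00:00Z|your-webhook-id|${crc32(body)}`;
  headers["PayPal-Transmission-Sig"] = crypto.sign("sha256", Buffer.from(toSign), privateKey).toString("base64");
  const hooks = new Map([["your-webhook-id", publicKey]]);
  const tampered = Buffer.from('{"event_type":"PAYMENT.SALE.REFUNDED"}');
  return [verifyPaypalWebhook(headers, tampered, hooks), verifyPaypalWebhook(headers, body, hooks),
    verifyPaypalWebhook(headers, body, hooks), verifyPaypalWebhook(headers, body, new Map())];
}
```

The signature covers the CRC32 of the exact bytes received, so verification has to run on the raw request body before any JSON parsing or re-serialization.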
