Solved

Is the authorization header enough for validating a webhook's claims?

  • February 13, 2025
  • 1 reply


The webhook notification will provide the transaction id. I could somehow fetch its details from a RevenueCat receipt endpoint and match it against the webhook’s claims (since the request can be from anyone).

Or is it overkill, and should the shared Auth header be sufficient?



Ryan Glanz
RevenueCat Staff
  • Answer
  • February 17, 2025

We don’t surface the transaction id in our API, actually. So you can rely on the Auth header, but another strategy some developers use is to query this customer endpoint each time they get a webhook. That way you can verify the subscription in the webhook/customer matches (not by transaction id, but by identifier), and you can get the full customer details (in the case that the webhook omits some) to update your DB with (if you want).
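
The two checks discussed in this thread, as an added example that is not part of the original posts and is not RevenueCat's code: a constant-time comparison of the shared Authorization header, followed by a cross-check of the webhook's product identifier against the customer record. The field names (`event.app_user_id`, `event.product_id`, `subscriber.subscriptions`), the secret value and the `fetch_customer` callable are assumptions for illustration; the sample data is constructed.

```python
import hmac
import json

# Assumption: the value configured as the webhook's Authorization header.
EXPECTED_AUTH = "Bearer constructed-shared-secret"


def auth_header_ok(received, expected=EXPECTED_AUTH):
    """Constant-time comparison so the secret is not leaked through timing."""
    if not received:
        return False
    return hmac.compare_digest(received.encode(), expected.encode())


def verify_webhook(headers, raw_body, fetch_customer):
    """Return (accepted, reason, customer).

    fetch_customer(app_user_id) is a hypothetical callable wrapping the
    customer endpoint; it returns the parsed JSON, or None if unknown.
    """
    if not auth_header_ok(headers.get("Authorization")):
        return False, "bad authorization header", None
    try:
        event = json.loads(raw_body)["event"]
        user_id, product_id = event["app_user_id"], event["product_id"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed body", None
    # Treat the webhook as a hint only; the customer record is the source of truth.
    customer = fetch_customer(user_id)
    if customer is None:
        return False, "unknown customer", None
    subscriptions = customer.get("subscriber", {}).get("subscriptions", {})
    if product_id not in subscriptions:
        return False, "subscription not on customer record", customer
    return True, "ok", customer


# Constructed sample data standing in for the customer endpoint's response.
_FAKE_CUSTOMERS = {
    "user_123": {"subscriber": {"subscriptions": {"pro_monthly": {}}}},
}


def fake_fetch_customer(app_user_id):
    return _FAKE_CUSTOMERS.get(app_user_id)


def make_body(user_id, product_id):
    return json.dumps({"event": {"app_user_id": user_id, "product_id": product_id}})
```

Because the database update is driven by the returned customer record instead of the webhook body, a forged or stale notification cannot write values the customer endpoint does not confirm.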

