# PayPal Subscription Webhook Specification > **Document Version:** 1.0 > **Date:** 2026-04-07 > **Reference:** https://developer.paypal.com/docs/subscriptions/reference/webhooks/ --- ## Overview This document defines the complete logic for handling PayPal subscription webhook callbacks in LearnPress. All events follow PayPal's official documentation and LearnPress subscription lifecycle rules. --- ## 1. Webhook Endpoint | Item | Value | |---|---| | **Endpoint URL** | `/wp-json/lp/v1/gateways/paypal/subscription-webhook` | | **Method** | `POST` | | **Authentication** | PayPal webhook signature verification | | **Response Status** | Always return `200 OK` for valid requests | โœ… **Important:** PayPal will retry webhook delivery **exponentially** for up to 3 days for any non-2xx response. Always return 200 even for unhandled or duplicate events. --- ## 2. Processing Pipeline All webhook events go through this exact order: ``` 1. ๐Ÿ” Signature Verification โ”œโ”€ Extract all PayPal headers โ”œโ”€ Call PayPal verify API endpoint โ””โ”€ FAIL โ†’ Return 403 (do not process) 2. ๐Ÿงพ Payload Validation โ”œโ”€ Parse JSON payload โ”œโ”€ Validate event structure โ””โ”€ FAIL โ†’ Return 400 3. ๐Ÿ†” Event Duplicate Check โ”œโ”€ Check if event ID has been processed before โ””โ”€ ALREADY_PROCESSED โ†’ Return 200 OK 4. ๐Ÿ“ฆ Event Dispatching โ”œโ”€ Lookup event handler from event map โ”œโ”€ Execute handler logic โ””โ”€ NO_HANDLER โ†’ Return 200 OK 5. โœ… Mark Processed โ””โ”€ Store event ID as processed 6. ๐Ÿ“จ Return Response โ””โ”€ Always 200 OK ``` --- ## 3. Event Handler Matrix This is the official mapping of PayPal event types to LearnPress actions: | PayPal Event Type | LearnPress Action | Order Status | Subscription Status | Notes | |---|---|---|---|---| | **`BILLING.SUBSCRIPTION.CREATED`** | Store PayPal subscription ID | `pending` | `pending` | First event received when user subscribes | | **`BILLING.SUBSCRIPTION.ACTIVATED`** | Activate subscription, grant course access | `completed` | `active` | Payment successfully authorized | | **`BILLING.SUBSCRIPTION.CANCELLED`** | Schedule cancellation at period end | `completed` | `active` | โ— **DO NOT CANCEL IMMEDIATELY** - user paid for current period | | **`BILLING.SUBSCRIPTION.SUSPENDED`** | Suspend subscription, revoke access | `on-hold` | `on-hold` | PayPal suspended after failed payments | | **`BILLING.SUBSCRIPTION.EXPIRED`** | Expire subscription permanently | `completed` | `expired` | Subscription reached end date | | **`BILLING.SUBSCRIPTION.PAYMENT.FAILED`** | Log failure, send notification | `failed` | `active` | PayPal will retry 3 times before suspending | | **`PAYMENT.SALE.COMPLETED`** | Process renewal payment, extend subscription | `completed` | `active` | Recurring payment received successfully | | **`PAYMENT.SALE.REFUNDED`** | Refund order, adjust access | `refunded` | *depends* | Full refund = revoke access immediately | | **`PAYMENT.SALE.REVERSED`** | Chargeback / dispute | `refunded` | `suspended` | โ— **IMMEDIATELY REVOKE ACCESS** | --- ## 4. State Transition Rules ### โœ… Normal Successful Flow ``` CREATED โ†’ ACTIVATED โ†’ [PAYMENT.COMPLETED] (repeat monthly) โ†’ [CANCELLED / EXPIRED] ``` ### โŒ Failed Payment Flow ``` PAYMENT.FAILED โ†’ (Retry 1) โ†’ (Retry 2) โ†’ (Retry 3) โ†’ SUSPENDED ``` ### โš ๏ธ Chargeback Flow ``` PAYMENT.REVERSED โ†’ SUSPENDED (immediately) ``` --- ## 5. Idempotency Rules All handlers **MUST** be idempotent: 1. Always check existing state before making changes 2. Never process the same event ID twice 3. Processing an event multiple times produces exactly the same result 4. No side effects on duplicate delivery Stored event IDs are kept for **90 days** after processing. --- ## 6. Error Handling | Scenario | Response Code | Action | |---|---|---| | Invalid signature | `403 Forbidden` | Log error, do not process | | Invalid JSON payload | `400 Bad Request` | Log error | | Missing required headers | `400 Bad Request` | Log error | | Gateway not enabled | `404 Not Found` | Log error | | Duplicate event | `200 OK` | Silently ignore | | Unhandled event type | `200 OK` | Log for reference | | Handler execution failed | `200 OK` | Log full error, PayPal will retry | --- ## 7. Logging Requirements All webhook events **MUST** log: - Event ID - Event type - PayPal subscription ID - Processing result (success/failure) - Full error message on failure Logs are stored in: `wp-content/uploads/learnpress/logs/paypal-webhooks.log` --- ## 8. Testing Scenarios Required test cases for implementation: | Test Case | Expected Result | |---|---| | Valid signature | Event processed successfully | | Invalid signature | 403 response, no changes | | Duplicate event ID | 200 response, no changes | | Unhandled event type | 200 response, logged | | Order not found | 200 response, logged | | Event processed out of order | State remains correct | --- ## Reference Documents - [PayPal Subscription Webhooks Official Docs](https://developer.paypal.com/docs/subscriptions/reference/webhooks/) - [PayPal Webhook Verification](https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature) - [LearnPress Subscription Lifecycle](internal://docs/subscriptions/lifecycle.md)