Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Laravel Stripe Webhooks
Assessments

Laravel Stripe Webhooks Laravel Package

spatie/laravel-stripe-webhooks

Laravel package to handle Stripe webhooks: verifies Stripe signatures, logs valid calls to the database, and dispatches configurable jobs or events per webhook type. Provides the plumbing for receiving and validating webhooks; you implement the business logic.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Event-Driven Alignment: The package excels in Laravel’s event-driven architecture, seamlessly integrating Stripe webhooks into Laravel’s job/event ecosystem. It aligns with Laravel’s queue system, making it ideal for async processing of payment events (e.g., subscriptions, charges, refunds).
  • Separation of Concerns: Decouples webhook validation (signature verification, deduplication) from business logic, adhering to Laravel’s modular design. Business logic is offloaded to custom jobs/listeners, keeping the core package lean.
  • Extensibility: Supports custom profiles, models, and job handling, allowing TPMs to adapt it for complex workflows (e.g., multi-tenant Stripe Connect setups).

Integration Feasibility

  • Low Friction: Requires minimal setup (config publish, migration, route definition) and leverages Laravel’s native features (queues, events, middleware). No need for external dependencies beyond Stripe’s PHP SDK.
  • Stripe SDK Compatibility: Works with Stripe’s PHP SDK, enabling easy payload transformation (e.g., converting JSON to Stripe\Event objects) for richer business logic.
  • Idempotency: Built-in deduplication via webhook_calls table prevents duplicate processing, critical for financial transactions.

Technical Risk

  • Signature Verification: Disabling verify_signature in dev (as recommended) introduces risk of malicious webhook spoofing. Must enforce strict signing in production.
  • Queue Dependencies: Async processing relies on Laravel queues. Poorly configured queues (e.g., no retries, insufficient workers) could lead to missed events or timeouts.
  • Payload Size: Stripe webhooks can include large payloads (e.g., for customer.created). The payload column in the webhook_calls table uses text, but custom models might need adjustments for very large data.
  • Stripe API Changes: Stripe’s event types or payload structures may evolve. The package abstracts this well, but custom logic in jobs/listeners could break without updates.

Key Questions

  1. Queue Strategy:

    • How will we handle queue backlogs? Are we using dedicated workers for Stripe jobs, or will they share queues with other tasks?
    • What retry policies are needed for failed jobs (e.g., transient failures vs. business logic errors)?

  2. Error Handling:

    • How will we monitor and alert on WebhookFailed exceptions or job failures? (e.g., Laravel Horizon, Sentry)
    • Should we implement a dead-letter queue for unrecoverable failures?

  3. Testing:

    • How will we test webhook handlers? (e.g., mocking Stripe events, replaying failed webhooks)
    • Are we using tools like stripe-cli for local testing?

  4. Scaling:

    • Will we need to partition the webhook_calls table (e.g., by tenant or date) for large-scale deployments?
    • How will we handle rate limits if Stripe retries webhooks aggressively?

  5. Multi-Environment:

    • How will we manage signing secrets across dev/staging/prod? (e.g., environment variables, Vault)
    • Do we need to support multiple signing secrets (e.g., for Stripe Connect)?

  6. Compliance:

    • Are we logging webhook payloads in compliance with PCI/DSP2 requirements? If so, how will we secure the webhook_calls table?

Integration Approach

Stack Fit

  • Laravel Ecosystem: Perfectly aligned with Laravel’s queue workers, events, and middleware. No additional infrastructure needed beyond Laravel’s core.
  • Stripe SDK: Leverages Stripe’s PHP SDK for payload transformation, reducing boilerplate for accessing Stripe objects/methods.
  • Database: Uses Laravel migrations for the webhook_calls table, ensuring consistency with the app’s database schema.

Migration Path

  1. Assessment Phase:

    • Audit existing Stripe webhook handling (if any) for gaps (e.g., missing signature verification, no deduplication).
    • Identify critical event types (e.g., payment_intent.succeeded, invoice.payment_failed) to prioritize in the migration.

  2. Setup:

    • Install the package and publish config/migrations: 
      composer require spatie/laravel-stripe-webhooks
php artisan vendor:publish --provider="Spatie\StripeWebhooks\StripeWebhooksServiceProvider"
php artisan vendor:publish --provider="Spatie\WebhookClient\WebhookClientServiceProvider" --tag="webhook-client-migrations"
php artisan migrate
    • Configure the Stripe webhook endpoint in routes/web.php: 
      Route::stripeWebhooks('stripe/webhooks');
    • Exclude the route from CSRF middleware.

  3. Implementation:

    • Phase 1: Implement signature verification and logging. Test with Stripe’s test events.
    • Phase 2: Define jobs/listeners for critical events (e.g., charge.succeeded → update user subscription).
    • Phase 3: Add custom logic (e.g., retry failed webhooks, transform payloads to Stripe objects).

  4. Cutover:

    • Update Stripe dashboard to point to the new endpoint.
    • Gradually enable webhook events in Stripe (use Stripe CLI to simulate events during testing).

Compatibility

  • Laravel Versions: Supports Laravel 8+ (check composer.json for exact versions). Ensure compatibility with your Laravel version.
  • PHP Version: Requires PHP 8.0+. Verify your server meets this requirement.
  • Stripe SDK: Uses Stripe PHP SDK v7+. Confirm your project’s SDK version is compatible.
  • Queue Drivers: Works with any Laravel queue driver (database, Redis, etc.), but async drivers (Redis) are recommended for performance.

Sequencing

  1. Core Setup: Install, configure, and test the package’s baseline functionality (signature verification, logging).
  2. Critical Events: Implement jobs/listeners for high-priority events (e.g., payments, subscriptions).
  3. Edge Cases: Handle retries, failed jobs, and custom logic (e.g., multi-secret support for Stripe Connect).
  4. Monitoring: Set up alerts for failed webhooks or job failures.
  5. Optimization: Profile queue performance and adjust worker counts/retries as needed.

Operational Impact

Maintenance

  • Package Updates: Monitor for updates to spatie/laravel-stripe-webhooks and spatie/webhook-client. Test upgrades in staging before production.
  • Config Management: Centralize signing secrets and queue configurations (e.g., using Laravel Envoy or Ansible).
  • Deprecations: Watch for changes in Stripe’s event types or payload structures that may require updates to jobs/listeners.

Support

  • Debugging: Use the webhook_calls table to replay and debug failed webhooks: 
    // Replay a failed webhook
dispatch(new \Spatie\StripeWebhooks\ProcessStripeWebhookJob(WebhookCall::find($id)));
  • Logging: Ensure job failures are logged (e.g., via Laravel’s failed_jobs table or a monitoring tool).
  • Stripe Dashboard: Use Stripe’s webhook logs to correlate events with your application logs.

Scaling

  • Queue Performance:
    • Scale queue workers horizontally (e.g., using Laravel Forge, Kubernetes) to handle high volumes of webhooks.
    • Monitor queue length and adjust worker counts during peak traffic (e.g., subscription renewals).
  • Database:
    • Consider partitioning the webhook_calls table by date or tenant for large-scale apps.
    • Archive old webhook logs to a separate table or storage to avoid bloat.
  • Retries:
    • Configure job retries wisely (e.g., exponential backoff for transient failures).
    • Implement a dead-letter queue for jobs that fail repeatedly due to business logic errors.

Failure Modes

Failure Scenario Impact Mitigation
Invalid signature Rejected webhook, no processing Ensure verify_signature is enabled in production; monitor WebhookFailed exceptions.
Queue overload Delayed or missed webhooks Scale workers; implement circuit breakers for critical events.
Database connection issues Failed logging, replay impossible Use a robust database with backups; implement local retries for transient failures.
Stripe API changes Broken payload parsing Test with Stripe’s test events; use SDK version pinning.
Job failure (e.g., business logic) Inconsistent state Implement idempotency in jobs; log failures for review.
Deduplication collision Duplicate processing Use unique identifiers (e.g., payload->id) in shouldProcess logic.

Ramp-Up

  • Onboarding:
    • Document the webhook flow for developers (e.g., how to add new event handlers).
    • Provide a runbook for common issues (e
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
hexters/coinpayment
rjcodes/rjcms
act-training/laravel-permissions-manager
alimarchal/laravel-chart-of-accounts
babenkoivan/elastic-scout-driver
mkwebdesign/filament-watchdog-v5
renatomarinho/laravel-page-speed
zedmagdy/filament-business-hours
renatovdemoura/blade-elements-ui
devgeek/beacon-admin
benjamin-rqt/data-watcher-bundle
atriumphp/atrium
sandermuller/package-boost-laravel
sandermuller/boost-skills
redaxo/core
yusufgenc/filament-api-forge
l3aro/rating-star-for-filament
leek/filament-subtenant-scope
anil/file-picker
broqit/fields-ai