Example: PayPal / Braintree Webhooks
Overview
PayPal and Braintree are related payment products, but their webhook verification contracts are different. Syllecta keeps them separate so a tenant cannot accidentally rely on PayPal-style verification for Braintree traffic.
Current status:
- PayPal is available only in controlled rollout. It requires PayPal transmission headers and tenant-specific webhook configuration before live traffic is accepted.
- Braintree is reserved until the official
bt_signature+bt_payloadparser is enabled.
PayPal Setup
- Store the PayPal webhook id/secret configuration in Backoffice for the tenant.
- Set the provider webhook to https://api.syllecta.com/v1/webhooks/paypal.
- Confirm the inbound request includes
PayPal-Transmission-Id,PayPal-Transmission-Time,PayPal-Transmission-Sig,PayPal-Auth-Algo, andPayPal-Cert-Url.
PayPal Request Shape
POST /v1/webhooks/paypal PayPal-Transmission-Id: 123 PayPal-Transmission-Time: 2026-05-18T12:00:00Z PayPal-Transmission-Sig: ... PayPal-Cert-Url: ... PayPal-Auth-Algo: SHA256withRSA
Body contains the PayPal event JSON. Missing, malformed, stale, or mismatched signatures return 400 invalid signature.
Braintree Status
Braintree webhooks use bt_signature and bt_payload, not PayPal transmission headers. The /v1/webhooks/braintree route is reserved, but live Braintree verification is not enabled until the Braintree gateway parser is wired and tested for the tenant.
Callback Handler
ts
app.post("/webhooks/syllecta", express.json(), async (req, res) => { const event = req.body; if (event.provider === "paypal" && event.type === "PAYMENT.SALE.COMPLETED") { await payments.settle(event.payload.resource.id); } res.json({ ok: true }); });