thread Webhooks Always Returning 403 Forbidden – No Incoming Requests Reaching My Handler in Foro de la Comunidad Square https://community.squareup.com/t5/Foro-de-la-Comunidad-Square/Webhooks-Always-Returning-403-Forbidden-No-Incoming-Requests/m-p/790563#M49 <P class="">Hello everyone,</P><P class="">&nbsp;</P><P class="">I’m running into an issue where every test event I send from the Square Developer Dashboard (e.g.&nbsp;<SPAN class="">payment.created</SPAN>, <SPAN class="">payment.updated</SPAN>) returns <SPAN class=""><STRONG>403 Forbidden</STRONG></SPAN> and <SPAN class=""><STRONG>no</STRONG></SPAN> request ever shows up in my server logs. Here’s what I’ve done so far:</P><P class="">&nbsp;</P><UL><LI><P class=""><STRONG>Endpoint setup</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">Django REST Framework action with <SPAN class="">methods=['post']</SPAN>, no authentication or CSRF.</P></LI><LI><P class="">Immediately returns <SPAN class="">200 OK</SPAN> at the top of the handler to isolate delivery.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Manual testing</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">Exposed my local dev server via a Cloudflare Tunnel.</P></LI><LI><P class=""><SPAN class="">curl -X POST -d '{}'</SPAN> to the same path returns <SPAN class="">200 OK</SPAN>.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Signature verification</STRONG></P><P class="">&nbsp;</P><UL><LI><P class=""><SPAN class="">I extract </SPAN>x-square-hmacsha256-signature<SPAN class=""> from headers.</SPAN></P></LI><LI><P class=""><SPAN class="">I use </SPAN>is_valid_webhook_event_signature(body, signature, signature_key, notification_url)<SPAN class=""> with:</SPAN></P><P class="">&nbsp;</P><UL><LI><P class="">The <SPAN class=""><STRONG>signature key</STRONG></SPAN> from my webhook subscription.</P></LI><LI><P class="">The exact notification URL I registered (including trailing slash).</P></LI></UL><P>&nbsp;</P></LI><LI><P class="">Even if I skip verification and log the very first line of the handler, nothing ever appears.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Cloudflare / Firewall</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">No WAF or firewall events blocking that specific path.</P></LI><LI><P class="">SSL/TLS in “Full (strict)” mode.</P></LI></UL><P>&nbsp;</P></LI></UL><P class="">I’m at a loss why Square can’t deliver test events to my webhook. Has anyone else encountered this in a dev environment using tunnels? Are there any hidden Dashboard settings, signature pitfalls, or additional headers I need to configure?</P><P class="">&nbsp;</P><P class="">Thanks in advance for any pointers or troubleshooting tips!</P> Sun, 21 Sep 2025 12:02:17 GMT webiscleaning 2025-09-21T12:02:17Z Webhooks Always Returning 403 Forbidden – No Incoming Requests Reaching My Handler https://community.squareup.com/t5/Foro-de-la-Comunidad-Square/Webhooks-Always-Returning-403-Forbidden-No-Incoming-Requests/m-p/790563#M49 <P class="">Hello everyone,</P><P class="">&nbsp;</P><P class="">I’m running into an issue where every test event I send from the Square Developer Dashboard (e.g.&nbsp;<SPAN class="">payment.created</SPAN>, <SPAN class="">payment.updated</SPAN>) returns <SPAN class=""><STRONG>403 Forbidden</STRONG></SPAN> and <SPAN class=""><STRONG>no</STRONG></SPAN> request ever shows up in my server logs. Here’s what I’ve done so far:</P><P class="">&nbsp;</P><UL><LI><P class=""><STRONG>Endpoint setup</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">Django REST Framework action with <SPAN class="">methods=['post']</SPAN>, no authentication or CSRF.</P></LI><LI><P class="">Immediately returns <SPAN class="">200 OK</SPAN> at the top of the handler to isolate delivery.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Manual testing</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">Exposed my local dev server via a Cloudflare Tunnel.</P></LI><LI><P class=""><SPAN class="">curl -X POST -d '{}'</SPAN> to the same path returns <SPAN class="">200 OK</SPAN>.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Signature verification</STRONG></P><P class="">&nbsp;</P><UL><LI><P class=""><SPAN class="">I extract </SPAN>x-square-hmacsha256-signature<SPAN class=""> from headers.</SPAN></P></LI><LI><P class=""><SPAN class="">I use </SPAN>is_valid_webhook_event_signature(body, signature, signature_key, notification_url)<SPAN class=""> with:</SPAN></P><P class="">&nbsp;</P><UL><LI><P class="">The <SPAN class=""><STRONG>signature key</STRONG></SPAN> from my webhook subscription.</P></LI><LI><P class="">The exact notification URL I registered (including trailing slash).</P></LI></UL><P>&nbsp;</P></LI><LI><P class="">Even if I skip verification and log the very first line of the handler, nothing ever appears.</P></LI></UL><P>&nbsp;</P></LI><LI><P class=""><STRONG>Cloudflare / Firewall</STRONG></P><P class="">&nbsp;</P><UL><LI><P class="">No WAF or firewall events blocking that specific path.</P></LI><LI><P class="">SSL/TLS in “Full (strict)” mode.</P></LI></UL><P>&nbsp;</P></LI></UL><P class="">I’m at a loss why Square can’t deliver test events to my webhook. Has anyone else encountered this in a dev environment using tunnels? Are there any hidden Dashboard settings, signature pitfalls, or additional headers I need to configure?</P><P class="">&nbsp;</P><P class="">Thanks in advance for any pointers or troubleshooting tips!</P> Sun, 21 Sep 2025 12:02:17 GMT https://community.squareup.com/t5/Foro-de-la-Comunidad-Square/Webhooks-Always-Returning-403-Forbidden-No-Incoming-Requests/m-p/790563#M49 webiscleaning 2025-09-21T12:02:17Z