Webhooks Always Returning 403 Forbidden – No Incoming Requests Reaching My Handler

Hello everyone,

I’m running into an issue where every test event I send from the Square Developer Dashboard (e.g. payment.created, payment.updated) returns 403 Forbidden and no request ever shows up in my server logs. Here’s what I’ve done so far:

  • Endpoint setup
    • Django REST Framework action with methods=['post'], no authentication or CSRF.
    • Immediately returns 200 OK at the top of the handler to isolate delivery.

  • Manual testing
    • Exposed my local dev server via a Cloudflare Tunnel.
    • curl -X POST -d '{}' to the same path returns 200 OK.

  • Signature verification
    • I extract x-square-hmacsha256-signature from headers.
    • I use is_valid_webhook_event_signature(body, signature, signature_key, notification_url) with:
      • The signature key from my webhook subscription.
      • The exact notification URL I registered (including trailing slash).
    • Even if I skip verification and log the very first line of the handler, nothing ever appears.

  • Cloudflare / Firewall
    • No WAF or firewall events blocking that specific path.
    • SSL/TLS in “Full (strict)” mode.

I’m at a loss why Square can’t deliver test events to my webhook. Has anyone else encountered this in a dev environment using tunnels? Are there any hidden Dashboard settings, signature pitfalls, or additional headers I need to configure?

Thanks in advance for any pointers or troubleshooting tips!

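Added example, not part of the original post and not Square's SDK code: a stand-alone sketch of the check the signature-verification bullet describes, assuming Square's scheme of base64(HMAC-SHA256(signature key, notification URL + raw request body)). The key, URL and event body are constructed sample values, and `sign`, `verify` and `first_matching_url` are hypothetical helper names; it shows that a dropped trailing slash or a re-serialized body fails verification.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the original post.
SIGNATURE_KEY = "constructed-signature-key"
REGISTERED_URL = "https://tunnel.example.com/api/webhooks/square/"
RAW_BODY = b'{"type":"payment.created","data":{"id":"constructed-id"}}'


def sign(raw_body: bytes, signature_key: str, notification_url: str) -> str:
    """base64(HMAC-SHA256(key, notification_url + raw_body))."""
    mac = hmac.new(signature_key.encode(), notification_url.encode() + raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(raw_body: bytes, header_value: str, signature_key: str, notification_url: str) -> bool:
    """Constant-time comparison; a missing header never verifies."""
    if not header_value:
        return False
    expected = sign(raw_body, signature_key, notification_url)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def first_matching_url(raw_body, header_value, signature_key, candidates):
    """Debug aid: which candidate URL (if any) the sender actually signed."""
    for url in candidates:
        if verify(raw_body, header_value, signature_key, url):
            return url
    return None


def demo() -> dict:
    header = sign(RAW_BODY, SIGNATURE_KEY, REGISTERED_URL)  # what the sender would attach
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()  # e.g. rebuilt from parsed JSON
    return {
        "exact": verify(RAW_BODY, header, SIGNATURE_KEY, REGISTERED_URL),
        "no_trailing_slash": verify(RAW_BODY, header, SIGNATURE_KEY, REGISTERED_URL.rstrip("/")),
        "reserialized_body": verify(reserialized, header, SIGNATURE_KEY, REGISTERED_URL),
        "signed_url": first_matching_url(RAW_BODY, header, SIGNATURE_KEY, [
            "http://localhost:8000/api/webhooks/square/",  # URL the app sees behind the tunnel
            REGISTERED_URL.rstrip("/"),
            REGISTERED_URL,
        ]),
    }


if __name__ == "__main__":
    print(demo())
```

In Django the bytes to verify are `request.body`. This check runs inside the handler, so it can only fail once a request has actually reached it.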