Search
My Cart

Vendors

Webhooks

Receive license events at your own HTTPS endpoints. When a buyer purchases, renews, refunds, or has their entitlement revoked, Packagento POSTs to every endpoint you have configured so your downstream systems (key issuers, activation servers, CRMs) stay in sync.

What it does

These webhooks are outbound: Packagento is the sender. They are separate from the inbound Git-provider webhooks that ingest your release tags - those live on a separate page. Repository ingest webhooks covers that flow.

Manage your endpoints on your vendor webhooks dashboard. Each row is one endpoint with its own bearer token, pause state, and event history.

Events you receive

  • license.created - a buyer purchased your package and the licence is freshly minted. Includes the buyer's project id, the package, and the licence key.
  • license.activated - the buyer's install activated the licence against a specific domain. Use this to pin the licence to that install on your side.
  • license.renewed - a subscription invoice paid, the licence window extended. The payload carries the new expires_at.
  • license.expired - the subscription window passed without renewal. Stop honouring the licence on your side until renewal arrives.
  • license.refunded - the purchase was refunded inside the refund window. Revoke the activation, the entitlement is gone.
  • license.revoked - the licence was administratively revoked (abuse report, chargeback, manual operator action). Treat the same as refunded.

Every payload is JSON, every payload includes the event type, the event uuid (for idempotency on your side), the livemode flag, and the timestamp.

Verifying a delivery

Every POST carries an Authorization: Bearer <token> header with the endpoint's active bearer token (the value shown on the endpoint detail page). Compare the header against your stored copy on every request before processing; reject any request that does not match with HTTP 401. Tokens rotate via the dashboard's "Rotate token" action; previous tokens stay valid for 24 hours after rotation so an in-flight delivery cannot be lost across a rotation.

Each event also includes its event_id in the payload. Dedupe on that id - Packagento will retry on transient errors so the same event can land twice.

Multiple endpoints

You can configure multiple endpoints per vendor account - useful for separate production / staging targets, or for fanning the same event out to a key issuer and a billing system. Each endpoint receives every event independently with its own bearer token and its own event history. Pausing or rotating one endpoint has no effect on the others.

What Packagento expects from your endpoint

  • Respond with 2xx within 10 seconds. Anything else is treated as a delivery failure.
  • Be idempotent on event_id. Retries arrive with the same event_id.
  • Accept HTTPS only. The dashboard will not save an http:// endpoint.

Retries and the circuit breaker

A failed delivery (non-2xx, timeout, network error) is retried with exponential backoff. After several consecutive failures Packagento trips a per-endpoint circuit breaker that pauses delivery to that endpoint and surfaces a banner on the dashboard. A daily recovery probe re-attempts the failing endpoint with a single probe event; if it succeeds the breaker resets automatically. You can also manually clear it by visiting the endpoint detail page once your downstream has recovered.

Sibling endpoints are unaffected. A breaker opening on one endpoint does not stop deliveries to the others.

Pause and resume

Pausing an endpoint queues subsequent events instead of delivering them. When you resume, the queued events flush in order. Useful when you need to take a downstream system down for planned maintenance without losing deliveries; for unplanned outages the circuit breaker handles things automatically.

Activation instructions for your buyers

If your extension requires a separate activation key on top of the buyer's Packagento Composer credentials, the dashboard lets you write a single block of activation instructions that buyers see on their licence page alongside the key. Keep it short and concrete (where to paste the key, where to find the licence settings in your module). Buyers refer back to it whenever they install or migrate the licence.

Event history and replay

Every delivery to every endpoint is logged: the request, the response status, the response body, the attempt number, and any error. The endpoint detail page shows the full history filtered to that endpoint with chips for Delivered / Errored / In flight. Errored events can be replayed individually or in bulk; replay re-uses the original event_id, so your idempotency layer will catch double-delivery cleanly.

Troubleshooting

  • All deliveries 401 on the receiving side: the bearer token on your side is out of date. Rotate the token on the dashboard, update both the issuer (Packagento) and the receiver (you), and replay the errored events.
  • Breaker keeps tripping: open the events tab on the endpoint detail page, filter to Errored, and look at the response bodies. The cause is usually one specific event type your handler chokes on; fix that, then replay-all-errors to clear the queue.
  • Events I expected never arrived: confirm the endpoint is not paused, check its event ledger for the relevant license_id, and check sibling endpoints in case the configuration drifted between them.