
Billing provider webhook receiver

POST /api/v1/credits/webhooks/polar

Receive and dispatch the billing provider payment webhooks.

Public endpoint: this is not Bearer-authenticated. The billing provider signs the raw request body using the Standard Webhooks scheme: webhook-id, webhook-timestamp, and webhook-signature headers, with an HMAC-SHA256 over {webhook-id}.{webhook-timestamp}.{body} keyed by polar_webhook_secret. Timestamps outside ±5 minutes are rejected. A mismatch returns 401. In non-dev environments a missing secret fails closed.
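A sketch of the verification described above, as an added example (not the service's own code). It assumes lower-cased header names, the Standard Webhooks `v1,<base64>` signature format with space-separated candidates, and that the secret's raw bytes are the HMAC key; `sign`, `verify` and `WebhookRejected` are hypothetical names.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the +/-5 minute window stated above


class WebhookRejected(Exception):
    """Hypothetical error type; the HTTP layer would map it to a 401."""


def sign(secret: bytes, msg_id: str, timestamp: str, raw_body: bytes) -> str:
    # Signed content is {webhook-id}.{webhook-timestamp}.{body}, built from the
    # raw bytes as received, never from re-serialized JSON.
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + raw_body
    digest = hmac.new(secret, signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(secret: bytes, headers: dict, raw_body: bytes, now=None) -> None:
    if not secret:  # fail closed when no secret is configured
        raise WebhookRejected("webhook secret not configured")
    try:
        msg_id = headers["webhook-id"]
        timestamp = headers["webhook-timestamp"]
        candidates = headers["webhook-signature"].split()
        sent_at = int(timestamp)
    except (KeyError, ValueError):
        raise WebhookRejected("missing or malformed signature headers")
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:  # bounds replay of old deliveries
        raise WebhookRejected("timestamp outside tolerance")
    expected = sign(secret, msg_id, timestamp, raw_body).encode()
    # Constant-time comparison; the header may carry several candidates.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        raise WebhookRejected("signature mismatch")


if __name__ == "__main__":
    # Constructed sample delivery; secret, id and body are made up.
    secret, body, ts = b"constructed-secret", b'{"type":"checkout.completed"}', str(int(time.time()))
    hdrs = {"webhook-id": "msg_constructed_1", "webhook-timestamp": ts,
            "webhook-signature": sign(secret, "msg_constructed_1", ts, body)}
    verify(secret, hdrs, body)
    print("accepted")
```

The body passed to `verify` must be the bytes read off the wire before any JSON parsing, since a re-encoded body will not reproduce the signature.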

Handled event types:

  • checkout.completed — credits the checkout's organization after re-verifying the checkout ownership against the billing provider API.

  • checkout.failed — logged and ignored.

  • Any other event — logged and ignored.

Rate-limit tier: webhook (60 req/minute).

Responses

Successful Response