A list of tasks for developers to take to move an application that uses webhooks from Sandbox testing to a production environment.

Move Webhook Event Notifications to Production

When your application is ready to be moved from the Sandbox environment to production, there are several tasks you need to complete to manage webhook event notifications in production. These include the following:

  • Get production application credentials. In the Developer Dashboard, open your application, and then choose Production on the environment toggle at the top of the page. In the left pane, choose Credentials, and then copy the production application ID and the production access token.

  • Enter production subscription information. In the left pane, choose Webhooks, and then choose Subscriptions. Choose Add subscription, and then enter the webhook event subscription name and the production notification URL. Choose the API version, choose only the events your application needs, and then choose Save.

  • Update your access toke and application ID. Replace your Sandbox access token and application ID with production values in your application.

  • Update API calls. Update your code to make API calls to Square production endpoints.

  • Use idempotency. A generated idempotency value is included as the event_id field in the body of each event notification. Design your application to use this value to bypass processing if it is a repeated value.

  • Use message versioning. If your application passes Square data to another application, you should add versioning to the data before passing it to avoid duplication and to make auditing of the data transfer easier.

  • Validate the webhook event notification. A non-Square post can potentially compromise your application. All webhook notifications from Square include an x-square-signature header. The value of this header is an HMAC-SHA1 signature generated using your webhook signature key, the notification URL, and the raw body of the request. You can validate the webhook notification by generating the HMAC-SHA1 in your own code and comparing it to the signature of the event notification you received. For more information and code examples that show how to validate the signature of an event notification, see Verify and Validate an Event Notification.


The base URL for calling Sandbox endpoints is https://connect.squareupsandbox.com. When you move your application to production, you need production credentials and you need to use https://connect.squareup.com as the base URL.

If you need more assistance, contact Developer Support or ask for help in the Developer Forums.