Hi Guys,
Is there a webhook API method to create a listener for payment status updates. e.g. Refunded, void auth, captured auth etc?
I can’t see this ability in the PHP SDK.
Thanks!! 
Currently there isn’t a programmatic way to subscribe to webhooks. Currently the only way to subscribe to events is in the app you create on the Developer Dashboard. 
Thanks for the reply. For a use case think of a ecommerce software provider such a CubeCart, Magento etc… The web hooks could be created automatically instead of leaving (often non technical) merchants this liability to setup. The store can then operate smoothly without these very manual steps.
PayPal has this functionality in their API. Webhooks Management
I hope you can add this to the development roadmap.
Right, for apps that require the seller to create an app in the Developer Dashboard that is the case however we don’t recommend building apps that require the seller to do that. Bad things can happen as you mentioned when non technical people configure apps. To avoid all the confusion entirely you should be using OAuth.
Hi Bryan, not sure if I should create another topic for this or not, but it does seem related.
At the moment there is no ability to include a webhook in each request, something that many other APIs supply; bearing in mind that Square is a bank and it’s often harder and more expensive to implement what seems “simple” in the outside world.
When my users purchase my module (part of a very well known eCommerce package used in the hosting industry), I want them to use oAuth to sign in (ie app in Developer Dashboard). They’d go to my settings page, and login via oAuth whereupon they would inherit the webhook settings etc. I want to do this for three reasons:
- oAuth is superior from a security point of view;
- I want them to inherit webhook settings, most won’t get it right;
- I want to use the app_fee_money ability so I can use micro-charges to finance support.
The problem is though, the webhook URLs used will be the ones entered in my dashboard which refer to my site rather than to their site, ie: mydevbusiness.com/central_hook.php.
Currently I’m proxying the webhook hits through to the end-user site, but obviously that opens a can of worms as far as security is concerned. I am enforcing SSL, and re-signing the body with a new key (unique to each end-user site). Also, deliberately, we’re only listening to a small set of webhooks - things like cards being updated/deleted/forgotten, refunds, new locations. It’s possible to use the merchant_id in the webhook data packet to uniquely identify the target end-user webhook, and locations could also be used where a client has multiple implementations (probably rare).
Is there another way to do this? Is this solution acceptable with Square for now? Note that I didn’t have to implement retry, as I just do a live proxy and return the result on the fly as Square retries - it does mean the client only has about 5-6 seconds instead of 10 to get a 200 response code back, but that should be possible (this is because the limit is 10 seconds, and giving the main proxy 4 seconds to run).
I just thought I’d shed light on what may be a different category of use-case, in case that’s helpful, and obviously I’m keen on feedback.
Cheers,
Brian
Thanks for the feedback! I’ve shared this with the team and at this time there isn’t any alternative they currently suggest.