Stripe Webhook
Stripe is the default billing provider when BILLING_PROVIDER=stripe. Without a webhook, Sosyabot doesn't see successful payments or subscription changes — your users will pay but the workspace won't unlock.
Endpoint
`<BASE_URL>/api/v1/webhooks/billing/stripe`The signing secret must match the value in your .env:
STRIPE_WEBHOOK_SECRET=whsec_...Events to subscribe to
In the Stripe dashboard, register the endpoint and select these event types:
payment_intent.succeededpayment_intent.payment_failedsubscription_schedule.createdsubscription_schedule.updatedsubscription_schedule.canceledinvoice.paidinvoice.payment_failedcustomer.subscription.createdcustomer.subscription.updatedcustomer.subscription.deleted
Local development
Use the Stripe CLI:
stripe listen --forward-to localhost:4200/api/v1/webhooks/billing/stripeThe CLI prints a temporary whsec_... — paste it into your local .env and restart the API.
Verification
Sosyabot verifies every inbound webhook by computing the HMAC-SHA256 signature against the raw body using STRIPE_WEBHOOK_SECRET. Verification failures return 400 invalid signature and the event is dropped — Stripe will retry per its standard backoff schedule.
Don't reuse the secret across environments
Each Stripe environment (test mode, live mode, CLI listener) has a distinct signing secret. Rotating environments without rotating STRIPE_WEBHOOK_SECRET will silently 400 every event.