The 403 error in webhooks can be caused mainly by two factors:
- That you do not have the CSRF middleware disabled
- That you do not have the webhooks environment variable configured correctly
Disable CSRF for webhook routes
You do this in the App\Http\Middleware\VerifyCsrfToken class.
There you have to define a “protected” $except property that lists the webhook routes:
protected $except = ['stripe/*'];
Setting environment variables
In your .env file you need to specify the environment variable of the webhook. That variable will look like this in your .env file:
STRIPE_WEBHOOK_SECRET=whsec_vxxxxxyyyyzzzz
You have to get the value of the variable from the Stripe panel: on the webhook configuration screen, click the link that says “Reveal”, located next to the “Signature secret” label. Copy it into your .env file and you’re done!
Incorrect routes
Of course, you also have to verify that the URL your webhook is sent to is correct. When creating the webhook in Stripe, the URL has to end in “/stripe/webhook”, something like:
http://example.com/stripe/webhook
Although I don’t think it’s a problem with the URL, because if it’s a 403 it seems to be due to the two problems mentioned before.
API version
Oh! Another thing that could cause problems is the version of the API that you have configured in the webhook. You need to check that it is the correct one, the one that your version of Cashier uses. Consult the documentation to define the version of the API to use in the webhook.