Configuring Paddle

Peddle uses Cashier Paddle, so we need to set the environment variables that needs to function:

PADDLE_VENDOR_ID=
PADDLE_VENDOR_AUTH_CODE=
PADDLE_PUBLIC_KEY=

You can find your vendor id and auth code by going to Paddle's Authentication page. The vendor id is right at the top, and you need to click the "reveal" button, next to the "default" plan to see the auth code.

If you don't have a "default" integration, create a new integration and use the auth code that comes from that.

Then, go to Paddle's Public Key page; and copy the huge block of text you see there. Be sure to include the BEGIN and END lines, and place the whole thing between quotes, in your .env:

PADDLE_VENDOR_ID=123456
PADDLE_VENDOR_AUTH_CODE=abcdef...
PADDLE_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----"

The formatting looks a bit gross, compared to the rest of .env, but it works.

If you're seeing error messages containing the phrase "you don't have access to that plan" then these environment variables may be the cause. Make sure you haven't left anything out, added any additional lines to the public key, or used someone else's details.

You should also restart the artisan serve command between edits to this file, and .env is cached once per server execution.

Webhooks

Paddle needs to send us updates about successful subscriptions and cancellations etc. To do this, we need to have a public webhook Paddle can call, with info about transactions and accounts.

Peddle has this webhook built in, but you need to make sure your app doesn't require CSRF tokens for this endpoint; by adding the following exception to the VerifyCsrfToken middleware:

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        'peddle/webhook',
    ];
}

You also need to set up your webhooks in Paddle. Try using something like Ngrok to Expose to create a temporary public URL, while you're testing things out.

Remember that you need to update your APP_URL with that public domain (and restart the artisan serve command, if you're using it) before changes to .env take effect.