Ghost Webhooks Explained: How Payment Providers Talk to Your Membership Site
What actually happens between the moment a customer clicks "buy" and the moment Ghost grants them access? A plain-English guide to webhooks, retries, signature verification, and why they sometimes fail.
What is a webhook
A webhook is an HTTP POST request that one system sends to another when something happens. It is the opposite of polling: instead of your server asking "did anything change?" every few seconds, the other system proactively pushes a notification the moment an event occurs.
When a customer completes a payment, your payment provider does not wait for you to ask. It immediately sends a webhook to a URL you have configured, containing a JSON payload with all the event details.
The key difference from an API call: With a regular API call, you ask and they answer. With a webhook, they tell you without being asked. Webhooks are event-driven: they fire as soon as something happens on the other side, and if your endpoint does not acknowledge the delivery the provider sends the same event again, so your handler has to cope with seeing one event more than once.
The full payment flow, step by step
- Customer completes payment on your provider's checkout page (Polar, PayPal, etc.)
- Provider fires a signed webhook to PayGlue's endpoint
- PayGlue verifies the signature to confirm the request is genuine
- PayGlue normalizes the event into a common format
- PayGlue looks up which Ghost tier the product maps to
- PayGlue calls the Ghost Admin API to grant or revoke access
- Customer sees their Ghost account updated within seconds
Signature verification: why it matters
A webhook endpoint is a public URL. Anyone on the internet can send a POST request to it. Without signature verification, an attacker could send a fake "payment succeeded" event and get free membership access, or capture a genuine event and replay it later.
Every serious payment provider signs their webhooks using a shared secret. The signature is an HMAC (a keyed hash, usually HMAC-SHA256) over the raw request body, computed with your secret key. You verify it by computing the same HMAC over the exact bytes you received (not a re-serialized copy of the JSON) and comparing the two with a constant-time comparison. If they match, the request came from someone who holds the secret. Providers that include a timestamp in the signed data let you reject deliveries that are older than a few minutes, which stops replays of a captured event.
Signature support by provider:
- Polar: HMAC-SHA256 signature on every event
- Stripe: Stripe-Signature header carrying a timestamp and an HMAC-SHA256 over the timestamp plus body, so stale deliveries can be rejected
- PayPal: IPN verification (older system, less strict; you confirm a message by posting it back to PayPal rather than checking a signature)
- Zapier: no signature on outgoing webhook requests, so the only protection is keeping the endpoint URL secret and, where possible, checking a secret header or query value you configure yourself
What can go wrong
Webhooks can fail for many reasons. Your server could be temporarily down. A deploy could cause a brief restart. A network timeout might occur between the provider and your endpoint. The Ghost API could be rate-limited.
When a webhook delivery fails, providers usually try again a few times with growing gaps between attempts. But every provider eventually gives up, and the retry window varies from a few hours to a few days. If your server was down for longer than that window, you may have missed events permanently. Retries also mean the same event can arrive more than once, so the handler must be idempotent: record the provider's event ID and treat a repeat delivery as already done rather than granting access twice.
Retry logic and dead-letter queues
PayGlue implements its own retry logic independent of the provider. If the Ghost Admin API call fails, PayGlue retries with exponential backoff: after 30 seconds, then 2 minutes, then 10 minutes, then 1 hour. This covers temporary Ghost outages without losing the event.
If all retries are exhausted, the event moves to a dead-letter queue. You can see it in the dashboard and replay it manually with one click once the underlying issue is resolved. No purchase is ever silently dropped.
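The retry, dead-letter and replay behaviour described in this section, as an added example that is not PayGlue's own code. It uses the 30 s / 2 min / 10 min / 1 h schedule stated above, a stand-in for the Ghost Admin API that fails a configurable number of times, a virtual clock instead of real sleeps, and an idempotency set keyed on the provider's event ID so a redelivered event is not applied twice; the event fields, class and function names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Delay before each retry, in seconds, as described in the text.
BACKOFF_SCHEDULE = (30, 120, 600, 3600)


class GhostUnavailable(Exception):
    """Raised by the stand-in client when the Ghost Admin API call fails."""


@dataclass
class Event:
    id: str      # provider's event ID, used as the idempotency key
    email: str   # member to grant access to
    tier: str    # Ghost tier the product maps to


@dataclass
class Outcome:
    status: str                      # "delivered", "dead_letter" or "duplicate"
    attempts: int                    # Ghost API calls made for this delivery
    retry_delays: list = field(default_factory=list)  # seconds waited between attempts


class FlakyGhostClient:
    """Stand-in for the Ghost Admin API (constructed for the example):
    raises GhostUnavailable for the first `failures` calls, then succeeds."""

    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0
        self.members: dict[str, str] = {}

    def grant(self, email: str, tier: str) -> None:
        self.calls += 1
        if self.calls <= self.failures:
            raise GhostUnavailable("503 from Ghost")
        self.members[email] = tier


class Deliverer:
    """Applies a verified, normalized event to Ghost with retries and a DLQ."""

    def __init__(self, ghost: FlakyGhostClient, schedule=BACKOFF_SCHEDULE):
        self.ghost = ghost
        self.schedule = schedule
        self.processed: set[str] = set()       # event IDs already applied
        self.dead_letter: dict[str, Event] = {}  # exhausted events, by ID
        self.elapsed = 0                        # virtual clock, seconds

    def deliver(self, event: Event) -> Outcome:
        # Idempotency: a provider redelivery of an applied event is a no-op.
        if event.id in self.processed:
            return Outcome("duplicate", 0)
        delays: list[int] = []
        for attempt in range(len(self.schedule) + 1):
            try:
                self.ghost.grant(event.email, event.tier)
            except GhostUnavailable:
                if attempt == len(self.schedule):
                    # Schedule exhausted: park the event for manual replay.
                    self.dead_letter[event.id] = event
                    return Outcome("dead_letter", attempt + 1, delays)
                delay = self.schedule[attempt]
                delays.append(delay)
                self.elapsed += delay  # a real worker would sleep or enqueue a job here
                continue
            self.processed.add(event.id)
            return Outcome("delivered", attempt + 1, delays)

    def replay(self, event_id: str) -> Outcome:
        """The dashboard's one-click replay: take the event out of the DLQ and retry."""
        event = self.dead_letter.pop(event_id)
        return self.deliver(event)


if __name__ == "__main__":
    ghost = FlakyGhostClient(failures=2)
    worker = Deliverer(ghost)
    print(worker.deliver(Event("evt_1", "member@example.com", "gold")))
```

With two transient failures the event lands on the third call after waiting 30 s and then 2 min; with a persistent outage all five calls fail and the event goes to the dead-letter queue instead of being dropped, from where `replay` applies it once Ghost is back.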
Photo by Pricilla Parras on Unsplash