Setting up dispute webhooks (Stripe + PayPal)
The chargeback feedback loop is the single biggest accuracy upgrade WooFraudGuard offers. Wiring it up takes about 10 minutes per gateway.
Stripe webhook
- In Stripe Dashboard, go to Developers → Webhooks → Add endpoint.
- For the URL, use
https://yourstore.com/wp-json/woofraudguard/v1/webhooks/stripe. - Subscribe to
charge.dispute.createdandcharge.dispute.funds_withdrawn. - After saving, click Reveal on the signing secret (starts with
whsec_). - Paste it into WooFraudGuard → Settings → Privacy & API keys → Stripe webhook signing secret.
Stripe signs every webhook request with the secret. WooFraudGuard verifies the HMAC-SHA256 signature on receipt and rejects anything that doesn\’t match — there\’s no path for a third party to inject fake chargebacks.
PayPal webhook
- In PayPal Developer Dashboard, go to Apps & Credentials and create a REST API app.
- Copy the Client ID and Secret.
- Paste both into WooFraudGuard → Settings → Privacy & API keys → PayPal REST API client ID / secret.
- In the same PayPal dashboard, go to Webhooks → Add webhook.
- For the URL, use
https://yourstore.com/wp-json/woofraudguard/v1/webhooks/paypal. - Subscribe to
CUSTOMER.DISPUTE.CREATEDandCUSTOMER.DISPUTE.UPDATED. - PayPal assigns the webhook an ID (e.g.
5GP123…). Paste it into PayPal webhook ID.
For each incoming webhook, WooFraudGuard fetches an OAuth2 token (using your REST credentials) and calls PayPal\’s /v1/notifications/verify-webhook-signature endpoint to confirm the webhook is legitimate. This is the modern PayPal verification flow — it replaces the old shared-token approach.
Sandbox testing
Both gateways have sandbox modes. For PayPal, flip the PayPal sandbox mode toggle and use your sandbox credentials. For Stripe, just use your test API key — Stripe doesn\’t require a separate URL.
To trigger a test chargeback in Stripe: in the dashboard, find any test payment, click the three-dot menu, and pick Dispute payment. Stripe will fire charge.dispute.created immediately.