You're viewing guides for Paddle Classic, which is no longer available for new signups. Head to developer.paddle.com for Paddle Billing guides.

Sensitive webhook data now removed

Released on August 14, 2022


With the recent release of multi-destination webhooks, all destinations were receiving all events that your account was subscribed to. This included all data within those events.

Some fields within certain events were not designed to be shared, and an unintended side effect of allowing many webhook destinations was that this data was finding its way to third-party providers. We have now restricted this.

The first endpoint in your list of webhook destinations is now labelled as your primary URL and should be your own application server. This destination will receive all event data, unfiltered. The rest of your destinations will always have sensitive data removed from the payloads.

Screenshot showing how the primary webhook destination is labelled

We consider the following to be sensitive fields:

  • cancel_url
  • update_url
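
If your own application server relays events on to third-party tools, the same rule can be applied there. The sketch below is an added example, not Paddle's code: it assumes the webhook body is form-encoded, and the function names, URLs and sample body are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Field names this page lists as sensitive.
SENSITIVE_FIELDS = frozenset({"cancel_url", "update_url"})

# Constructed sample body (assumed form-encoded); values are placeholders.
SAMPLE_BODY = (
    "alert_name=subscription_created&subscription_id=12345"
    "&cancel_url=https%3A%2F%2Fexample.test%2Fcancel%3Ftoken%3Dabc"
    "&update_url=https%3A%2F%2Fexample.test%2Fupdate%3Ftoken%3Dabc"
    "&status=active"
)


def redact(body: str) -> str:
    """Return the form-encoded body with the sensitive fields dropped."""
    pairs = parse_qsl(body, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SENSITIVE_FIELDS]
    return urlencode(kept)


def fan_out(body: str, destinations: list[str]) -> dict[str, str]:
    """Map each destination URL to the body it should receive.

    The first destination is the primary and gets the body unchanged;
    every other destination gets the redacted copy.
    """
    if not destinations:
        return {}
    primary, *others = destinations
    plan = {primary: body}
    for url in others:
        if url != primary:  # a duplicate entry must not overwrite the primary
            plan[url] = redact(body)
    return plan


def leaked_fields(body: str) -> set[str]:
    """Audit helper for a non-primary receiver: sensitive fields that arrived."""
    seen = {k.lower() for k, _ in parse_qsl(body, keep_blank_values=True)}
    return seen & SENSITIVE_FIELDS


if __name__ == "__main__":
    plan = fan_out(SAMPLE_BODY, ["https://app.example.test/hook",
                                 "https://analytics.example.test/hook"])
    for url, sent in plan.items():
        print(url, "leaks:", sorted(leaked_fields(sent)))
```

`leaked_fields` can also run on a non-primary endpoint as a regression check that no sensitive field arrives there.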