For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Apply for AccessDashboard
Guides
Guides
  • Get Started
    • Introduction
    • Quickstart
  • Agent Identity
    • Overview
    • Create Auth Intent
    • Exchange for JWT
    • Sessions
    • JWKS
  • Agent Checkout
    • Overview
    • Create an Invoice
    • List Invoices
    • Get Invoice
    • Cancel Invoice
  • Integration Patterns
    • Overview
    • Shared SDK Client
    • Wallet Auth
    • JWT Verification
    • Subscription Checkout
    • Webhook Verification
  • Concepts
    • Two Invoice IDs
    • Wallet Identity
    • Session vs Token
    • Webhook-Driven State
  • Webhooks
    • Overview
    • Verify Signatures
  • Reliability
    • Errors
    • SDK Reference
Apply for AccessDashboard
On this page
  • The model
  • Why this pattern is safer
  • What to do in your app
  • Related pages
Concepts

Webhook-Driven State

Trust signed webhooks for durable payment state transitions
||View as Markdown|
Was this page helpful?
Edit this page
Previous

Session vs Token

Next

Webhooks

Built with

Invoice creation tells you that a payment can happen. Webhooks tell you that it did happen.

That distinction matters because payment settlement is asynchronous.

The model

Your app should treat signed webhook deliveries as the durable trigger for local state transitions such as:

  • activating a subscription
  • marking a checkout as paid
  • granting entitlements
  • closing out expired or canceled invoices

Polling public invoice status can help the client understand progress, but webhook delivery is the right place to finalize merchant-side state.

Why this pattern is safer

  • settlement may happen after invoice creation
  • delivery may be retried, so you need deduplication
  • signed webhooks let your backend verify authenticity before mutating local state
  • your business logic stays anchored to an explicit event boundary

The practical rule is: verify first, then mutate state.

What to do in your app

  1. preserve the exact raw request body
  2. verify the webhook signature and timestamp
  3. deduplicate by event ID
  4. apply the state transition only after verification succeeds

This keeps fulfillment and entitlements tied to a trustworthy, replay-safe event stream.

Related pages

Webhooks

See the event types and payload shape

Webhook Verification

See the recommended raw-body verification pattern for your backend