Launch special — let's split the check with SPLITCHECK for 50% off
Share feedback →

Square Webhooks

How to Test Square Webhooks Locally (2026)

Square sends webhooks for payment, refund, order, invoice, and customer events. Square signs every webhook with HMAC-SHA256, computed over your notification URL concatenated with the raw request body using your webhook signature key.

Signature Header

x-square-hmacsha256-signature

Algorithm

HMAC-SHA256 (over notification URL + raw body)

Setup Guide

  1. 1Create a free HookSense endpoint at hooksense.com
  2. 2Copy your unique webhook URL
  3. 3In the Square Developer Dashboard → your app → Webhooks → Subscriptions → Add Endpoint
  4. 4Paste your HookSense URL and choose the event types you need
  5. 5Copy the signature key and add it to HookSense for verification
  6. 6Send a test event from the dashboard or run a sandbox transaction
  7. 7Watch the webhook appear in HookSense in real-time

Common Square Webhook Events

payment.created
payment.updated
refund.created
refund.updated
order.created
order.updated
invoice.payment_made
customer.created

Forward to Localhost

Use HookSense CLI to forward Square webhooks directly to your local development server:

npx hooksense listen -p 3000 --path /api/integrations/square

No ngrok or tunnel setup required. Install with npm i -g hooksense or use npx.

Tips & Best Practices

  • Square's signature is computed over the notification URL + raw body — the exact endpoint URL matters
  • Use a constant-time comparison when verifying signatures to avoid timing attacks
  • Sandbox and production use separate signature keys — keep them straight in HookSense
  • Replay captured events to retest your handler without re-running a sandbox payment

Related

Square Webhook Documentation HMAC Signature Calculator HMAC Verification Guide HookSense Documentation

Start Testing Square Webhooks

Create a free endpoint and receive your first Square webhook in seconds.

Get Started Free