BlogSendGrid WebhooksLaravel

How to Receive SendGrid Webhooks in Laravel

Exclude webhook routes from CSRF + use getContent for raw bytes

Laravel is the dominant PHP framework for SaaS development in 2026. Out of the box, the VerifyCsrfToken middleware blocks any POST without a token — including webhooks. The fix is to exclude the webhook URI from CSRF and read $request->getContent() for the raw bytes that HMAC verification needs. This guide walks through the Laravel setup for SendGrid webhooks end to end: capturing the raw body, verifying the signature, handling retries idempotently, and iterating locally without redeploying. Cross-reference the SendGrid Webhooks overview for the event catalog and sample payload.

SendGrid Official Webhook Docs

1. Set Up the Laravel Endpoint

The endpoint needs to do three things, in this order: read the raw body, verify the signature against those exact bytes, and only then parse the JSON for your business logic.

// app/Http/Middleware/VerifyCsrfToken.php — exclude webhook URIs
class VerifyCsrfToken extends Middleware
{
    protected $except = ['webhooks/*'];
}

// routes/web.php (or routes/api.php)
Route::post('/webhooks/{service}', [WebhookController::class, 'receive']);

// app/Http/Controllers/WebhookController.php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class WebhookController extends Controller
{
    public function receive(Request $request, string $service)
    {
        // IMPORTANT: getContent() returns the raw body BEFORE parsing.
        $rawBody = $request->getContent();
        $signature = $request->header('X-Signature-Header');

        // 1. Verify HMAC over $rawBody
        // 2. Parse JSON only after verification passes
        // 3. Process the event idempotently (use the event id as your key)

        $event = json_decode($rawBody, true);
        logger()->info('Verified webhook', ['type' => $event['type'] ?? null]);

        return response('ok', 200);
    }
}
Raw body, every time
Don't reach for $request->input() or $request->all() on a webhook route — by the time you do, Laravel has parsed the JSON and the original byte sequence is gone. Use $request->getContent() to get the unparsed body string, verify HMAC against that, then json_decode for application use. Form-encoded webhooks (Twilio, Mailgun) need $request->all() for the parsed params, but $request->getContent() still has the raw bytes if you need them.

2. Verify the SendGrid Signature

Signing details
Algorithm
ECDSA (P-256, SHA-256)
Header
X-Twilio-Email-Event-Webhook-Signature
Encoding
base64

SendGrid signs `{X-Twilio-Email-Event-Webhook-Timestamp}{raw_request_body}` with an ECDSA private key. Verify with the public key from Settings → Mail Settings → Event Webhooks (must be enabled per-webhook).

PHP verification

// composer require sendgrid/eventwebhook
use SendGrid\EventWebhook\EventWebhook;

class WebhookController extends Controller
{
    public function sendgrid(Request $request)
    {
        $payload = $request->getContent();
        $signature = $request->header('X-Twilio-Email-Event-Webhook-Signature', '');
        $timestamp = $request->header('X-Twilio-Email-Event-Webhook-Timestamp', '');

        $ew = new EventWebhook();
        $publicKey = $ew->convertPublicKeyToECDSA(
            env('SENDGRID_WEBHOOK_PUBLIC_KEY'),
        );
        if (!$ew->verifySignature($publicKey, $payload, $signature, $timestamp)) {
            abort(403);
        }
        $events = json_decode($payload, true);
        return response()->json([
            'ok' => true,
            'count' => count($events),
        ]);
    }
}

Wire this verification call into the Laravel handler from section 1. The pattern is identical across Laravel versions: read raw body, verify, parse JSON, dispatch.

Watch out: SendGrid uses ECDSA, not HMAC. You don't have a shared secret — you have a public key from the SendGrid dashboard. Signed Event Webhooks must be explicitly enabled per webhook subscription; they're off by default.

See SendGrid's official signing docs for the canonical reference, or the cross-service signature verification guide for the same pattern in Ruby and other languages.

3. Make the Handler Idempotent

SendGrid can — and will — send the same event twice. Network blips, your server returning a 5xx mid-processing, deploy windows: any of these triggers a retry, and your handler will see the same event id again. Build for that on day one rather than chasing duplicate-charge bugs in production.

The simplest pattern is a unique constraint on the event id in your database. The handler does the work inside a transaction, and the insert into the events table is the last step — if a retry arrives, the unique-constraint violation tells you the event already committed and you can return 200 without re-running the side effects.

Pattern in any framework:

  1. Read raw body, verify signature.
  2. Begin transaction.
  3. Apply business logic (charge, fulfil, notify, etc.).
  4. Insert event id into processed_events with a unique constraint.
  5. Commit. Return 200.
  6. On unique-constraint violation, return 200 — the event was already processed by a prior delivery.

4. SendGrid Retry Behaviour

Retry policy
Max attempts
Up to 24h of retries
Total window
24 hours
Backoff
Exponential
Retries on
Non-2xx responses
Stops on
Any 2xx response within timeout

Combine the retry numbers above with the idempotency pattern in section 3: aim to acknowledge fast (return 200 under the timeout) and let the idempotency table absorb any duplicates from in-flight retries. The full pattern, including dead-letter queues and replay-from-capture, lives in the Webhook Retry Strategies guide.

5. Test Locally Without Deploying

The fastest iteration loop for any webhook handler is: capture a real SendGrid event with HookRay, then replay that captured request against your local Laravel server until the verification + business logic both pass. No need to retrigger the event in SendGrid, no need to redeploy.

  1. Get a free webhook URL at hookray.com — no signup.
  2. Paste the URL into your SendGriddashboard's webhook settings.
  3. Trigger a test event. HookRay shows the headers, raw body, and parsed payload in real time.
  4. Use HookRay's replay feature to send the captured request against http://localhost:3000/api/webhooks/sendgrid (or wherever your Laravel app is listening) — iterate on your code without re-poking the SendGrid dashboard.

Deploying the Laravel Handler

Laravel runs comfortably on Forge/Vapor, traditional VPS (Render, DigitalOcean App Platform), and Docker containers. Octane (Swoole / RoadRunner) keeps boot warm for webhook traffic — at scale, an Octane worker handles incoming webhooks several times faster than per-request PHP-FPM. For low volume, classic LAMP / PHP-FPM is fine.

Need a host that boots quickly enough to absorb webhook bursts? DigitalOcean droplets stay warm, support raw-body proxies cleanly, and avoid the cold-start traps of some serverless runtimes.

Capture a real SendGrid webhook in 30 seconds

Free webhook URL, real-time payload inspection, one-click replay. No signup required.

Start Testing — Free

Same SendGrid Webhook in Other Frameworks

SendGrid + Next.jsSendGrid + ExpressSendGrid + FastAPISendGrid + Ruby on RailsSendGrid Webhooks Overview