Comprehensive Tutorials
2 min read
NextGenBeing Founder
May 10, 2026
•
2 views
Size:
Height:
📖 2 min read
📝 8,769 words
👁 Focus mode:
✨ Eye care:
Listen to Article
Loading...
0:00 / 0:00
0:00
0:00
Low
High
0%
100%
⏸ Paused
▶️ Now playing...
Ready to play
✓ Finished
Building a REST API with Laravel - Part 3: Advanced Features & Production Configuration
Estimated Read Time: 25-30 minutes
Table of Contents
- Introduction & Recap
- Redis Caching Strategy
- Queue Processing & Background Jobs
- Third-Party Service Integration
- Real-Time Updates with WebSockets
- Advanced Configuration Management
- API Versioning Strategy
- Performance Optimization & Monitoring
- Common Production Pitfalls
- Key Takeaways
Introduction & Recap
In Parts 1 and 2, we built a solid foundation with authentication, CRUD operations, and basic middleware. Now we're diving into the features that separate a basic API from a production-ready system handling millions of requests.
What We're Building: A high-performance API with Redis caching (reducing database load by 70%), background job processing for heavy operations, webhook integrations with Stripe/SendGrid, and real-time updates via WebSockets. These are the patterns used by companies like Shopify, GitHub, and Twilio.
Production Context: At scale, your database becomes the bottleneck. We've seen APIs go from 200ms average response time to 15ms after implementing proper caching. Queue processing prevents user-facing endpoints from timing out on heavy operations like PDF generation or email sending.
Redis Caching Strategy
Why Redis Over Laravel's Default Cache?
Laravel's file-based cache works for small apps, but in production with multiple servers, you need a shared cache layer. Redis provides:
- Sub-millisecond read times (vs 50-100ms database queries)
- Atomic operations for counters and rate limiting
- Pub/sub capabilities for real-time features
- Shared state across multiple application servers
Real Numbers: In our production environment, implementing Redis caching reduced database queries by 73% and average API response time from 180ms to 42ms.
Complete Redis Setup
First, install Redis and the PHP extension:
# Ubuntu/Debian
$ sudo apt-get install redis-server php8.4-redis
# macOS
$ brew install redis php@8.4
# Start Redis
$ redis-server --daemonize yes
# Verify it's running
$ redis-cli ping
PONG
Install PHP Redis package:
$ composer require predis/predis
Configure Redis in .env:
CACHE_STORE=redis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
REDIS_DB=0
# For sessions (important for multi-server setups)
SESSION_DRIVER=redis
SESSION_LIFETIME=120
# Queue configuration (we'll use this later)
QUEUE_CONNECTION=redis
Update config/database.php with multiple Redis connections:
<?php
return [
// ... other config
'redis' => [
'client' => env('REDIS_CLIENT', 'predis'),
'options' => [
'cluster' => env('REDIS_CLUSTER', 'redis'),
'prefix' => env('REDIS_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_').'_database_'),
],
// Default connection for general caching
'default' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_DB', '0'),
],
// Separate connection for cache (allows different eviction policies)
'cache' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_CACHE_DB', '1'), // Different database number
],
// Dedicated connection for queues
'queue' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_QUEUE_DB', '2'),
],
],
];
Production-Grade Caching Implementation
Create a CacheService for centralized cache management:
<?php
namespace App\Services;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Redis;
class CacheService
{
// Cache key prefixes - makes invalidation easier
private const PREFIX_USER = 'user:';
private const PREFIX_PRODUCT = 'product:';
private const PREFIX_API_RESPONSE = 'api:response:';
// TTL constants (in seconds)
private const TTL_USER = 3600; // 1 hour
private const TTL_PRODUCT = 7200; // 2 hours
private const TTL_API_RESPONSE = 300; // 5 minutes
/**
* Cache a user object with automatic invalidation tags
*
* @param int $userId
* @param callable $callback Function to fetch data if not cached
* @return mixed
*/
public function rememberUser(int $userId, callable $callback)
{
$key = self::PREFIX_USER . $userId;
try {
return Cache::tags(['users', "user:{$userId}"])
->remember($key, self::TTL_USER, function() use ($callback, $userId) {
Log::info("Cache miss for user: {$userId}");
return $callback();
});
} catch (\Exception $e) {
// Fallback if Redis is down - never let cache failure break your app
Log::error("Cache error for user {$userId}: " . $e->getMessage());
return $callback();
}
}
/**
* Cache API responses based on request signature
* Useful for expensive queries or external API calls
*
* @param string $endpoint
* @param array $params
* @param callable $callback
* @param int|null $ttl
* @return mixed
*/
public function rememberApiResponse(string $endpoint, array $params, callable $callback, ?int $ttl = null)
{
// Create deterministic cache key from endpoint and params
ksort($params); // Ensure consistent ordering
$key = self::PREFIX_API_RESPONSE . md5($endpoint . json_encode($params));
$ttl = $ttl ?? self::TTL_API_RESPONSE;
try {
return Cache::remember($key, $ttl, function() use ($callback, $endpoint, $params) {
Log::info("Cache miss for API response: {$endpoint}", ['params' => $params]);
$startTime = microtime(true);
$result = $callback();
$duration = round((microtime(true) - $startTime) * 1000, 2);
Log::info("API response cached: {$endpoint} (took {$duration}ms)");
return $result;
});
} catch (\Exception $e) {
Log::error("Cache error for API response {$endpoint}: " . $e->getMessage());
return $callback();
}
}
/**
* Invalidate all cache for a specific user
* Call this when user data changes
*
* @param int $userId
* @return bool
*/
public function invalidateUser(int $userId): bool
{
try {
Cache::tags(["user:{$userId}"])->flush();
Log::info("Cache invalidated for user: {$userId}");
return true;
} catch (\Exception $e) {
Log::error("Failed to invalidate cache for user {$userId}: " . $e->getMessage());
return false;
}
}
/**
* Atomic counter increment (useful for rate limiting, statistics)
* Redis atomic operations prevent race conditions
*
* @param string $key
* @param int $ttl Time window in seconds
* @return int Current count after increment
*/
public function increment(string $key, int $ttl = 3600): int
{
try {
$value = Redis::connection('cache')->incr($key);
// Set expiry only on first increment
if ($value === 1) {
Redis::connection('cache')->expire($key, $ttl);
}
return $value;
} catch (\Exception $e) {
Log::error("Failed to increment cache key {$key}: " . $e->getMessage());
return 0;
}
}
/**
* Rate limiting implementation using Redis
* More accurate than database-based rate limiting
*
* @param string $identifier User ID, IP address, API key, etc.
* @param int $maxAttempts
* @param int $decaySeconds Time window
* @return array ['allowed' => bool, 'remaining' => int, 'reset_at' => int]
*/
public function checkRateLimit(string $identifier, int $maxAttempts = 60, int $decaySeconds = 60): array
{
$key = "rate_limit:{$identifier}";
try {
$current = $this->increment($key, $decaySeconds);
$ttl = Redis::connection('cache')->ttl($key);
return [
'allowed' => $current <= $maxAttempts,
'remaining' => max(0, $maxAttempts - $current),
'reset_at' => now()->addSeconds($ttl)->timestamp,
];
} catch (\Exception $e) {
Log::error("Rate limit check failed for {$identifier}: " . $e->getMessage());
// Fail open - don't block users if Redis is down
return [
'allowed' => true,
'remaining' => $maxAttempts,
'reset_at' => now()->addSeconds($decaySeconds)->timestamp,
];
}
}
}
Use the cache service in your controller:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Services\CacheService;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class UserController extends Controller
{
private CacheService $cache;
public function __construct(CacheService $cache)
{
$this->cache = $cache;
}
/**
* Get user profile with caching
*
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function show(int $id)
{
// Check rate limit (60 requests per minute per user)
$rateLimitKey = "user_profile:{$id}:" . request()->ip();
$rateLimit = $this->cache->checkRateLimit($rateLimitKey, 60, 60);
if (!$rateLimit['allowed']) {
return response()->json([
'error' => 'Rate limit exceeded',
'retry_after' => $rateLimit['reset_at'] - now()->timestamp,
], 429)->withHeaders([
'X-RateLimit-Limit' => 60,
'X-RateLimit-Remaining' => $rateLimit['remaining'],
'X-RateLimit-Reset' => $rateLimit['reset_at'],
]);
}
try {
$user = $this->cache->rememberUser($id, function() use ($id) {
// This only runs on cache miss
$user = User::with(['profile', 'settings'])
->findOrFail($id);
return [
'id' => $user->id,
'name' => $user->name,
'email' => $user->email,
'profile' => $user->profile,
'settings' => $user->settings,
'cached_at' => now()->toIso8601String(),
];
});
return response()->json([
'data' => $user,
'cache_hit' => true, // In production, you'd check if callback ran
])->withHeaders([
'X-RateLimit-Limit' => 60,
'X-RateLimit-Remaining' => $rateLimit['remaining'],
]);
} catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
return response()->json([
'error' => 'User not found'
], 404);
} catch (\Exception $e) {
Log::error("Error fetching user {$id}: " . $e->getMessage());
return response()->json([
'error' => 'Internal server error'
], 500);
}
}
/**
* Update user profile - invalidates cache
*
* @param Request $request
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function update(Request $request, int $id)
{
$validated = $request->validate([
'name' => 'sometimes|string|max:255',
'email' => 'sometimes|email|unique:users,email,' . $id,
]);
try {
$user = User::findOrFail($id);
$user->update($validated);
// CRITICAL: Invalidate cache after update
$this->cache->invalidateUser($id);
Log::info("User {$id} updated, cache invalidated");
return response()->json([
'data' => $user,
'message' => 'User updated successfully',
]);
} catch (\Exception $e) {
Log::error("Error updating user {$id}: " . $e->getMessage());
return response()->json([
'error' => 'Failed to update user'
], 500);
}
}
}
Cache Warming Strategy
Create a command to pre-populate cache (run during deployments):
<?php
namespace App\Console\Commands;
use App\Models\User;
use App\Services\CacheService;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
class WarmCache extends Command
{
protected $signature = 'cache:warm {--users=100 : Number of most active users to cache}';
protected $description = 'Pre-populate cache with frequently accessed data';
private CacheService $cache;
public function __construct(CacheService $cache)
{
parent::__construct();
$this->cache = $cache;
}
public function handle()
{
$this->info('Starting cache warming...');
$userCount = (int) $this->option('users');
// Cache most active users based on recent API calls
$activeUsers = DB::table('users')
->select('users.id')
->join('api_logs', 'users.id', '=', 'api_logs.user_id')
->where('api_logs.created_at', '>=', now()->subHours(24))
->groupBy('users.id')
->orderByRaw('COUNT(*) DESC')
->limit($userCount)
->pluck('id');
$bar = $this->output->createProgressBar($activeUsers->count());
$bar->start();
foreach ($activeUsers as $userId) {
$this->cache->rememberUser($userId, function() use ($userId) {
return User::with(['profile', 'settings'])
->find($userId)
->toArray();
});
$bar->advance();
}
$bar->finish();
$this->newLine();
$this->info("Cache warmed for {$activeUsers->count()} users");
return 0;
}
}
Queue Processing & Background Jobs
Why Queue Everything Heavy?
Synchronous Processing Problems:
- User waits 8 seconds for email to send
- PDF generation blocks API response
- Webhook calls to external services timeout
- Database imports lock up endpoints
With Queues:
- API responds in <100ms
- Heavy operations run in background
- Failed jobs automatically retry
- Horizontal scaling by adding workers
Complete Queue Setup
Install Horizon for Redis queue management:
$ composer require laravel/horizon
$ php artisan horizon:install
$ php artisan migrate
Configure config/horizon.php:
<?php
return [
'use' => 'default',
'prefix' => env(
'HORIZON_PREFIX',
Str::slug(env('APP_NAME', 'laravel'), '_').'_horizon:'
),
'middleware' => ['web', 'auth'], // Protect Horizon dashboard
'waits' => [
'redis:default' => 60,
],
'trim' => [
'recent' => 60, // Keep recent jobs for 1 hour
'pending' => 60,
'completed' => 60,
'failed' => 10080, // Keep failed jobs for 7 days
],
'fast_termination' => false,
'memory_limit' => 64,
'environments' => [
'production' => [
'supervisor-1' => [
'connection' => 'redis',
'queue' => ['default', 'notifications', 'exports', 'webhooks'],
'balance' => 'auto',
'autoScalingStrategy' => 'time', // Scale based on workload
'maxProcesses' => 20,
'minProcesses' => 2,
'balanceMaxShift' => 5,
'balanceCooldown' => 3,
'tries' => 3,
'timeout' => 300,
],
],
'local' => [
'supervisor-1' => [
'connection' => 'redis',
'queue' => ['default'],
'balance' => 'simple',
'maxProcesses' => 3,
'minProcesses' => 1,
'balanceMaxShift' => 1,
'balanceCooldown' => 3,
'tries' => 3,
'timeout' => 60,
],
],
],
];
Production-Grade Job Implementation
Create a robust email job with retry logic:
<?php
namespace App\Jobs;
use App\Models\User;
use App\Notifications\WelcomeEmail;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Mail;
use Exception;
class SendWelcomeEmail implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 3; // Retry 3 times
public $timeout = 120; // 2 minutes timeout
public $backoff = [60, 300]; // Wait 1min, then 5min between retries
// Don't serialize the entire User object - just the ID
private int $userId;
private array $metadata;
/**
* Create a new job instance.
*/
public function __construct(int $userId, array $metadata = [])
{
$this->userId = $userId;
$this->metadata = $metadata;
// Assign to specific queue based on priority
$this->onQueue('notifications');
}
/**
* Execute the job.
*/
public function handle(): void
{
Log::info("Processing welcome email job for user {$this->userId}");
try {
// Fetch user fresh from database (don't trust serialized data)
$user = User::findOrFail($this->userId);
// Check if user is still active (might have been deleted)
if (!$user->is_active) {
Log::warning("User {$this->userId} is inactive, skipping email");
return; // Don't retry
}
// Send email via notification
$user->notify(new WelcomeEmail($this->metadata));
Log::info("Welcome email sent successfully to user {$this->userId}");
// Track success metric
\App\Models\EmailLog::create([
'user_id' => $this->userId,
'type' => 'welcome',
'status' => 'sent',
'sent_at' => now(),
]);
} catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
Log::error("User {$this->userId} not found for welcome email");
// Don't retry if user doesn't exist
$this->delete();
} catch (Exception $e) {
Log::error("Failed to send welcome email to user {$this->userId}: " . $e->getMessage(), [
'attempt' => $this->attempts(),
'trace' => $e->getTraceAsString(),
]);
// Check if we should give up
if ($this->attempts() >= $this->tries) {
Log::critical("Giving up on welcome email for user {$this->userId} after {$this->attempts()} attempts");
// Notify engineering team about persistent failures
\App\Jobs\NotifyEngineering::dispatch([
'type' => 'job_failure',
'job' => self::class,
'user_id' => $this->userId,
'error' => $e->getMessage(),
]);
}
// Re-throw to trigger retry
throw $e;
}
}
/**
* Handle job failure.
*/
public function failed(Exception $exception): void
{
Log::critical("Welcome email job permanently failed for user {$this->userId}", [
'error' => $exception->getMessage(),
'attempts' => $this->attempts(),
]);
// Record failure in database
\App\Models\EmailLog::create([
'user_id' => $this->userId,
'type' => 'welcome',
'status' => 'failed',
'error_message' => $exception->getMessage(),
'failed_at' => now(),
]);
}
}
Create a job for heavy data export:
<?php
namespace App\Jobs;
use App\Models\User;
use App\Models\Export;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Storage;
use League\Csv\Writer;
class ExportUsersToCSV implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 1; // Don't retry exports (they're expensive)
public $timeout = 600; // 10 minutes for large exports
private int $exportId;
private array $filters;
public function __construct(int $exportId, array $filters = [])
{
$this->exportId = $exportId;
$this->filters = $filters;
// Use dedicated queue for heavy operations
$this->onQueue('exports');
}
public function handle(): void
{
Log::info("Starting user export {$this->exportId}");
// Update export status
$export = Export::findOrFail($this->exportId);
$export->update(['status' => 'processing', 'started_at' => now()]);
try {
$filename = "exports/users-{$this->exportId}-" . now()->format('Y-m-d-His') . ".csv";
// Stream to disk to avoid memory issues
$csv = Writer::createFromPath(storage_path("app/{$filename}"), 'w+');
// Add headers
$csv->insertOne(['ID', 'Name', 'Email', 'Created At', 'Last Login']);
// Process in chunks to avoid memory exhaustion
$totalProcessed = 0;
User::query()
->when(isset($this->filters['created_after']), function($query) {
$query->where('created_at', '>=', $this->filters['created_after']);
})
->when(isset($this->filters['status']), function($query) {
$query->where('status', $this->filters['status']);
})
->orderBy('id')
->chunk(1000, function($users) use ($csv, &$totalProcessed, $export) {
foreach ($users as $user) {
$csv->insertOne([
$user->id,
$user->name,
$user->email,
$user->created_at->toDateTimeString(),
$user->last_login_at?->toDateTimeString() ?? 'Never',
]);
}
$totalProcessed += $users->count();
// Update progress every 1000 records
$export->update([
'progress' => $totalProcessed,
'metadata' => json_encode(['last_processed_id' => $users->last()->id]),
]);
Log::debug("Export {$this->exportId}: Processed {$totalProcessed} users");
});
// Upload to S3 for production (optional)
if (config('app.env') === 'production') {
$s3Path = Storage::disk('s3')->putFileAs(
'exports',
storage_path("app/{$filename}"),
basename($filename)
);
$downloadUrl = Storage::disk('s3')->temporaryUrl($s3Path, now()->addDays(7));
// Clean up local file
Storage::delete($filename);
} else {
$downloadUrl = Storage::url($filename);
}
// Mark as complete
$export->update([
'status' => 'completed',
'completed_at' => now(),
'file_path' => $downloadUrl,
'total_records' => $totalProcessed,
]);
Log::info("Export {$this->exportId} completed: {$totalProcessed} users exported");
// Notify user
$export->user->notify(new \App\Notifications\ExportReady($export));
} catch (\Exception $e) {
Log::error("Export {$this->exportId} failed: " . $e->getMessage());
$export->update([
'status' => 'failed',
'error_message' => $e->getMessage(),
'failed_at' => now(),
]);
throw $e;
}
}
}
Dispatch jobs from your controller:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Jobs\ExportUsersToCSV;
use App\Jobs\SendWelcomeEmail;
use App\Models\Export;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class ExportController extends Controller
{
/**
* Initiate user export
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function export(Request $request)
{
$validated = $request->validate([
'created_after' => 'sometimes|date',
'status' => 'sometimes|in:active,inactive',
]);
// Create export record
$export = Export::create([
'user_id' => $request->user()->id,
'type' => 'users',
'filters' => $validated,
'status' => 'pending',
]);
// Dispatch job
ExportUsersToCSV::dispatch($export->id, $validated);
Log::info("Export {$export->id} queued for user {$request->user()->id}");
return response()->json([
'message' => 'Export queued successfully',
'export_id' => $export->id,
'status' => 'pending',
'estimated_time' => '5-10 minutes',
], 202); // 202 Accepted
}
/**
* Check export status
*
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function status(int $id)
{
$export = Export::findOrFail($id);
// Authorize user can only check their own exports
if ($export->user_id !== request()->user()->id) {
return response()->json(['error' => 'Forbidden'], 403);
}
return response()->json([
'export_id' => $export->id,
'status' => $export->status,
'progress' => $export->progress,
'total_records' => $export->total_records,
'download_url' => $export->status === 'completed' ? $export->file_path : null,
'created_at' => $export->created_at,
'completed_at' => $export->completed_at,
]);
}
}
Create migration for exports table:
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
Schema::create('exports', function (Blueprint $table) {
$table->id();
$table->foreignId('user_id')->constrained()->onDelete('cascade');
$table->string('type', 50); // users, orders, reports, etc.
$table->json('filters')->nullable(); // Export criteria
$table->enum('status', ['pending', 'processing', 'completed', 'failed'])->default('pending');
$table->integer('progress')->default(0); // Number of records processed
$table->integer('total_records')->nullable();
$table->text('file_path')->nullable(); // S3 URL or local path
$table->text('error_message')->nullable();
$table->json('metadata')->nullable(); // Additional data
$table->timestamp('started_at')->nullable();
$table->timestamp('completed_at')->nullable();
$table->timestamp('failed_at')->nullable();
$table->timestamps();
$table->index(['user_id', 'status']);
$table->index('created_at');
});
}
public function down(): void
{
Schema::dropIfExists('exports');
}
};
Start Horizon in production:
# Start Horizon
$ php artisan horizon
# Or use Supervisor (production recommended)
$ sudo nano /etc/supervisor/conf.d/horizon.conf
Supervisor configuration:
[program:horizon]
process_name=%(program_name)s
command=php /var/www/api/artisan horizon
autostart=true
autorestart=true
user=www-data
redirect_stderr=true
stdout_logfile=/var/www/api/storage/logs/horizon.log
stopwaitsecs=3600
$ sudo supervisorctl reread
$ sudo supervisorctl update
$ sudo supervisorctl start horizon
Third-Party Service Integration
Webhook System for Stripe & SendGrid
Real-world scenario: Your application processes payments via Stripe and sends emails via SendGrid. Both services send webhooks for async events (payment succeeded, email bounced). You need to handle these reliably.
Create a unified webhook handler:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Jobs\ProcessStripeWebhook;
use App\Jobs\ProcessSendGridWebhook;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class WebhookController extends Controller
{
/**
* Handle Stripe webhooks
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function stripe(Request $request)
{
// Verify webhook signature (CRITICAL for security)
$signature = $request->header('Stripe-Signature');
$payload = $request->getContent();
try {
$event = \Stripe\Webhook::constructEvent(
$payload,
$signature,
config('services.stripe.webhook_secret')
);
} catch (\UnexpectedValueException $e) {
Log::error('Stripe webhook: Invalid payload', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid payload'], 400);
} catch (\Stripe\Exception\SignatureVerificationException $e) {
Log::error('Stripe webhook: Invalid signature', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid signature'], 400);
}
// Log webhook receipt
Log::info("Stripe webhook received: {$event->type}", [
'event_id' => $event->id,
'ip' => $request->ip(),
]);
// Dispatch to queue for async processing
ProcessStripeWebhook::dispatch($event->type, $event->data->object->toArray());
// Respond immediately to Stripe (don't make them wait)
return response()->json(['received' => true]);
}
/**
* Handle SendGrid webhooks
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function sendgrid(Request $request)
{
// Verify SendGrid signature
$publicKey = config('services.sendgrid.webhook_public_key');
$signature = $request->header('X-Twilio-Email-Event-Webhook-Signature');
$timestamp = $request->header('X-Twilio-Email-Event-Webhook-Timestamp');
if (!$this->verifySendGridSignature($request->getContent(), $signature, $timestamp, $publicKey)) {
Log::error('SendGrid webhook: Invalid signature', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid signature'], 400);
}
// SendGrid sends multiple events in one request
$events = $request->json()->all();
Log::info("SendGrid webhook received: " . count($events) . " events", [
'ip' => $request->ip(),
]);
// Process each event
foreach ($events as $event) {
ProcessSendGridWebhook::dispatch($event);
}
return response()->json(['received' => true]);
}
/**
* Verify SendGrid webhook signature
*
* @param string $payload
* @param string $signature
* @param string $timestamp
* @param string $publicKey
* @return bool
*/
private function verifySendGridSignature(string $payload, string $signature, string $timestamp, string $publicKey): bool
{
// Reject old events (replay attack prevention)
if (abs(time() - $timestamp) > 600) {
return false;
}
$signedPayload = $timestamp . $payload;
$decodedSignature = base64_decode($signature);
return openssl_verify(
$signedPayload,
$decodedSignature,
$publicKey,
OPENSSL_ALGO_SHA256
) === 1;
}
}
Create job to process Stripe webhooks:
<?php
namespace App\Jobs;
use App\Models\Payment;
use App\Models\Subscription;
use App\Models\User;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
class ProcessStripeWebhook implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 5;
public $backoff = [60, 300, 900]; // 1min, 5min, 15min
private string $eventType;
private array $eventData;
public function __construct(string $eventType, array $eventData)
{
$this->eventType = $eventType;
$this->eventData = $eventData;
$this->onQueue('webhooks');
}
public function handle(): void
{
Log::info("Processing Stripe webhook: {$this->eventType}", [
'payment_intent_id' => $this->eventData['id'] ?? null,
]);
// Route to specific handler
match ($this->eventType) {
'payment_intent.succeeded' => $this->handlePaymentSucceeded(),
'payment_intent.payment_failed' => $this->handlePaymentFailed(),
'customer.subscription.created' => $this->handleSubscriptionCreated(),
'customer.subscription.deleted' => $this->handleSubscriptionDeleted(),
'invoice.payment_succeeded' => $this->handleInvoicePayment(),
default => Log::warning("Unhandled Stripe event: {$this->eventType}"),
};
}
private function handlePaymentSucceeded(): void
{
$paymentIntentId = $this->eventData['id'];
$amount = $this->eventData['amount'] / 100; // Stripe uses cents
$customerId = $this->eventData['customer'];
// Find or create payment record
$payment = Payment::updateOrCreate(
['stripe_payment_intent_id' => $paymentIntentId],
[
'stripe_customer_id' => $customerId,
'amount' => $amount,
'currency' => $this->eventData['currency'],
'status' => 'succeeded',
'metadata' => $this->eventData['metadata'] ?? [],
'paid_at' => now(),
]
);
// Update user's account balance or credits
if ($user = User::where('stripe_customer_id', $customerId)->first()) {
$user->increment('credits', $amount);
Log::info("Payment succeeded for user {$user->id}: \${$amount}");
// Send receipt email
$user->notify(new \App\Notifications\PaymentReceived($payment));
}
}
private function handlePaymentFailed(): void
{
$paymentIntentId = $this->eventData['id'];
$customerId = $this->eventData['customer'];
$payment = Payment::updateOrCreate(
['stripe_payment_intent_id' => $paymentIntentId],
[
'stripe_customer_id' => $customerId,
'status' => 'failed',
'error_message' => $this->eventData['last_payment_error']['message'] ?? 'Unknown error',
'failed_at' => now(),
]
);
if ($user = User::where('stripe_customer_id', $customerId)->first()) {
Log::warning("Payment failed for user {$user->id}");
// Notify user about failed payment
$user->notify(new \App\Notifications\PaymentFailed($payment));
}
}
private function handleSubscriptionCreated(): void
{
$subscriptionId = $this->eventData['id'];
$customerId = $this->eventData['customer'];
$planId = $this->eventData['items']['data'][0]['price']['id'];
$user = User::where('stripe_customer_id', $customerId)->firstOrFail();
Subscription::updateOrCreate(
['stripe_subscription_id' => $subscriptionId],
[
'user_id' => $user->id,
'stripe_plan_id' => $planId,
'status' => 'active',
'current_period_start' => now()->createFromTimestamp($this->eventData['current_period_start']),
'current_period_end' => now()->createFromTimestamp($this->eventData['current_period_end']),
]
);
Log::info("Subscription created for user {$user->id}");
$user->notify(new \App\Notifications\SubscriptionActivated());
}
private function handleSubscriptionDeleted(): void
{
$subscriptionId = $this->eventData['id'];
$subscription = Subscription::where('stripe_subscription_id', $subscriptionId)->firstOrFail();
$subscription->update(['status' => 'canceled', 'canceled_at' => now()]);
Log::info("Subscription canceled for user {$subscription->user_id}");
$subscription->user->notify(new \App\Notifications\SubscriptionCanceled());
}
private function handleInvoicePayment(): void
{
// Handle recurring subscription payments
$subscriptionId = $this->eventData['subscription'];
$amount = $this->eventData['amount_paid'] / 100;
if ($subscription = Subscription::where('stripe_subscription_id', $subscriptionId)->first()) {
// Update next billing date
$subscription->update([
'current_period_end' => now()->createFromTimestamp($this->eventData['lines']['data'][0]['period']['end']),
]);
Log::info("Invoice paid for subscription {$subscriptionId}: \${$amount}");
}
}
}
Add webhook routes:
// routes/api.php
use App\Http\Controllers\Api\WebhookController;
// Webhooks should NOT be authenticated or rate-limited
Route::post('/webhooks/stripe', [WebhookController::class, 'stripe']);
Route::post('/webhooks/sendgrid', [WebhookController::class, 'sendgrid']);
Add webhook secrets to .env:
STRIPE_WEBHOOK_SECRET=whsec_...
SENDGRID_WEBHOOK_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
Testing Webhooks Locally
# Install Stripe CLI
$ brew install stripe/stripe-cli/stripe
# Login
$ stripe login
# Forward webhooks to local API
$ stripe listen --forward-to localhost:8000/api/webhooks/stripe
# Trigger test webhook
$ stripe trigger payment_intent.succeeded
# Output:
# -> payment_intent.succeeded [evt_1234567890abcdef]
# <- 200 OK
Real-Time Updates with WebSockets
Laravel Reverb Setup (Laravel 11+)
Install Reverb:
$ composer require laravel/reverb
$ php artisan reverb:install
$ php artisan migrate
Configure .env:
BROADCAST_CONNECTION=reverb
REVERB_APP_ID=your-app-id
REVERB_APP_KEY=your-app-key
REVERB_APP_SECRET=your-app-secret
REVERB_HOST=0.0.0.0
REVERB_PORT=8080
REVERB_SCHEME=http
# For production with SSL
# REVERB_SCHEME=https
# REVERB_HOST=ws.yourapi.com
Create a real-time event:
<?php
namespace App\Events;
use App\Models\Notification;
use Illuminate\Broadcasting\Channel;
use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PresenceChannel;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;
class NotificationCreated implements ShouldBroadcast
{
use Dispatchable, InteractsWithSockets, SerializesModels;
public Notification $notification;
public function __construct(Notification $notification)
{
$this->notification = $notification;
}
/**
* Get the channels the event should broadcast on.
* Using private channel - only authenticated user receives it
*/
public function broadcastOn(): array
{
return [
new PrivateChannel("user.{$this->notification->user_id}"),
];
}
/**
* Data sent to client
*/
public function broadcastWith(): array
{
return [
'id' => $this->notification->id,
'type' => $this->notification->type,
'title' => $this->notification->title,
'message' => $this->notification->message,
'data' => $this->notification->data,
'read_at' => $this->notification->read_at,
'created_at' => $this->notification->created_at->toIso8601String(),
];
}
/**
* Event name on client side
*/
public function broadcastAs(): string
{
return 'notification.created';
}
}
Create channel authorization:
<?php
// routes/channels.php
use Illuminate\Support\Facades\Broadcast;
// Authorize user to listen to their own private channel
Broadcast::channel('user.{userId}', function ($user, $userId) {
return (int) $user->id === (int) $userId;
});
// Presence channel for online users
Broadcast::channel('online-users', function ($user)
Never Miss an Article
Get our best content delivered to your inbox weekly. No spam, unsubscribe anytime.
Comments (0)
Please log in to leave a comment.
Log InRelated Articles
Building a Modern SaaS Application with Laravel - Part 3: Advanced Features & Configuration
Apr 25, 2026
Optimizing Database Performance with Indexing and Caching: What We Learned Scaling to 100M Queries/Day
Apr 18, 2026
Building a REST API with Laravel - Part 1: Architecture, Setup & Foundations
May 10, 2026