Comprehensive Tutorials
2 min read
Bekzod Erkinov
May 10, 2026
•
8 views
Size:
Height:
📖 2 min read
📝 8,806 words
👁 Focus mode:
✨ Eye care:
Listen to Article
Loading...
0:00 / 0:00
0:00
0:00
Low
High
0%
100%
⏸ Paused
▶️ Now playing...
Ready to play
✓ Finished
Building a REST API with Laravel - Part 3: Advanced Features & Production Configuration
Estimated Read Time: 25-30 minutes
Table of Contents
- Introduction & Recap
- Redis Caching Strategy
- Queue Processing & Background Jobs
- Third-Party Service Integration
- Real-Time Updates with WebSockets
- Advanced Configuration Management
- API Versioning Strategy
- Performance Optimization & Monitoring
- Common Production Pitfalls
- Key Takeaways
Introduction & Recap
In Parts 1 and 2, we built a solid foundation with authentication, CRUD operations, and basic middleware. Now we're diving into the features that separate a basic API from a production-ready system handling millions of requests.
What We're Building: A high-performance API with Redis caching (reducing database load by 70%), background job processing for heavy operations, webhook integrations with Stripe/SendGrid, and real-time updates via WebSockets. These are the patterns used by companies like Shopify, GitHub, and Twilio.
Production Context: At scale, your database becomes the bottleneck. We've seen APIs go from 200ms average response time to 15ms after implementing proper caching. Queue processing prevents user-facing endpoints from timing out on heavy operations like PDF generation or email sending.
Redis Caching Strategy
Why Redis Over Laravel's Default Cache?
Laravel's file-based cache works for small apps, but in production with multiple servers, you need a shared cache layer. Redis provides:
- Sub-millisecond read times (vs 50-100ms database queries)
- Atomic operations for counters and rate limiting
- Pub/sub capabilities for real-time features
- Shared state across multiple application servers
Real Numbers: In our production environment, implementing Redis caching reduced database queries by 73% and average API response time from 180ms to 42ms.
Complete Redis Setup
First, install Redis and the PHP extension:
# Ubuntu/Debian
$ sudo apt-get install redis-server php8.4-redis
# macOS
$ brew install redis php@8.4
# Start Redis
$ redis-server --daemonize yes
# Verify it's running
$ redis-cli ping
PONG
Install PHP Redis package:
$ composer require predis/predis
Configure Redis in .env:
CACHE_STORE=redis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
REDIS_DB=0
# For sessions (important for multi-server setups)
SESSION_DRIVER=redis
SESSION_LIFETIME=120
# Queue configuration (we'll use this later)
QUEUE_CONNECTION=redis
Update config/database.php with multiple Redis connections:
<?php
return [
// ... other config
'redis' => [
'client' => env('REDIS_CLIENT', 'predis'),
'options' => [
'cluster' => env('REDIS_CLUSTER', 'redis'),
'prefix' => env('REDIS_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_').'_database_'),
],
// Default connection for general caching
'default' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_DB', '0'),
],
// Separate connection for cache (allows different eviction policies)
'cache' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_CACHE_DB', '1'), // Different database number
],
// Dedicated connection for queues
'queue' => [
'url' => env('REDIS_URL'),
'host' => env('REDIS_HOST', '127.0.0.1'),
'username' => env('REDIS_USERNAME'),
'password' => env('REDIS_PASSWORD'),
'port' => env('REDIS_PORT', '6379'),
'database' => env('REDIS_QUEUE_DB', '2'),
],
],
];
Production-Grade Caching Implementation
Create a CacheService for centralized cache management:
<?php
namespace App\Services;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Redis;
class CacheService
{
// Cache key prefixes - makes invalidation easier
private const PREFIX_USER = 'user:';
private const PREFIX_PRODUCT = 'product:';
private const PREFIX_API_RESPONSE = 'api:response:';
// TTL constants (in seconds)
private const TTL_USER = 3600; // 1 hour
private const TTL_PRODUCT = 7200; // 2 hours
private const TTL_API_RESPONSE = 300; // 5 minutes
/**
* Cache a user object with automatic invalidation tags
*
* @param int $userId
* @param callable $callback Function to fetch data if not cached
* @return mixed
*/
public function rememberUser(int $userId, callable $callback)
{
$key = self::PREFIX_USER . $userId;
try {
return Cache::tags(['users', "user:{$userId}"])
->remember($key, self::TTL_USER, function() use ($callback, $userId) {
Log::info("Cache miss for user: {$userId}");
return $callback();
});
} catch (\Exception $e) {
// Fallback if Redis is down - never let cache failure break your app
Log::error("Cache error for user {$userId}: " . $e->getMessage());
return $callback();
}
}
/**
* Cache API responses based on request signature
* Useful for expensive queries or external API calls
*
* @param string $endpoint
* @param array $params
* @param callable $callback
* @param int|null $ttl
* @return mixed
*/
public function rememberApiResponse(string $endpoint, array $params, callable $callback, ?int $ttl = null)
{
// Create deterministic cache key from endpoint and params
ksort($params); // Ensure consistent ordering
$key = self::PREFIX_API_RESPONSE . md5($endpoint . json_encode($params));
$ttl = $ttl ?? self::TTL_API_RESPONSE;
try {
return Cache::remember($key, $ttl, function() use ($callback, $endpoint, $params) {
Log::info("Cache miss for API response: {$endpoint}", ['params' => $params]);
$startTime = microtime(true);
$result = $callback();
$duration = round((microtime(true) - $startTime) * 1000, 2);
Log::info("API response cached: {$endpoint} (took {$duration}ms)");
return $result;
});
} catch (\Exception $e) {
Log::error("Cache error for API response {$endpoint}: " . $e->getMessage());
return $callback();
}
}
/**
* Invalidate all cache for a specific user
* Call this when user data changes
*
* @param int $userId
* @return bool
*/
public function invalidateUser(int $userId): bool
{
try {
Cache::tags(["user:{$userId}"])->flush();
Log::info("Cache invalidated for user: {$userId}");
return true;
} catch (\Exception $e) {
Log::error("Failed to invalidate cache for user {$userId}: " . $e->getMessage());
return false;
}
}
/**
* Atomic counter increment (useful for rate limiting, statistics)
* Redis atomic operations prevent race conditions
*
* @param string $key
* @param int $ttl Time window in seconds
* @return int Current count after increment
*/
public function increment(string $key, int $ttl = 3600): int
{
try {
$value = Redis::connection('cache')->incr($key);
// Set expiry only on first increment
if ($value === 1) {
Redis::connection('cache')->expire($key, $ttl);
}
return $value;
} catch (\Exception $e) {
Log::error("Failed to increment cache key {$key}: " . $e->getMessage());
return 0;
}
}
/**
* Rate limiting implementation using Redis
* More accurate than database-based rate limiting
*
* @param string $identifier User ID, IP address, API key, etc.
* @param int $maxAttempts
* @param int $decaySeconds Time window
* @return array ['allowed' => bool, 'remaining' => int, 'reset_at' => int]
*/
public function checkRateLimit(string $identifier, int $maxAttempts = 60, int $decaySeconds = 60): array
{
$key = "rate_limit:{$identifier}";
try {
$current = $this->increment($key, $decaySeconds);
$ttl = Redis::connection('cache')->ttl($key);
return [
'allowed' => $current <= $maxAttempts,
'remaining' => max(0, $maxAttempts - $current),
'reset_at' => now()->addSeconds($ttl)->timestamp,
];
} catch (\Exception $e) {
Log::error("Rate limit check failed for {$identifier}: " . $e->getMessage());
// Fail open - don't block users if Redis is down
return [
'allowed' => true,
'remaining' => $maxAttempts,
'reset_at' => now()->addSeconds($decaySeconds)->timestamp,
];
}
}
}
Use the cache service in your controller:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Services\CacheService;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class UserController extends Controller
{
private CacheService $cache;
public function __construct(CacheService $cache)
{
$this->cache = $cache;
}
/**
* Get user profile with caching
*
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function show(int $id)
{
// Check rate limit (60 requests per minute per user)
$rateLimitKey = "user_profile:{$id}:" . request()->ip();
$rateLimit = $this->cache->checkRateLimit($rateLimitKey, 60, 60);
if (!$rateLimit['allowed']) {
return response()->json([
'error' => 'Rate limit exceeded',
'retry_after' => $rateLimit['reset_at'] - now()->timestamp,
], 429)->withHeaders([
'X-RateLimit-Limit' => 60,
'X-RateLimit-Remaining' => $rateLimit['remaining'],
'X-RateLimit-Reset' => $rateLimit['reset_at'],
]);
}
try {
$user = $this->cache->rememberUser($id, function() use ($id) {
// This only runs on cache miss
$user = User::with(['profile', 'settings'])
->findOrFail($id);
return [
'id' => $user->id,
'name' => $user->name,
'email' => $user->email,
'profile' => $user->profile,
'settings' => $user->settings,
'cached_at' => now()->toIso8601String(),
];
});
return response()->json([
'data' => $user,
'cache_hit' => true, // In production, you'd check if callback ran
])->withHeaders([
'X-RateLimit-Limit' => 60,
'X-RateLimit-Remaining' => $rateLimit['remaining'],
]);
} catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
return response()->json([
'error' => 'User not found'
], 404);
} catch (\Exception $e) {
Log::error("Error fetching user {$id}: " . $e->getMessage());
return response()->json([
'error' => 'Internal server error'
], 500);
}
}
/**
* Update user profile - invalidates cache
*
* @param Request $request
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function update(Request $request, int $id)
{
$validated = $request->validate([
'name' => 'sometimes|string|max:255',
'email' => 'sometimes|email|unique:users,email,' . $id,
]);
try {
$user = User::findOrFail($id);
$user->update($validated);
// CRITICAL: Invalidate cache after update
$this->cache->invalidateUser($id);
Log::info("User {$id} updated, cache invalidated");
return response()->json([
'data' => $user,
'message' => 'User updated successfully',
]);
} catch (\Exception $e) {
Log::error("Error updating user {$id}: " . $e->getMessage());
return response()->json([
'error' => 'Failed to update user'
], 500);
}
}
}
Cache Warming Strategy
Create a command to pre-populate cache (run during deployments):
<?php
namespace App\Console\Commands;
use App\Models\User;
use App\Services\CacheService;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
class WarmCache extends Command
{
protected $signature = 'cache:warm {--users=100 : Number of most active users to cache}';
protected $description = 'Pre-populate cache with frequently accessed data';
private CacheService $cache;
public function __construct(CacheService $cache)
{
parent::__construct();
$this->cache = $cache;
}
public function handle()
{
$this->info('Starting cache warming...');
$userCount = (int) $this->option('users');
// Cache most active users based on recent API calls
$activeUsers = DB::table('users')
->select('users.id')
->join('api_logs', 'users.id', '=', 'api_logs.user_id')
->where('api_logs.created_at', '>=', now()->subHours(24))
->groupBy('users.id')
->orderByRaw('COUNT(*) DESC')
->limit($userCount)
->pluck('id');
$bar = $this->output->createProgressBar($activeUsers->count());
$bar->start();
foreach ($activeUsers as $userId) {
$this->cache->rememberUser($userId, function() use ($userId) {
return User::with(['profile', 'settings'])
->find($userId)
->toArray();
});
$bar->advance();
}
$bar->finish();
$this->newLine();
$this->info("Cache warmed for {$activeUsers->count()} users");
return 0;
}
}
Queue Processing & Background Jobs
Why Queue Everything Heavy?
Synchronous Processing Problems:
- User waits 8 seconds for email to send
- PDF generation blocks API response
- Webhook calls to external services timeout
- Database imports lock up endpoints
With Queues:
- API responds in <100ms
- Heavy operations run in background
- Failed jobs automatically retry
- Horizontal scaling by adding workers
Complete Queue Setup
Install Horizon for Redis queue management:
$ composer require laravel/horizon
$ php artisan horizon:install
$ php artisan migrate
Configure config/horizon.php:
<?php
return [
'use' => 'default',
'prefix' => env(
'HORIZON_PREFIX',
Str::slug(env('APP_NAME', 'laravel'), '_').'_horizon:'
),
'middleware' => ['web', 'auth'], // Protect Horizon dashboard
'waits' => [
'redis:default' => 60,
],
'trim' => [
'recent' => 60, // Keep recent jobs for 1 hour
'pending' => 60,
'completed' => 60,
'failed' => 10080, // Keep failed jobs for 7 days
],
'fast_termination' => false,
'memory_limit' => 64,
'environments' => [
'production' => [
'supervisor-1' => [
'connection' => 'redis',
'queue' => ['default', 'notifications', 'exports', 'webhooks'],
'balance' => 'auto',
'autoScalingStrategy' => 'time', // Scale based on workload
'maxProcesses' => 20,
'minProcesses' => 2,
'balanceMaxShift' => 5,
'balanceCooldown' => 3,
'tries' => 3,
'timeout' => 300,
],
],
'local' => [
'supervisor-1' => [
'connection' => 'redis',
'queue' => ['default'],
'balance' => 'simple',
'maxProcesses' => 3,
'minProcesses' => 1,
'balanceMaxShift' => 1,
'balanceCooldown' => 3,
'tries' => 3,
'timeout' => 60,
],
],
],
];
Production-Grade Job Implementation
Create a robust email job with retry logic:
<?php
namespace App\Jobs;
use App\Models\User;
use App\Notifications\WelcomeEmail;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Mail;
use Exception;
class SendWelcomeEmail implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 3; // Retry 3 times
public $timeout = 120; // 2 minutes timeout
public $backoff = [60, 300]; // Wait 1min, then 5min between retries
// Don't serialize the entire User object - just the ID
private int $userId;
private array $metadata;
/**
* Create a new job instance.
*/
public function __construct(int $userId, array $metadata = [])
{
$this->userId = $userId;
$this->metadata = $metadata;
// Assign to specific queue based on priority
$this->onQueue('notifications');
}
/**
* Execute the job.
*/
public function handle(): void
{
Log::info("Processing welcome email job for user {$this->userId}");
try {
// Fetch user fresh from database (don't trust serialized data)
$user = User::findOrFail($this->userId);
// Check if user is still active (might have been deleted)
if (!$user->is_active) {
Log::warning("User {$this->userId} is inactive, skipping email");
return; // Don't retry
}
// Send email via notification
$user->notify(new WelcomeEmail($this->metadata));
Log::info("Welcome email sent successfully to user {$this->userId}");
// Track success metric
\App\Models\EmailLog::create([
'user_id' => $this->userId,
'type' => 'welcome',
'status' => 'sent',
'sent_at' => now(),
]);
} catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
Log::error("User {$this->userId} not found for welcome email");
// Don't retry if user doesn't exist
$this->delete();
} catch (Exception $e) {
Log::error("Failed to send welcome email to user {$this->userId}: " . $e->getMessage(), [
'attempt' => $this->attempts(),
'trace' => $e->getTraceAsString(),
]);
// Check if we should give up
if ($this->attempts() >= $this->tries) {
Log::critical("Giving up on welcome email for user {$this->userId} after {$this->attempts()} attempts");
// Notify engineering team about persistent failures
\App\Jobs\NotifyEngineering::dispatch([
'type' => 'job_failure',
'job' => self::class,
'user_id' => $this->userId,
'error' => $e->getMessage(),
]);
}
// Re-throw to trigger retry
throw $e;
}
}
/**
* Handle job failure.
*/
public function failed(Exception $exception): void
{
Log::critical("Welcome email job permanently failed for user {$this->userId}", [
'error' => $exception->getMessage(),
'attempts' => $this->attempts(),
]);
// Record failure in database
\App\Models\EmailLog::create([
'user_id' => $this->userId,
'type' => 'welcome',
'status' => 'failed',
'error_message' => $exception->getMessage(),
'failed_at' => now(),
]);
}
}
Create a job for heavy data export:
<?php
namespace App\Jobs;
use App\Models\User;
use App\Models\Export;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Storage;
use League\Csv\Writer;
class ExportUsersToCSV implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 1; // Don't retry exports (they're expensive)
public $timeout = 600; // 10 minutes for large exports
private int $exportId;
private array $filters;
public function __construct(int $exportId, array $filters = [])
{
$this->exportId = $exportId;
$this->filters = $filters;
// Use dedicated queue for heavy operations
$this->onQueue('exports');
}
public function handle(): void
{
Log::info("Starting user export {$this->exportId}");
// Update export status
$export = Export::findOrFail($this->exportId);
$export->update(['status' => 'processing', 'started_at' => now()]);
try {
$filename = "exports/users-{$this->exportId}-" . now()->format('Y-m-d-His') . ".csv";
// Stream to disk to avoid memory issues
$csv = Writer::createFromPath(storage_path("app/{$filename}"), 'w+');
// Add headers
$csv->insertOne(['ID', 'Name', 'Email', 'Created At', 'Last Login']);
// Process in chunks to avoid memory exhaustion
$totalProcessed = 0;
User::query()
->when(isset($this->filters['created_after']), function($query) {
$query->where('created_at', '>=', $this->filters['created_after']);
})
->when(isset($this->filters['status']), function($query) {
$query->where('status', $this->filters['status']);
})
->orderBy('id')
->chunk(1000, function($users) use ($csv, &$totalProcessed, $export) {
foreach ($users as $user) {
$csv->insertOne([
$user->id,
$user->name,
$user->email,
$user->created_at->toDateTimeString(),
$user->last_login_at?->toDateTimeString() ?? 'Never',
]);
}
$totalProcessed += $users->count();
// Update progress every 1000 records
$export->update([
'progress' => $totalProcessed,
'metadata' => json_encode(['last_processed_id' => $users->last()->id]),
]);
Log::debug("Export {$this->exportId}: Processed {$totalProcessed} users");
});
// Upload to S3 for production (optional)
if (config('app.env') === 'production') {
$s3Path = Storage::disk('s3')->putFileAs(
'exports',
storage_path("app/{$filename}"),
basename($filename)
);
$downloadUrl = Storage::disk('s3')->temporaryUrl($s3Path, now()->addDays(7));
// Clean up local file
Storage::delete($filename);
} else {
$downloadUrl = Storage::url($filename);
}
// Mark as complete
$export->update([
'status' => 'completed',
'completed_at' => now(),
'file_path' => $downloadUrl,
'total_records' => $totalProcessed,
]);
Log::info("Export {$this->exportId} completed: {$totalProcessed} users exported");
// Notify user
$export->user->notify(new \App\Notifications\ExportReady($export));
} catch (\Exception $e) {
Log::error("Export {$this->exportId} failed: " . $e->getMessage());
$export->update([
'status' => 'failed',
'error_message' => $e->getMessage(),
'failed_at' => now(),
]);
throw $e;
}
}
}
Dispatch jobs from your controller:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Jobs\ExportUsersToCSV;
use App\Jobs\SendWelcomeEmail;
use App\Models\Export;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class ExportController extends Controller
{
/**
* Initiate user export
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function export(Request $request)
{
$validated = $request->validate([
'created_after' => 'sometimes|date',
'status' => 'sometimes|in:active,inactive',
]);
// Create export record
$export = Export::create([
'user_id' => $request->user()->id,
'type' => 'users',
'filters' => $validated,
'status' => 'pending',
]);
// Dispatch job
ExportUsersToCSV::dispatch($export->id, $validated);
Log::info("Export {$export->id} queued for user {$request->user()->id}");
return response()->json([
'message' => 'Export queued successfully',
'export_id' => $export->id,
'status' => 'pending',
'estimated_time' => '5-10 minutes',
], 202); // 202 Accepted
}
/**
* Check export status
*
* @param int $id
* @return \Illuminate\Http\JsonResponse
*/
public function status(int $id)
{
$export = Export::findOrFail($id);
// Authorize user can only check their own exports
if ($export->user_id !== request()->user()->id) {
return response()->json(['error' => 'Forbidden'], 403);
}
return response()->json([
'export_id' => $export->id,
'status' => $export->status,
'progress' => $export->progress,
'total_records' => $export->total_records,
'download_url' => $export->status === 'completed' ? $export->file_path : null,
'created_at' => $export->created_at,
'completed_at' => $export->completed_at,
]);
}
}
Create migration for exports table:
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
Schema::create('exports', function (Blueprint $table) {
$table->id();
$table->foreignId('user_id')->constrained()->onDelete('cascade');
$table->string('type', 50); // users, orders, reports, etc.
$table->json('filters')->nullable(); // Export criteria
$table->enum('status', ['pending', 'processing', 'completed', 'failed'])->default('pending');
$table->integer('progress')->default(0); // Number of records processed
$table->integer('total_records')->nullable();
$table->text('file_path')->nullable(); // S3 URL or local path
$table->text('error_message')->nullable();
$table->json('metadata')->nullable(); // Additional data
$table->timestamp('started_at')->nullable();
$table->timestamp('completed_at')->nullable();
$table->timestamp('failed_at')->nullable();
$table->timestamps();
$table->index(['user_id', 'status']);
$table->index('created_at');
});
}
public function down(): void
{
Schema::dropIfExists('exports');
}
};
Start Horizon in production:
# Start Horizon
$ php artisan horizon
# Or use Supervisor (production recommended)
$ sudo nano /etc/supervisor/conf.d/horizon.conf
Supervisor configuration:
[program:horizon]
process_name=%(program_name)s
command=php /var/www/api/artisan horizon
autostart=true
autorestart=true
user=www-data
redirect_stderr=true
stdout_logfile=/var/www/api/storage/logs/horizon.log
stopwaitsecs=3600
$ sudo supervisorctl reread
$ sudo supervisorctl update
$ sudo supervisorctl start horizon
Third-Party Service Integration
Webhook System for Stripe & SendGrid
Real-world scenario: Your application processes payments via Stripe and sends emails via SendGrid. Both services send webhooks for async events (payment succeeded, email bounced). You need to handle these reliably.
Create a unified webhook handler:
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Jobs\ProcessStripeWebhook;
use App\Jobs\ProcessSendGridWebhook;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
class WebhookController extends Controller
{
/**
* Handle Stripe webhooks
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function stripe(Request $request)
{
// Verify webhook signature (CRITICAL for security)
$signature = $request->header('Stripe-Signature');
$payload = $request->getContent();
try {
$event = \Stripe\Webhook::constructEvent(
$payload,
$signature,
config('services.stripe.webhook_secret')
);
} catch (\UnexpectedValueException $e) {
Log::error('Stripe webhook: Invalid payload', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid payload'], 400);
} catch (\Stripe\Exception\SignatureVerificationException $e) {
Log::error('Stripe webhook: Invalid signature', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid signature'], 400);
}
// Log webhook receipt
Log::info("Stripe webhook received: {$event->type}", [
'event_id' => $event->id,
'ip' => $request->ip(),
]);
// Dispatch to queue for async processing
ProcessStripeWebhook::dispatch($event->type, $event->data->object->toArray());
// Respond immediately to Stripe (don't make them wait)
return response()->json(['received' => true]);
}
/**
* Handle SendGrid webhooks
*
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function sendgrid(Request $request)
{
// Verify SendGrid signature
$publicKey = config('services.sendgrid.webhook_public_key');
$signature = $request->header('X-Twilio-Email-Event-Webhook-Signature');
$timestamp = $request->header('X-Twilio-Email-Event-Webhook-Timestamp');
if (!$this->verifySendGridSignature($request->getContent(), $signature, $timestamp, $publicKey)) {
Log::error('SendGrid webhook: Invalid signature', ['ip' => $request->ip()]);
return response()->json(['error' => 'Invalid signature'], 400);
}
// SendGrid sends multiple events in one request
$events = $request->json()->all();
Log::info("SendGrid webhook received: " . count($events) . " events", [
'ip' => $request->ip(),
]);
// Process each event
foreach ($events as $event) {
ProcessSendGridWebhook::dispatch($event);
}
return response()->json(['received' => true]);
}
/**
* Verify SendGrid webhook signature
*
* @param string $payload
* @param string $signature
* @param string $timestamp
* @param string $publicKey
* @return bool
*/
private function verifySendGridSignature(string $payload, string $signature, string $timestamp, string $publicKey): bool
{
// Reject old events (replay attack prevention)
if (abs(time() - $timestamp) > 600) {
return false;
}
$signedPayload = $timestamp . $payload;
$decodedSignature = base64_decode($signature);
return openssl_verify(
$signedPayload,
$decodedSignature,
$publicKey,
OPENSSL_ALGO_SHA256
) === 1;
}
}
Create job to process Stripe webhooks:
<?php
namespace App\Jobs;
use App\Models\Payment;
use App\Models\Subscription;
use App\Models\User;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Log;
class ProcessStripeWebhook implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public $tries = 5;
public $backoff = [60, 300, 900]; // 1min, 5min, 15min
private string $eventType;
private array $eventData;
public function __construct(string $eventType, array $eventData)
{
$this->eventType = $eventType;
$this->eventData = $eventData;
$this->onQueue('webhooks');
}
public function handle(): void
{
Log::info("Processing Stripe webhook: {$this->eventType}", [
'payment_intent_id' => $this->eventData['id'] ?? null,
]);
// Route to specific handler
match ($this->eventType) {
'payment_intent.succeeded' => $this->handlePaymentSucceeded(),
'payment_intent.payment_failed' => $this->handlePaymentFailed(),
'customer.subscription.created' => $this->handleSubscriptionCreated(),
'customer.subscription.deleted' => $this->handleSubscriptionDeleted(),
'invoice.payment_succeeded' => $this->handleInvoicePayment(),
default => Log::warning("Unhandled Stripe event: {$this->eventType}"),
};
}
private function handlePaymentSucceeded(): void
{
$paymentIntentId = $this->eventData['id'];
$amount = $this->eventData['amount'] / 100; // Stripe uses cents
$customerId = $this->eventData['customer'];
// Find or create payment record
$payment = Payment::updateOrCreate(
['stripe_payment_intent_id' => $paymentIntentId],
[
'stripe_customer_id' => $customerId,
'amount' => $amount,
'currency' => $this->eventData['currency'],
'status' => 'succeeded',
'metadata' => $this->eventData['metadata'] ?? [],
'paid_at' => now(),
]
);
// Update user's account balance or credits
if ($user = User::where('stripe_customer_id', $customerId)->first()) {
$user->increment('credits', $amount);
Log::info("Payment succeeded for user {$user->id}: \${$amount}");
// Send receipt email
$user->notify(new \App\Notifications\PaymentReceived($payment));
}
}
private function handlePaymentFailed(): void
{
$paymentIntentId = $this->eventData['id'];
$customerId = $this->eventData['customer'];
$payment = Payment::updateOrCreate(
['stripe_payment_intent_id' => $paymentIntentId],
[
'stripe_customer_id' => $customerId,
'status' => 'failed',
'error_message' => $this->eventData['last_payment_error']['message'] ?? 'Unknown error',
'failed_at' => now(),
]
);
if ($user = User::where('stripe_customer_id', $customerId)->first()) {
Log::warning("Payment failed for user {$user->id}");
// Notify user about failed payment
$user->notify(new \App\Notifications\PaymentFailed($payment));
}
}
private function handleSubscriptionCreated(): void
{
$subscriptionId = $this->eventData['id'];
$customerId = $this->eventData['customer'];
$planId = $this->eventData['items']['data'][0]['price']['id'];
$user = User::where('stripe_customer_id', $customerId)->firstOrFail();
Subscription::updateOrCreate(
['stripe_subscription_id' => $subscriptionId],
[
'user_id' => $user->id,
'stripe_plan_id' => $planId,
'status' => 'active',
'current_period_start' => now()->createFromTimestamp($this->eventData['current_period_start']),
'current_period_end' => now()->createFromTimestamp($this->eventData['current_period_end']),
]
);
Log::info("Subscription created for user {$user->id}");
$user->notify(new \App\Notifications\SubscriptionActivated());
}
private function handleSubscriptionDeleted(): void
{
$subscriptionId = $this->eventData['id'];
$subscription = Subscription::where('stripe_subscription_id', $subscriptionId)->firstOrFail();
$subscription->update(['status' => 'canceled', 'canceled_at' => now()]);
Log::info("Subscription canceled for user {$subscription->user_id}");
$subscription->user->notify(new \App\Notifications\SubscriptionCanceled());
}
private function handleInvoicePayment(): void
{
// Handle recurring subscription payments
$subscriptionId = $this->eventData['subscription'];
$amount = $this->eventData['amount_paid'] / 100;
if ($subscription = Subscription::where('stripe_subscription_id', $subscriptionId)->first()) {
// Update next billing date
$subscription->update([
'current_period_end' => now()->createFromTimestamp($this->eventData['lines']['data'][0]['period']['end']),
]);
Log::info("Invoice paid for subscription {$subscriptionId}: \${$amount}");
}
}
}
Add webhook routes:
// routes/api.php
use App\Http\Controllers\Api\WebhookController;
// Webhooks should NOT be authenticated or rate-limited
Route::post('/webhooks/stripe', [WebhookController::class, 'stripe']);
Route::post('/webhooks/sendgrid', [WebhookController::class, 'sendgrid']);
Add webhook secrets to .env:
STRIPE_WEBHOOK_SECRET=whsec_...
SENDGRID_WEBHOOK_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
Testing Webhooks Locally
# Install Stripe CLI
$ brew install stripe/stripe-cli/stripe
# Login
$ stripe login
# Forward webhooks to local API
$ stripe listen --forward-to localhost:8000/api/webhooks/stripe
# Trigger test webhook
$ stripe trigger payment_intent.succeeded
# Output:
# -> payment_intent.succeeded [evt_1234567890abcdef]
# <- 200 OK
Real-Time Updates with WebSockets
Laravel Reverb Setup (Laravel 11+)
Install Reverb:
$ composer require laravel/reverb
$ php artisan reverb:install
$ php artisan migrate
Configure .env:
BROADCAST_CONNECTION=reverb
REVERB_APP_ID=your-app-id
REVERB_APP_KEY=your-app-key
REVERB_APP_SECRET=your-app-secret
REVERB_HOST=0.0.0.0
REVERB_PORT=8080
REVERB_SCHEME=http
# For production with SSL
# REVERB_SCHEME=https
# REVERB_HOST=ws.yourapi.com
Create a real-time event:
<?php
namespace App\Events;
use App\Models\Notification;
use Illuminate\Broadcasting\Channel;
use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PresenceChannel;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;
class NotificationCreated implements ShouldBroadcast
{
use Dispatchable, InteractsWithSockets, SerializesModels;
public Notification $notification;
public function __construct(Notification $notification)
{
$this->notification = $notification;
}
/**
* Get the channels the event should broadcast on.
* Using private channel - only authenticated user receives it
*/
public function broadcastOn(): array
{
return [
new PrivateChannel("user.{$this->notification->user_id}"),
];
}
/**
* Data sent to client
*/
public function broadcastWith(): array
{
return [
'id' => $this->notification->id,
'type' => $this->notification->type,
'title' => $this->notification->title,
'message' => $this->notification->message,
'data' => $this->notification->data,
'read_at' => $this->notification->read_at,
'created_at' => $this->notification->created_at->toIso8601String(),
];
}
/**
* Event name on client side
*/
public function broadcastAs(): string
{
return 'notification.created';
}
}
Create channel authorization:
<?php
// routes/channels.php
use Illuminate\Support\Facades\Broadcast;
// Authorize user to listen to their own private channel
Broadcast::channel('user.{userId}', function ($user, $userId) {
return (int) $user->id === (int) $userId;
});
// Presence channel for online users
Broadcast::channel('online-users', function ($user)
Bekzod Erkinov
AuthorFounder of NextGenBeing. Software engineer with 8+ years building production systems in Laravel, Python, and cloud infrastructure. I write about the patterns I've seen work (and fail) in real deployments. Based in Tashkent, Uzbekistan.
Never Miss an Article
Get our best content delivered to your inbox weekly. No spam, unsubscribe anytime.
Comments (0)
Please log in to leave a comment.
Log InRelated Articles
Building a Modern SaaS Application with Laravel - Part 3: Advanced Features & Configuration
Apr 25, 2026
Building a Modern SaaS Application with Laravel - Part 1: Architecture, Setup & Foundations
Apr 25, 2026
Optimizing Database Performance with Indexing and Caching: What We Learned Scaling to 100M Queries/Day
Apr 18, 2026