MemberJet

Setting Up Digistore24 IPN in WordPress: Step-by-Step Guide

Setting up Digistore24 IPN so purchases are reported to your WordPress site automatically comes down to three things: the right URL, a verified signature, and a clean test run. This guide walks through the full technical process, step by step.

If you sell a product on Digistore24 and don't want to grant access by hand for every single sale, there's no way around setting up IPN. "Digistore24 IPN setup" sounds like a technical footnote, but it's actually the interface that decides whether your membership site unlocks purchases automatically or you're stuck manually processing every order. This article takes a purely technical approach: the IPN URL in the Digistore24 backend, signature verification, event handling, and a clean test run. If you're still weighing whether Digistore24 and WordPress are the right combination for your course platform in the first place, our comparison of a Kajabi alternative for WordPress is a good place to start – this article goes deeper into the IPN mechanics themselves.

What is IPN and why do you need it?

IPN stands for Instant Payment Notification. The idea behind it is simple: whenever something relevant to your site happens on Digistore24 – a purchase, a refund, a chargeback, or a subscription cancellation – Digistore24 automatically sends an HTTP POST request to a URL you specify on your WordPress installation. Your server receives that request, verifies it, and reacts accordingly, usually by unlocking or revoking access.

For readers outside German-speaking markets: Digistore24 is a European payment processor and reseller platform built for selling digital products such as online courses, memberships, and ebooks. It handles checkout, VAT, and an affiliate marketplace on your behalf, and while it's especially popular among course creators and coaches in Germany, Austria, and Switzerland, its reseller model makes it a genuine option for creators selling internationally as well.

Without IPN, you're left with the manual route: regularly checking the Digistore24 backend, spotting new purchases, and creating members in WordPress by hand. That works fine for three sales a month, but it turns into a growing source of errors with every additional product and every additional order. The IPN connection turns that into automation: purchase comes in, access unlocks, no manual work required.

Requirements for setting up Digistore24 IPN

Before you start, you should have three things in place:

  • A Digistore24 vendor account registered as a seller, with at least one product already set up.
  • A WordPress site with HTTPS. Digistore24 only sends IPN notifications to encrypted endpoints. A site without a valid SSL certificate cannot receive IPN notifications at all.
  • An endpoint that processes IPN requests. That can be a custom script, a custom plugin, or – considerably less error-prone – a ready-made membership plugin with native Digistore24 support, like MemberJet.

Worth noting: Digistore24's own interface refers to this depending on context as "IPN," "callback URL," or "webhook." Technically, they all mean the same thing. The exact wording and location in the Digistore24 backend can change over time, but as a rule you'll find the IPN configuration under the settings for your product or your vendor account.

Step by step: adding the IPN URL in the Digistore24 backend

Here's the general process for setting up the IPN connection manually:

  1. Provide an IPN endpoint on your WordPress site. This is a fixed URL where your server accepts and processes POST requests from Digistore24, for example a REST endpoint or a dedicated script.
  2. Log in to the Digistore24 backend and go to the settings for your vendor account, or the relevant product, where the IPN or callback configuration lives.
  3. Enter the complete IPN URL. Make sure it starts with HTTPS, uses the correct domain, and has an exact path with no typos – even one missing character means not a single notification will ever arrive.
  4. Set and save a passphrase. More on this in the next section – this step is security-critical and not optional.
  5. Enable the events you want. Digistore24 lets you define which events trigger an IPN notification, such as purchase, refund, or chargeback.
  6. Save, then test with the IPN simulator before the first real purchase runs through it.
Practical tip: Write down the IPN URL you entered somewhere else too, like your password manager. If you later switch domains or renew an SSL certificate and paths shift as a result, it's easy to forget to update the setting in the Digistore24 backend – and the result is purchases that quietly stop unlocking access.

Passphrase and SHA signature verification: the most important security step

An IPN endpoint is reachable from the outside, that's the nature of a webhook. Which is exactly why you can't just trust every incoming request at face value. Without verification, anyone who knows or guesses your IPN URL could in theory send a fake "purchase successful" notification to your server and get free access as a result.

Digistore24 solves this with a passphrase that you set in the backend and that only you and Digistore24 know. From that passphrase and the data in each notification, Digistore24 calculates a SHA signature, which is sent along with every IPN request. Your endpoint has to recalculate that signature itself for every incoming notification and compare it against the one that was sent. If they match, the notification is provably genuine. If they don't match, you discard the request, no matter how plausible its content looks.

  • Never store the passphrase in plain text in your code or in a publicly reachable file. If it ends up in the wrong hands, anyone can calculate valid signatures.
  • Compare signatures in constant time, using a function like hash_equals rather than a plain string comparison, to avoid timing attacks.
  • Think fail-closed, not fail-open: if the signature can't be verified, or it's invalid, nothing gets unlocked. When in doubt, access stays locked rather than accidentally open.

This signature check is not an optional extra, it's the core of your entire IPN security. Skip it, or implement it incorrectly, and in the worst case you've opened a door to free access to paid content.

The IPN events and what your site should do with them

Digistore24 distinguishes between several event types, each triggering its own IPN notification. For a membership site or course access, these matter most:

EventWhat happensYour site's response
Payment / purchaseA customer has paid successfullyCreate or activate the member, unlock access to the purchased product
RefundThe purchase price was fully or partially refundedLock access or deactivate the membership
ChargebackThe customer reversed the payment through their bankLock access immediately, since this usually needs additional follow-up
Subscription cancellationAn ongoing subscription was cancelledLock access only at the end of the already-paid period, not immediately

That last point is where custom IPN implementations most often go wrong: a cancellation is not a refund. Someone who cancels for the upcoming period has already paid for their current period and should still be able to use it. If you lock access the moment a cancellation notification arrives, you're punishing customers for declining a renewal, and generating unnecessary support requests in the process. When processing notifications, also make sure every event is handled idempotently: if the same IPN notification arrives twice for technical reasons, say because your server responded too slowly the first time, that must never create a duplicate member or extend access twice.

Testing with the Digistore24 IPN simulator

Before the first real customer runs through your IPN endpoint, you should verify it with test data. Digistore24 provides an IPN simulator in the backend that lets you send test notifications to your configured URL without a real purchase taking place.

  1. Open the simulator in the Digistore24 backend and select your configured IPN URL along with the test event you want to trigger.
  2. Trigger the test notification and check whether your server responds with a 200 OK. Any other response, a timeout, or an error code, is treated by Digistore24 as a failed delivery.
  3. Check on your WordPress site whether the expected action actually happened, for example whether a test member was created or access was unlocked.
  4. Test multiple events, not just the purchase. Simulate a refund too, and a cancellation if available, so you know for certain the access-revoking logic works as well.

Take your time with this step. In practice, an IPN error often only surfaces once your first paying customer reaches out because their access never unlocked, which is about the worst possible moment to start debugging.

Common mistakes when setting up Digistore24 IPN

Most IPN problems trace back to a handful of recurring causes.

  • Wrong or incomplete URL: a missing "https://", a typo in the path, or a URL that still points to an old domain. Check the URL you entered character by character.
  • Signature mismatch: the passphrase in the Digistore24 backend doesn't match the one your code uses to calculate the signature, often because it picked up a stray space on copy or wasn't updated everywhere after a change.
  • Caching blocks the response: a caching plugin or server-side caching intercepts the POST request or serves a stale response instead of passing it through to your processing code. IPN endpoints should always be excluded from caching entirely.
  • A firewall or security plugin blocks POST requests: some web application firewalls flag unrecognized POST requests as suspicious by default. Check whether your IPN endpoint needs to be added as an exception there.
  • No 200 OK returned: if your script throws an error or takes too long, Digistore24 treats it as a failed delivery. Your endpoint should respond quickly with a clean 200 status, even if the actual processing continues in the background.

Debugging tips

If an IPN notification isn't arriving as expected, a systematic approach helps: first check your server logs to see whether the POST request arrives at all – if it never arrives, the cause is usually the URL, a firewall, or a redirect. Temporarily log the raw incoming data on your endpoint to see what's actually arriving before the signature check kicks in. Independently recalculate the expected signature with a small test script to separate passphrase errors from calculation errors. Temporarily disable caching and security plugins and trigger the IPN simulation again – if the notification gets through, you've isolated the cause. And where possible, move expensive processing steps like sending a welcome email out of the immediate response, so your server can reply quickly with a 200 OK.

The easy way: MemberJet handles the IPN connection for you

Everything you've read so far – building the endpoint, verifying the signature, handling events cleanly and idempotently – you can absolutely implement yourself. But it's exactly the part of a Digistore24 integration where most mistakes creep in, because a single overlooked detail like a missing hash_equals comparison or a late 200 OK is enough to either lock out paying customers or open a security hole.

That's exactly what MemberJet exists for. The plugin ships with the complete Digistore24 IPN connection built in: you copy the IPN URL MemberJet provides, paste it into the Digistore24 backend, add your passphrase in MemberJet, and you're done. SHA-512 signature verification runs automatically, processing is idempotent, and purchases unlock memberships and courses automatically just as refunds or chargebacks lock them back down, while a plain cancellation deliberately doesn't lock access right away. MemberJet also stores your passphrase and other credentials encrypted with libsodium instead of in plain text. If you want to see the full picture of building a membership site with WordPress and Digistore24, our Kajabi alternative for WordPress comparison is a good next read.

IPN integration without the debugging

MemberJet connects WordPress to Digistore24 fully configured and SHA-512 verified – copy the IPN URL, enter your passphrase, and automatic unlocking just works.

See MemberJet

Conclusion

Setting up Digistore24 IPN comes down to this: enter a correct URL in the Digistore24 backend, reliably verify every incoming notification with an SHA signature, and handle each event – purchase, refund, chargeback, and cancellation – correctly on its own terms. If you build it yourself, use the IPN simulator consistently and debug systematically, from the server logs through signature verification to response time. If you'd rather skip the failure points altogether, MemberJet gives you a ready-made, security-reviewed connection that has already done exactly this work for you.

Frequently asked questions about Digistore24 IPN setup

What's the difference between IPN and a regular webhook?

Technically, an IPN notification is nothing more than a webhook – an automatic HTTP POST request that Digistore24 sends to a URL you specify whenever a particular event happens. "IPN" is simply the term Digistore24 uses for this concept, similar to naming conventions used by other payment processors. The notification carries information about a purchase, refund, chargeback, or cancellation so your site can react automatically. What matters most is that you verify every incoming notification with a signature check before you trust it.

Where do I enter the IPN URL in the Digistore24 backend?

You'll find the IPN configuration in the Digistore24 backend under the settings for your vendor account or for the individual product, depending on whether you want a global or a product-specific IPN URL. Since the exact labeling and location in the Digistore24 interface can change over time, it's worth checking the current Digistore24 documentation or support if you're unsure. What matters is that the URL you enter is exact – correct HTTPS, correct domain, and a path with no typos. Even a small mismatch means no notification will ever arrive.

How important is the SHA signature check, really?

It's the single most important security step in the entire IPN setup. Without signature verification, anyone who knows or guesses your IPN URL could send a fake "purchase successful" notification to your server and gain free access to paid content. With a correctly implemented SHA signature check, ideally using a constant-time comparison like hash_equals, you only accept notifications that are provably signed with your secret passphrase by Digistore24. Never skip this step, not even temporarily or "just for testing."

How do I test my IPN setup without triggering a real purchase?

Digistore24 provides an IPN simulator in the backend that lets you send test notifications for different events to your configured URL without any money changing hands. Check both that your server responds with a 200 OK and that the expected action actually happens on your WordPress site, such as unlocking a test account. Test more than just the purchase event if you can – simulate a refund too, so you know the access-revoking logic works as well. Only go live once both directions are working reliably.

Why aren't my IPN notifications arriving even though the URL looks correct?

The most common causes are a caching plugin or server-side caching intercepting the POST request, a firewall or security plugin blocking unrecognized POST requests, or a server that doesn't respond quickly enough with a clean 200 OK. Start by checking your server logs to see whether the request arrives at all. If it arrives but processing fails, the problem is usually the signature check, often a passphrase that wasn't copied correctly. Exclude your IPN endpoint from caching entirely, and add it as an exception in your security plugin if needed.

Back to blog A post by hafenstudios