diff --git a/server.py b/server.py
index 86e5cf1d..4a32f5c4 100644
--- a/server.py
+++ b/server.py
@@ -10,6 +10,7 @@ from flask_debugtoolbar import DebugToolbarExtension
 from flask_login import current_user
 from sentry_sdk.integrations.flask import FlaskIntegration
+from app import paddle_utils
 from app.admin_model import SLModelView, SLAdminIndexView
 from app.api.base import api_bp
 from app.auth.base import auth_bp
@@ -277,7 +278,13 @@ def setup_paddle_callback(app: Flask):
 request.form.get("subscription_id"),
 request.form.get("subscription_plan_id"),
 )
-LOG.debug("paddle full request %s", request.form)
+
+# make sure the request comes from Paddle
+if not paddle_utils.verify_incoming_request(dict(request.form)):
+LOG.error(
+"request not coming from paddle. Request data:%s", dict(request.form)
+)
+return "KO", 400
 
 if (
 request.form.get("alert_name") == "subscription_created"
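Review bot: The rejection branch in the second hunk dumps the entire form payload into the error log via `LOG.error("request not coming from paddle. Request data:%s", dict(request.form))`, so any unauthenticated client can write arbitrary, possibly sensitive-looking fields into the logs at error level; log only what is needed to triage, e.g. `LOG.warning("paddle webhook signature check failed, alert_name=%s", request.form.get("alert_name"))`. Passing `dict(request.form)` also collapses the MultiDict to one value per key, so if the signature scheme covers repeated keys the check may be computed over different data than Paddle signed — worth confirming against `paddle_utils.verify_incoming_request`, which is not visible here, as is whether it raises on a missing signature field (that would turn the intended 400 into a 500). The body of setup_paddle_callback starts and ends outside the hunk, including the preceding LOG.info that now runs before the verification.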