I just finished implementing the webhook endpoint to response to the delete user call.
1. The minute I add the URL, I receive notification immediately. Does ebay filter the userids (e.g. only send relevant userids) or just send it whenever a user request the deletion (to all keyset)?
1. No sandbox test for the delete user notification. I had to use the real URL for testing.
2. The validation of the call. This is REALLY UNNECESSARY. what ebay should do is, send a checksum or digest (computed using developers appid and certid) along with the notification, and when the endpoint receives the notification, the endpoint can use the appid and certid along with the message self and to compute a digest and compare it with the digest sent with the notification. This way, the endpoint does NOT need to request the application access token (which expires in 2 hours), and no need to call the get public key api. The call to get the public key api really adds UNNESSARY traffic to our system and ebay's system. Shopify is doing exactly what I mentioned here. It sends an HMAC checksum along with the notification, no need to call shopify to validate.