Create a PayPal billing plan subscription and verify webhook authenticity

Verified steps

1. Obtain an access token: POST /v1/oauth2/token with client_id and client_secret as HTTP Basic auth and grant_type=client_credentials in the body; use the returned 'access_token' as a Bearer token for subsequent calls.
2. Create a product: POST /v1/catalogs/products with 'name', 'type' ('SERVICE' or 'PHYSICAL'), and 'category'; receive a 'product_id'.
3. Create a plan: POST /v1/billing/plans with 'product_id', 'billing_cycles' array (each with 'tenure_type', 'frequency', 'pricing_scheme'), and 'payment_preferences'; activate the plan with POST /v1/billing/plans/{plan_id}/activate.
4. Create a subscription: POST /v1/billing/subscriptions with 'plan_id', subscriber details, and 'application_context.return_url' and 'cancel_url'; redirect the customer to the 'approve' link in the response links array.
5. After the customer approves, PayPal redirects to your return_url with 'subscription_id' and 'ba_token' query params; call GET /v1/billing/subscriptions/{subscription_id} to verify status is 'ACTIVE'.
6. Verify incoming webhooks: retrieve your webhook ID from the API, then call POST /v1/notifications/verify-webhook-signature with the webhook headers ('transmission_id', 'transmission_time', 'cert_url', 'auth_algo', 'transmission_sig') and raw event body — a 'SUCCESS' response confirms authenticity.