Verify webhook

Confirm a webhook is coming from Duplo

Validating webhook signature 
When enabling your webhook, you have the option to set a verify_hash. Since webhook URLs are publicly accessible, the verify_hash lets you verify incoming requests are from us. You can specify any value as your secret hash, but we recommend using something random. 
You should store your verify_hash as an environment variable on your server.
If you specify a verify_hash, we'll include it in our request to your webhook URL, in a header called DP_HASH_VERIFY. In the webhook endpoint, check if the DP_HASH_VERIFY header is present and that it matches the verify_hash you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from us.
An example of the verify hash header
header: {
    'DP_HASH_VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
    'Content-Type': 'application/json'
}
Responding to webhook request 
You must respond with a 200 OK status code. Any other response codes outside of the 2xx range, will be considered a failure. We don't care about the response body or headers.
If we don't get a 200 OK status code, we'll retry the webhook every one minute for the next 24 hours. 
Example
Node
PHP
1
// In an Express or Express-like app:
2
​
3
app.post("/receive-webhook", (req, res) => {
4
    // If you specified a verify hash, check for the signature
5
    const verifyHash = process.env.DP_SECRET_HASH;
6
    const signature = req.headers["DP_HASH_VERIFY"];
7
    if (!signature || (signature !== verifyHash)) {
8
        // This request isn't from Duplo; discard
9
        res.status(401).end();
10
    }
11
    const payload = req.body;
12
    // It's a good idea to log all received events.
13
    log(payload);
14
    // Do something (that doesn't take too long) with the payload
15
    res.status(200).end()
16
});
1
// In a Laravel-like app:
2
​
3
Route::post('/receive-webhook', function (\Illuminate\Http\Request $request) {
4
    // If you specified a verify hash, check for the signature
5
    $verifyHash = config('services.duplo.secret_hash');
6
    $signature = $request->header('DP_HASH_VERIFY');
7
    if (!$signature || ($signature !== $verifyHash)) {
8
        // This request isn't from Duplo; discard
9
        abort(401);
10
    }
11
    $payload = $request->all();
12
    // It's a good idea to log all received events.
13
    Log::info($payload);
14
    // Do something (that doesn't take too long) with the payload
15
    return response(200);
16
});
​
​
We currently support the following event notifications. 
Webhook Type
Description
ACCOUNT_INFLOW
A deposit transaction has occured on one your business accounts, status is successful
​
​

Webhook Type	Description
ACCOUNT_INFLOW	A deposit transaction has occured on one your business accounts, status is `successful`

Webhook notification

Next - Payment APIs

Collect Payments

Last modified 5mo ago