LogoLogo
  • GET STARTED
    • Integration Guide
    • Quick Start
  • Webhooks
    • Webhooks
      • Register a webhook
      • Webhook notification
      • Verify webhook
  • Payment APIs
    • Collect Payments
      • Virtual Accounts
        • Create a single-use virtual account
        • Create a multi-use virtual account
        • Update a virtual account
        • Delete a virtual account
        • List all virtual accounts
        • Get details of a virtual account
      • Digital Wallets
        • Create a wallet
        • List all wallets
        • Get details of a wallet
        • Transfer between wallets
        • Transfer to business
        • Sweep wallet balances
        • Get wallet balance
      • Customers
        • Create a customer
        • List all customers
        • Get customer details
      • Invoices
        • Create an invoice
        • Edit invoice
        • Resend invoice
        • List all invoices
        • Get invoice details
    • Make Payments
      • Request OTP to initiate payout
      • Get a list of registered banks
      • Get Wallet Balance
      • Verify account number
      • Initiate a payout
      • Get all transactions
      • Get details of a transaction
      • Recipients
        • Create a recipient
        • List all recipient
        • Get a recipient's details
        • Delete a recipient
        • Get recipients summary
    • Duplo Checkout
      • Checkout Redirect
        • Generate a checkout URL
      • Checkout SDK
      • Verify checkout transaction
    • Make Payments v2
      • Initiate a Payout v2
      • Resend OTP
      • Process Payout
      • Get details of a Transaction v2
Powered by GitBook
On this page
  • Validating webhook signature
  • Responding to webhook request
  • Example
  • We currently support the following event notifications.

Was this helpful?

  1. Webhooks
  2. Webhooks

Verify webhook

Confirm a webhook is coming from Duplo

Validating webhook signature

When enabling your webhook, you have the option to set a verify_hash. Since webhook URLs are publicly accessible, the verify_hash lets you verify incoming requests are from us. You can specify any value as your secret hash, but we recommend using something random.

You should store your verify_hash as an environment variable on your server.

If you specify a verify_hash, we'll include it in our request to your webhook URL, in a header called DP_HASH_VERIFY or DP-HASH-VERIFY. In the webhook endpoint, check if the DP_HASH_VERIFY or DP-HASH-VERIFYheader is present and it matches the verify_hash you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from us.

An example of the verify hash header

header: {
    'DP_HASH_VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
    'DP-HASH-VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
    'Content-Type': 'application/json'
}

Responding to webhook request

You must respond with a 200 OK status code. Any other response codes outside of the 2xx range will be considered a failure. We don't care about the response body or headers.

If we don't get a 200 OK status code, we'll retry the webhook every one minute for the next 24 hours.

Example

// In an Express or Express-like app:

app.post("/receive-webhook", (req, res) => {
    // If you specified a verify hash, check for the signature
    const verifyHash = process.env.DP_SECRET_HASH;
    const signature = req.headers["DP_HASH_VERIFY"];
    if (!signature || (signature !== verifyHash)) {
        // This request isn't from Duplo; discard
        res.status(401).end();
    }
    const payload = req.body;
    // It's a good idea to log all received events.
    log(payload);
    // Do something (that doesn't take too long) with the payload
    res.status(200).end()
});
// In a Laravel-like app:

Route::post('/receive-webhook', function (\Illuminate\Http\Request $request) {
    // If you specified a verify hash, check for the signature
    $verifyHash = config('services.duplo.secret_hash');
    $signature = $request->header('DP_HASH_VERIFY');
    if (!$signature || ($signature !== $verifyHash)) {
        // This request isn't from Duplo; discard
        abort(401);
    }
    $payload = $request->all();
    // It's a good idea to log all received events.
    Log::info($payload);
    // Do something (that doesn't take too long) with the payload
    return response(200);
});

We currently support the following event notifications.

Webhook Type
Description

ACCOUNT_INFLOW

A deposit transaction has occured on one your business accounts, status is successful

PreviousWebhook notificationNextCollect Payments

Last updated 1 year ago

Was this helpful?