Verify webhook
Confirm a webhook is coming from Duplo
When enabling your webhook, you have the option to set a
verify_hash
. Since webhook URLs are publicly accessible, the verify_hash
lets you verify incoming requests are from us. You can specify any value as your secret hash, but we recommend using something random. You should store your
verify_hash
as an environment variable on your server.If you specify a
verify_hash
, we'll include it in our request to your webhook URL, in a header called DP_HASH_VERIFY
. In the webhook endpoint, check if the DP_HASH_VERIFY
header is present and that it matches the verify_hash
you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from us.header: {
'DP_HASH_VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
'Content-Type': 'application/json'
}
You must respond with a
200 OK
status code. Any other response codes outside of the 2xx
range, will be considered a failure. We don't care about the response body or headers.If we don't get a 200 OK status code, we'll retry the webhook every one minute for the next 24 hours.
Node
PHP
1
// In an Express or Express-like app:
2
3
app.post("/receive-webhook", (req, res) => {
4
// If you specified a verify hash, check for the signature
5
const verifyHash = process.env.DP_SECRET_HASH;
6
const signature = req.headers["DP_HASH_VERIFY"];
7
if (!signature || (signature !== verifyHash)) {
8
// This request isn't from Duplo; discard
9
res.status(401).end();
10
}
11
const payload = req.body;
12
// It's a good idea to log all received events.
13
log(payload);
14
// Do something (that doesn't take too long) with the payload
15
res.status(200).end()
16
});
1
// In a Laravel-like app:
2
3
Route::post('/receive-webhook', function (\Illuminate\Http\Request $request) {
4
// If you specified a verify hash, check for the signature
5
$verifyHash = config('services.duplo.secret_hash');
6
$signature = $request->header('DP_HASH_VERIFY');
7
if (!$signature || ($signature !== $verifyHash)) {
8
// This request isn't from Duplo; discard
9
abort(401);
10
}
11
$payload = $request->all();
12
// It's a good idea to log all received events.
13
Log::info($payload);
14
// Do something (that doesn't take too long) with the payload
15
return response(200);
16
});
Webhook Type | Description |
---|---|
ACCOUNT_INFLOW | A deposit transaction has occured on one your business accounts, status is successful |
Last modified 5mo ago