Verify webhook
Confirm a webhook is coming from Duplo
Validating webhook signature
When enabling your webhook, you have the option to set a verify_hash
. Since webhook URLs are publicly accessible, the verify_hash
lets you verify incoming requests are from us. You can specify any value as your secret hash, but we recommend using something random.
If you specify a verify_hash
, we'll include it in our request to your webhook URL, in a header called DP_HASH_VERIFY
or DP-HASH-VERIFY.
In the webhook endpoint, check if the DP_HASH_VERIFY
or DP-HASH-VERIFY
header is present and it matches the verify_hash
you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from us.
An example of the verify hash header
header: {
'DP_HASH_VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
'DP-HASH-VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
'Content-Type': 'application/json'
}
Responding to webhook request
You must respond with a 200 OK
status code. Any other response codes outside of the 2xx
range will be considered a failure. We don't care about the response body or headers.
Example
// In an Express or Express-like app:
app.post("/receive-webhook", (req, res) => {
// If you specified a verify hash, check for the signature
const verifyHash = process.env.DP_SECRET_HASH;
const signature = req.headers["DP_HASH_VERIFY"];
if (!signature || (signature !== verifyHash)) {
// This request isn't from Duplo; discard
res.status(401).end();
}
const payload = req.body;
// It's a good idea to log all received events.
log(payload);
// Do something (that doesn't take too long) with the payload
res.status(200).end()
});
We currently support the following event notifications.
ACCOUNT_INFLOW
A deposit transaction has occured on one your business accounts, status is successful
Last updated
Was this helpful?