# Verify webhook

### Validating webhook signature

When enabling your webhook, you have the option to set a *`verify_hash`*. Since webhook URLs are publicly accessible, the `verify_hash` lets you verify incoming requests are from us. You can specify any value as your secret hash, but we recommend using something random.

{% hint style="info" %}
You should store your `verify_hash` as an environment variable on your server.
{% endhint %}

If you specify a `verify_hash`, we'll include it in our request to your webhook URL, in a header called `DP_HASH_VERIFY` or `DP-HASH-VERIFY`. In the webhook endpoint, check that the `DP_HASH_VERIFY` or `DP-HASH-VERIFY` header is present and that it matches the *`verify_hash`* you set. If the header is missing, or the value doesn't match, you can discard the request, as it isn't from us.

#### An example of the verify hash header

```json
header: {
    'DP_HASH_VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
    'DP-HASH-VERIFY': '6F4B941015BC08D44FUAMCAJ.948249SJHE',
    'Content-Type': 'application/json'
}
```

### Responding to webhook request

You must respond with a `200 OK` status code. Any other response codes outside of the `2xx` range will be considered a failure. **We don't care about the response body or headers**.

{% hint style="info" %}
If we don't get a 200 OK status code, we'll retry the webhook every minute for the next 24 hours.
{% endhint %}

### Example

{% tabs %}
{% tab title="Node" %}
{% code overflow="wrap" lineNumbers="true" %}

```javascript
// In an Express or Express-like app:

app.post("/receive-webhook", (req, res) => {
    // If you specified a verify hash, check for the signature
    const verifyHash = process.env.DP_SECRET_HASH;
    // Node lowercases incoming header names, so look up the lowercase
    // form of either spelling.
    const signature = req.headers["dp_hash_verify"] || req.headers["dp-hash-verify"];
    if (!signature || (signature !== verifyHash)) {
        // This request isn't from Duplo; discard.
        // Return here so the payload below is never processed.
        return res.status(401).end();
    }
    const payload = req.body;
    // It's a good idea to log all received events.
    log(payload);
    // Do something (that doesn't take too long) with the payload
    res.status(200).end();
});
```

{% endcode %}
{% endtab %}

{% tab title="PHP" %}
{% code overflow="wrap" lineNumbers="true" %}

```php
// In a Laravel-like app:

Route::post('/receive-webhook', function (\Illuminate\Http\Request $request) {
    // If you specified a verify hash, check for the signature
    $verifyHash = config('services.duplo.secret_hash');
    $signature = $request->header('DP_HASH_VERIFY');
    // hash_equals() compares the two strings in constant time
    if (!$signature || !hash_equals((string) $verifyHash, $signature)) {
        // This request isn't from Duplo; discard
        abort(401);
    }
    $payload = $request->all();
    // It's a good idea to log all received events.
    Log::info($payload);
    // Do something (that doesn't take too long) with the payload
    // Respond with an empty body and a 200 status
    return response('', 200);
});
```

{% endcode %}

{% endtab %}
{% endtabs %}
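
A hardened form of the header check described on this page, as an added example (not Duplo's own code): it accepts either header spelling, compares in constant time, and fails closed when the secret is unset. The names `isFromDuplo` and `requireDuploHash` and the sample secret are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Node's http parser lowercases incoming header names, so match on the
// lowercase forms of the two spellings documented above.
const HEADER_NAMES = ["dp-hash-verify", "dp_hash_verify"];

// Return the one value presented, or null when the header is missing,
// empty, or the two spellings carry different values.
function extractVerifyHeader(headers) {
    const seen = new Set();
    for (const [name, value] of Object.entries(headers || {})) {
        if (!HEADER_NAMES.includes(name.toLowerCase())) continue;
        if (typeof value !== "string" || value.length === 0) return null;
        seen.add(value);
    }
    return seen.size === 1 ? [...seen][0] : null;
}

// Constant-time comparison. Hashing both sides first gives timingSafeEqual
// equal-length buffers (it throws on unequal lengths).
function safeEqual(a, b) {
    const digest = (s) => crypto.createHash("sha256").update(s, "utf8").digest();
    return crypto.timingSafeEqual(digest(a), digest(b));
}

// Fail closed: an unset or empty secret rejects every request.
function isFromDuplo(headers, verifyHash) {
    if (typeof verifyHash !== "string" || verifyHash.length === 0) return false;
    const presented = extractVerifyHeader(headers);
    return presented !== null && safeEqual(presented, verifyHash);
}

// Express-style middleware (hypothetical name): stop at 401 before any
// handler touches the payload.
function requireDuploHash(verifyHash) {
    return (req, res, next) => {
        if (!isFromDuplo(req.headers, verifyHash)) return res.status(401).end();
        return next();
    };
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = "constructed-secret-0001";
const sampleChecks = {
    dashed: isFromDuplo({ "dp-hash-verify": SAMPLE_SECRET }, SAMPLE_SECRET),
    underscored: isFromDuplo({ "dp_hash_verify": SAMPLE_SECRET }, SAMPLE_SECRET),
    wrong: isFromDuplo({ "dp-hash-verify": "guess" }, SAMPLE_SECRET),
    unsetSecret: isFromDuplo({ "dp-hash-verify": "undefined" }, undefined),
};
```

If the endpoint sits behind a reverse proxy, check that it forwards these headers: nginx, for one, drops header names containing underscores by default, so the dashed spelling is the one that reliably arrives.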

## We currently support the following event notifications.

| Webhook Type    | Description                                                                             |
| --------------- | --------------------------------------------------------------------------------------- |
| ACCOUNT\_INFLOW | A deposit transaction has occurred on one of your business accounts, status is `successful` |


