Webhook Relevant
Webhook Signature Verification
payments_response_hash_key which will be used for signing webhook deliveries. Ensure that you store payments_response_hash_key in a secure location that your server can access.
Webhook Signature Generation
Creating a signature for the webhook involves these steps:
- The webhook payload is encoded to a JSON string.
- An HMAC-SHA512 signature is generated using the payload and payment_response_hash_key.
- The obtained digest is included as x-webhook-signature-512 in the headers of the outgoing webhook.
Webhook Validation
To validate the webhook’s authenticity:
- Retrieve the content of the webhook and encode it as a JSON string.
- Generate an HMAC-SHA512 signature using the payload and payment_response_hash_key.
- Compare the obtained digest with the x-webhook-signature-512 received in the webhook's header. If the hashes match, the webhook data is untampered and authentic.
Troubleshooting Signature Verification Failures
If you are sure that the payload is from Doo Payment but the signature verification fails:
- Make sure you are using the correct header. Doo Payment recommends that you use the x-webhook-signature-512 header, which uses the HMAC-SHA512 algorithm. If your machine doesn't support HMAC-SHA256, you can use the x-webhook-signature-256 header, which uses the HMAC-SHA256 algorithm.
- Make sure you are using the correct algorithm. If you are using the x-webhook-signature-256 header, you should use the HMAC-SHA256 algorithm.
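The validation steps and the header/algorithm pairing from the troubleshooting list, as an added Python example (not Doo Payment's own code). It assumes the header value is a hex digest computed over the JSON body bytes exactly as delivered; the key and payload below are constructed sample values.

```python
import hashlib
import hmac
import json

# Header name -> digest algorithm, as paired in the troubleshooting list.
# Order matters: the SHA-512 header is checked first.
SIGNATURE_HEADERS = {
    "x-webhook-signature-512": hashlib.sha512,
    "x-webhook-signature-256": hashlib.sha256,
}


def sign(raw_body: bytes, key: bytes, digestmod) -> str:
    """HMAC of the exact body bytes. Hex encoding is an assumption."""
    return hmac.new(key, raw_body, digestmod).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict, key: bytes) -> bool:
    """Return True only if the strongest signature header present matches.

    raw_body must be the bytes as received: parsing and re-serializing the
    JSON can reorder keys or change whitespace, which changes the digest.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for header, digestmod in SIGNATURE_HEADERS.items():
        received = lowered.get(header)
        if received is None:
            continue
        expected = sign(raw_body, key, digestmod)
        # Constant-time comparison. A failed SHA-512 check does not fall
        # back to the SHA-256 header, so the weaker header cannot rescue it.
        return hmac.compare_digest(
            expected.encode(), received.strip().lower().encode()
        )
    return False  # no signature header at all: reject


if __name__ == "__main__":
    key = b"constructed-test-key"  # stands in for the stored hash key
    # Constructed sample payload, not a real Doo Payment event.
    body = json.dumps({"event": "sample_event", "amount": 100}).encode()
    signed = {"X-Webhook-Signature-512": sign(body, key, hashlib.sha512)}
    print(verify_webhook(body, signed, key))
    print(verify_webhook(body.replace(b"100", b"900"), signed, key))
```

Respond with a non-2XX status when `verify_webhook` returns False, and do not act on the payload.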
Webhook Delivery Behavior
To consider a webhook delivery as successful, Doo Payment expects the HTTP status code to be 2XX from your server. If Doo Payment doesn't receive a 2XX status code, the delivery of the webhook is retried with an increasing delay over the next 24 hours.
The intervals at which webhooks will be retried are:
Retry Attempt | Interval |
---|---|
1st | 1 minute |
2nd, 3rd | 5 minutes |
4th, 5th, 6th, 7th, 8th | 10 minutes |
9th, 10th, 11th, 12th, 13th | 1 hour |
14th, 15th, 16th | 6 hours |
The interval for the first retry attempt in the above table is the duration since the original webhook delivery attempt, while the intervals for the subsequent retry attempts are the durations since the previous webhook delivery attempt.