Skip to main content
Dubu Pay sends webhook events to URLs you register whenever something significant happens — a deposit settles, a withdrawal completes, or a checkout link payment clears. This guide explains how to register an endpoint, verify signatures, handle the events you care about, and follow best practices for reliable delivery.

Events Dubu Pay sends

Register a webhook endpoint

1

Create the endpoint

Send a POST /webhooks/endpoints request with your HTTPS URL and the list of events you want to receive. Pass an empty array to subscribe to all events.
Response:
The secret is returned only once, at creation time. Save it securely (e.g. as an environment variable). You cannot retrieve it again — only rotate it.
2

Store the secret securely

Save the secret value as an environment variable in your server:
You’ll use this value to verify that incoming requests actually come from Dubu Pay.
3

Verify the signature on every request

Every request Dubu Pay sends to your endpoint includes an X-Dubu-Signature header containing an HMAC-SHA256 digest of the raw request body:
Verify it by computing the expected HMAC using your endpoint secret and comparing it to the header value. Always use a constant-time comparison to prevent timing attacks.
Node.js
You must use the raw request body (before any JSON parsing) to compute the HMAC. If your framework parses the body first and you re-serialize it, the bytes may differ and verification will fail.
4

Handle the event

Each event payload has the same envelope structure:
Route events by the event field:
Node.js

Manage your endpoints

List all endpoints

Update an endpoint

Change the URL, event subscriptions, or active status:

Delete an endpoint

cURL

Rotate the webhook secret

If your secret is ever exposed, rotate it immediately. The new secret is returned once and replaces the old one:
Rotating the secret immediately invalidates the previous one. Update your server’s environment variable before rotating to avoid a gap in signature verification.

Test an endpoint

Send a test event to confirm your endpoint is reachable and handling signatures correctly:
If you omit the event field, Dubu Pay sends a generic test.webhook event. The test request is signed with X-Dubu-Signature and marked with X-Dubu-Test-Mode: true so you can distinguish test events from live ones.

View webhook logs

Inspect the delivery history for your endpoints to debug failures:
You can filter logs by event, endpoint_id, and success (true or false). Results are paginated with page and limit (max 100 per page, default 50). Each log entry includes:

Best practices

Respond fast, process async. Your endpoint must return a 2xx status code within 10 seconds. If processing takes longer, acknowledge the request immediately and handle the event in a background job.
Use idempotency keys on your end. Dubu Pay deduplicates events internally, but network issues can still result in a delivery being retried. Store the event ID and skip processing if you’ve seen it before.
Only act on terminal statuses. For deposits, only fulfil orders when status is SETTLED. Do not take irreversible actions on PENDING_FX or PENDING_WITHDRAWAL.
Never expose your webhook secret in client-side code. The secret lives only on your server. If it is ever committed to version control or logged, rotate it immediately.