Events Dubu Pay sends
Register a webhook endpoint
1
Create the endpoint
Send a Response:
POST /webhooks/endpoints request with your HTTPS URL and the list of events you want to receive. Pass an empty array to subscribe to all events.2
Store the secret securely
Save the You’ll use this value to verify that incoming requests actually come from Dubu Pay.
secret value as an environment variable in your server:3
Verify the signature on every request
Every request Dubu Pay sends to your endpoint includes an Verify it by computing the expected HMAC using your endpoint secret and comparing it to the header value. Always use a constant-time comparison to prevent timing attacks.
X-Dubu-Signature header containing an HMAC-SHA256 digest of the raw request body:Node.js
4
Handle the event
Each event payload has the same envelope structure:Route events by the
event field:Node.js
Manage your endpoints
List all endpoints
Update an endpoint
Change the URL, event subscriptions, or active status:Delete an endpoint
cURL
Rotate the webhook secret
If your secret is ever exposed, rotate it immediately. The new secret is returned once and replaces the old one:Test an endpoint
Send a test event to confirm your endpoint is reachable and handling signatures correctly:event field, Dubu Pay sends a generic test.webhook event. The test request is signed with X-Dubu-Signature and marked with X-Dubu-Test-Mode: true so you can distinguish test events from live ones.
View webhook logs
Inspect the delivery history for your endpoints to debug failures:event, endpoint_id, and success (true or false). Results are paginated with page and limit (max 100 per page, default 50).
Each log entry includes:
Best practices
Only act on terminal statuses. For deposits, only fulfil orders when
status is SETTLED. Do not take irreversible actions on PENDING_FX or PENDING_WITHDRAWAL.