Introduction
This guide will walk you through setting up and securely handling webhooks.
Our implementation follows the Standard Webhooks specification.
Getting Started
Access Webhook Settings
Navigate to the DodoPayments Dashboard and go to Settings > Webhooks
.
Create Webhook Endpoint
Click on Add Webhook
to create a new webhook endpoint.You can create up to 5 webhook endpoints to receive notifications at different URLs or for different purposes.
Configure Endpoint
Enter the URL where you want to receive webhook events.
Get Secret Key
Obtain your webhook Secret Key
from the settings page. You’ll use this to verify the authenticity of received webhooks.Keep your webhook secret key secure and never expose it in client-side code or public repositories.
Rotate Secret (Optional)
If needed, you can rotate your webhook secret for enhanced security. Click the Rotate Secret button in your webhook settings.Rotating the secret will expire it and replace it with a new one. The old secret will only be valid for the next 24 hours. Afterward, trying to verify with the old secret will fail.
Use secret rotation periodically or immediately if you suspect your current secret has been compromised.
Configuring Subscribed Events
Merchants can configure which specific events they want to receive for each webhook endpoint.
Accessing Event Configuration
Navigate to Webhook Details
Go to your Dodo Payments Dashboard and navigate to Settings > Webhooks
.
Select Your Endpoint
Click on the webhook endpoint you want to configure.
Open Event Settings
In the webhook details page, you’ll see a “Subscribed events” section. Click the Edit button to modify your event subscriptions.
Managing Event Subscriptions
View Available Events
The interface displays all available webhook events organized in a hierarchical structure. Events are grouped by category (e.g., dispute
, payment
, subscription
).
Search and Filter
Use the search bar to quickly find specific events by typing event names or keywords.
Select Events
Check the boxes next to the events you want to receive. You can:
- Select individual sub-events (e.g.,
dispute.accepted
, dispute.challenged
)
- Select parent events to receive all related sub-events
- Mix and match specific events based on your needs
Review Event Details
Hover over the information icon (ⓘ) next to each event to see a description of when that event is triggered.
Save Configuration
Click Save to apply your changes, or Cancel to discard modifications.
By default, webhook endpoints are configured to listen to all events. You can customize this to receive only the events relevant to your integration.
If you deselect all events, your webhook endpoint will not receive any notifications. Make sure to select at least the events your application needs to function properly.
Webhook Delivery
Timeouts
- Webhooks have a
15-second
timeout window, including both connection and read timeouts.
- If a webhook delivery attempt fails, we will retry sending the event using exponential backoff to avoid overloading your system.
Retries
- We will attempt a maximum of 8 retries for each failed webhook delivery.
- Each retry follows a specific schedule based on the failure of the preceding attempt:
Retry Schedule
The retry attempts follow this schedule:
- Immediately (first retry)
- 5 seconds after the first failure
- 5 minutes after the second failure
- 30 minutes after the third failure
- 2 hours after the fourth failure
- 5 hours after the fifth failure
- 10 hours after the sixth failure
- 10 hours after the seventh failure (final retry)
Total Timeline
For example, if a webhook fails three times before succeeding, it will be delivered roughly 35 minutes and 5 seconds following the first attempt.
If a webhook endpoint is removed or disabled, all delivery attempts to that endpoint will be stopped immediately.
You can also use the Dodo Payments dashboard to manually retry each message at any time, or automatically retry (“Recover”) all failed messages.
Idempotency
- Each webhook event contains a unique
webhook-id
header. Use this to implement idempotency and avoid processing the same event multiple times.
- Even if you receive the same event more than once (due to retries), your system should handle it gracefully without causing errors or duplicate actions.
Ordering
- Webhook delivery order is not guaranteed, as webhooks may be delivered out of order due to retries or network issues.
- Ensure your system can handle events arriving out of order by using the
webhook-id
header to process events correctly.
Please note that you will receive the latest payload at the time of delivery, regardless of when the webhook event was emitted.
Securing Webhooks
To ensure the security of your webhooks, always validate the payloads and use HTTPS.
Verifying Signatures
Each webhook request includes a webhook-signature
header — an HMAC SHA256 signature of the webhook payload and timestamp, signed with your secret key.
To verify a webhook came from DodoPayments:
-
Compute the HMAC SHA256 of this string using your webhook secret key obtained from the DodoPayments Dashboard
-
Concatenate the
webhook-id
, webhook-timestamp
, and stringified payload
values from the webhook with periods (.
)
The respective payloads for outgoing webhooks can be found in the Webhook Payload.
-
Compare the computed signature to the received
webhook-signature
header value. If they match, the webhook is authentic.
Since we follow the Standard Webhooks specification, you can use one of their libraries to verify the signature: https://github.com/standard-webhooks/standard-webhooks/tree/main/libraries
Responding to Webhooks
- Your webhook handler must return a
2xx status code
to acknowledge receipt of the event.
- Any other response will be treated as a failure, and the webhook will be retried.
Outgoing Webhook Payload Structure
The following section describes the structure of the outgoing webhook request sent to your endpoint. This helps you understand what to expect and how to parse the payload.
Endpoint
Unique identifier for the webhook.
Signature of the Webhook (HMAC SHA256).
Unix timestamp when the webhook was sent.
Request Body
The request body is a JSON object with the following structure:
{
"business_id": "string",
"type": "payment.succeeded | payment.failed |...",
"timestamp": "2024-01-01T12:00:00Z",
"data": {
"payload_type": "Payment | Subscription | Refund | Dispute | LicenseKey",
// ... event-specific fields (see below)
}
}
Responses
Webhook processed successfully. You must return a 2xx status code to acknowledge receipt.
Invalid request. The payload or headers are malformed.
Invalid webhook signature. The signature verification failed.
Testing Webhooks
You can test your webhook integration directly from the Dodo Payments dashboard to ensure your endpoint is working correctly before going live.
Accessing the Testing Interface
Navigate to Webhooks
Go to your Dodo Payments Dashboard and navigate to Settings > Webhooks
.
Select Your Endpoint
Click on your webhook endpoint to access its details page.
Open Testing Tab
Click on the Testing tab to access the webhook testing interface.
Testing Your Webhook
The testing interface provides a comprehensive way to test your webhook endpoint:
Select Event Type
Use the dropdown menu to select the specific event type you want to test (e.g., payment.succeeded
, payment.failed
, etc.).The dropdown contains all available webhook event types that your endpoint can receive.
Review Schema and Example
The interface displays both the Schema (data structure) and Example (sample payload) for the selected event type.
Send Test Event
Click the Send Example button to send a test webhook to your endpoint.Important: Failed messages sent through the testing interface will not be retried. This is for testing purposes only.
Verifying Your Test
Check Your Endpoint
Monitor your webhook endpoint logs to confirm the test event was received.
Verify Signature
Ensure your signature verification is working correctly with the test payload.
Test Response
Confirm your endpoint returns a 2xx
status code to acknowledge receipt.
Example code
An Express.js
code snippet on how you can listen and verify our webhooks.
// index.ts in express
const { Webhook } = require("standardwebhooks");
const webhook = new Webhook('DODO_PAYMENTS_WEBHOOK_KEY');
// Add this endpoint in the Dodo Payments Website | Side Bar -> Developer -> Webhooks -> create
app.post('/webhook/dodo-payments', async (req: any, res: any) => {
try {
const body = req.body;
const webhookHeaders: WebhookUnbrandedRequiredHeaders = {
"webhook-id": (req.headers["webhook-id"] || "") as string,
"webhook-signature": (req.headers["webhook-signature"] || "") as string,
"webhook-timestamp": (req.headers["webhook-timestamp"] || "") as string,
};
const raw = JSON.stringify(body);
const samePayloadOutput = await webhook.verify(raw, webhookHeaders);
// ... Rest of your code HERE ...
res.status(200).json({ received: true });
} catch (error) {
console.error('Error processing webhook:', error);
res.status(400).json({ error: 'Webhook handler failed' });
}
});
Use the testing interface to verify your webhook handler logic before processing real events. This helps catch issues early and ensures your integration is robust.
Advanced Settings
The Advanced Settings tab provides additional configuration options for fine-tuning your webhook endpoint behavior.
Rate Limiting (Throttling)
Control the rate at which webhook events are delivered to your endpoint to prevent overwhelming your system.
Access Rate Limit Settings
In the Advanced tab, locate the “Rate Limit (throttling)” section.
Configure Rate Limit
Click the Edit button to modify the rate limit settings.By default, webhooks have “No rate limit” applied, meaning events are delivered as soon as they occur.
Set Limits
Configure your desired rate limit to control webhook delivery frequency and prevent system overload.
Use rate limiting when your webhook handler needs time to process events or when you want to batch multiple events together.
Add custom HTTP headers to all webhook requests sent to your endpoint. This is useful for authentication, routing, or adding metadata to your webhook requests.
Add Custom Header
In the “Custom Headers” section, enter a Key and Value for your custom header.
Add Multiple Headers
Click the + button to add additional custom headers as needed.
Save Configuration
Your custom headers will be included in all webhook requests to this endpoint.
Transformations allow you to modify a webhook’s payload and redirect it to a different URL. This powerful feature enables you to:
- Modify the payload structure before processing
- Route webhooks to different endpoints based on content
- Add or remove fields from the payload
- Transform data formats
Enable Transformations
Toggle the Enabled switch to activate the transformation feature.
Configure Transformation
Click Edit transformation to define your transformation rules.You can use JavaScript to transform the webhook payload and specify a different target URL.
Test Transformation
Use the testing interface to verify your transformation works correctly before going live.
Transformations can significantly impact webhook delivery performance. Test thoroughly and keep transformation logic simple and efficient.
Transformations are particularly useful for:
- Converting between different data formats
- Filtering events based on specific criteria
- Adding computed fields to the payload
- Routing events to different microservices
Monitoring Webhook Logs
The Logs tab provides comprehensive visibility into your webhook delivery status, allowing you to monitor, debug, and manage webhook events effectively.
Activity Monitoring
The Activity tab provides real-time insights into your webhook delivery performance with visual analytics.
We look forward to helping you implement seamless real-time notifications with webhooks! If you have any questions, please don’t hesitate to reach out to our support team.