Technical - FAQs

A: The payment.succeeded webhook event for subscription products does not include a product_id. Instead, it provides the subscription_id associated with the subscription, along with other relevant details.

A: To verify that the webhooks you receive are genuinely from Dodo Payments and not from malicious actors, follow these steps:

1. Check the Signature: Each webhook sent by Dodo Payments includes a unique signature in the webhook-signature header. This signature is generated using your webhook’s secret key and the payload of the event.
2. Retrieve the Secret Key: Ensure you have the secret key for your webhook, which can be found in your Dodo Payments dashboard under the Webhooks settings.
3. Recompute the Signature: Use the same signing algorithm (HMAC-SHA256) as Dodo Payments to compute the signature on your server. Use the payload of the webhook and your webhook secret key.
4. Compare Signatures: Compare the recomputed signature with the one provided in the webhook-signature header. If they match, the webhook is authentic; if not, it should be rejected.
5. Use HTTPS: Ensure your webhook endpoint uses HTTPS to secure communication and prevent tampering during data transmission. By implementing these steps, you can confidently verify the authenticity of webhooks sent by Dodo Payments.

A: For subscriptions, subscription.renew will be triggered whenever the subscription amount is deducted. So yes, this is expected behavior.

A: To test webhooks locally, you can follow these steps:

1. Use a Tunneling Tool: Tools like ngrok, LocalTunnel, or Cloudflare Tunnel can expose your local server to the internet. This provides a public URL that Dodo Payments can use to send webhook events to your local environment.
2. Set Up the Webhook Endpoint: Create a webhook endpoint in your local application to handle incoming webhook events. Ensure it listens for HTTP POST requests.
3. Configure the Webhook in Dodo Payments: Go to your Dodo Payments dashboard, navigate to the Webhooks settings, and update the webhook URL to the public URL generated by the tunneling tool.
4. Trigger Events: Perform actions in your environment to trigger webhook events. For example, you can simulate payments or subscription renewals.
5. Inspect Incoming Requests: Use the tunneling tool’s logs or your application’s logging to inspect the incoming webhook payloads. This allows you to verify that your endpoint is receiving the events and processing them correctly.
6. Verify Signature: Ensure you validate the webhook-signature header to confirm that the webhook events are authentic and sent by Dodo Payments.

By following these steps, you can easily test and debug webhooks in your local development environment.