Webhooks and callbacks
Whenever certain transaction actions occur on your Durianpay Checkout integration, we trigger events which your application can listen to. This is where webhooks come in. A webhook is a URL on your server where we send payloads for such events. For example, if you implement webhooks, once a disbursement is successful, we will immediately notify your server with a transfer-bank.notify
event. Here is a list of events we can send to your webhook URL.
You can specify your webhook URL on your dashboard (or through your dedicated Customer success manager) where we would send POST requests to whenever an event occurs.
Valid events
transfer-bank.notify
Webhook events explained
Name | Description |
---|---|
transfer-bank.notify | This event is triggered when a disbursement is completed. Only when the money is already sent to the destination. |
Setting up Webhooks
Create Webhooks in Settings > Create New
Fill up the event you want to subscribe to, give a name to webhook event and add your url which you want us to call
You need to configure only the base url, the path will be appended as per the selected webhook
Sample webhook payloads
{
"originalReferenceNo": "dis_item_123",
"originalPartnerReferenceNo": "123456789",
"responseCode": "2000000",
"responseMessage": "Request has been processed successfully",
"amount": {
"value": "12345678.00",
"currency": "IDR"
},
"beneficiaryAccountNo": "1234567890",
"beneficiaryBankCode": "002",
"sourceAccountNo": "mer_123",
"additionalInfo": {
"latestTransactionStatus": "00",
"transactionStatusDesc": "done"
}
}
Handling webhooks
Handle the webhook by checking the following fields in the additionalInfo
parameter of the webhook body
latestTransactionStatus | transactionStatusDesc | Description |
---|---|---|
00 | done | The transaction is successfully completed |
06 | failed | The transaction has failed |
Digital Signature Verifictaion
Follow these steps to validate the digital signature of the webhook
- Take the signature from HTTP header "X-SIGNATURE"
The following is an example:
X-SIGNATURE: aw3o6HM68vJDLO4nxAPgK0it5nd6zik3bUgMzqLiTrIB7w1QbnCLDo/IMVjaYsbPk9s=
- Compose the string to verify
<HTTP METHOD> + ":" + <RELATIVE PATH URL> + ":" + LowerCase(HexEncode(SHA-256(Minify(<HTTP BODY>)))) + ":" + <X-TIMESTAMP>
For a webook url https://www.example.com/callback/v1.0/transfer/notify
, the relative path url will be /callback/v1.0/transfer/notify
The following is the example
POST:/callback/v1.0/transfer/notify:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdXJpYW4gTW9uZXkiLC
:f806c49e8cd175aa9dd5dd8e0a49648c885954d:2024-05-13T15:07:07+07:00
Verify the correctness of the signature based on SHA-256 with RSA-2048 encryption using PKCS#8 signing against the string to sign with provided public key of the sender APIs.
If the verification is correct, then consume the request