Set Color Mode

Webhooks and callbacks


Whenever certain transaction actions occur on your Durianpay Checkout integration, we trigger events which your application can listen to. This is where webhooks come in. A webhook is a URL on your server where we send payloads for such events. For example, if you implement webhooks, once a disbursement is successful, we will immediately notify your server with a transfer-bank.notify event. Here is a list of events we can send to your webhook URL.

You can specify your webhook URL on your dashboard (or through your dedicated Customer success manager) where we would send POST requests to whenever an event occurs.

Valid events

transfer-bank.notify

Webhook events explained

NameDescription
transfer-bank.notifyThis event is triggered when a disbursement is completed. Only when the money is already sent to the destination.

Setting up Webhooks

  • Create Webhooks in Settings > Create New

    Durian webhook 1
  • Fill up the event you want to subscribe to, give a name to webhook event and add your url which you want us to call

    Durian webhook 2

You need to configure only the base url, the path will be appended as per the selected webhook

Durian webhook 3

Sample webhook payloads

transfer-bank.notify
{
  "originalReferenceNo": "dis_item_123",
  "originalPartnerReferenceNo": "123456789",
  "responseCode": "2000000",
  "responseMessage": "Request has been processed successfully",
  "amount": {
    "value": "12345678.00",
    "currency": "IDR"
  },
  "beneficiaryAccountNo": "1234567890",
  "beneficiaryBankCode": "002",
  "sourceAccountNo": "mer_123",
  "additionalInfo": {
    "latestTransactionStatus": "00",
    "transactionStatusDesc": "done"
  }
}

Handling webhooks

Handle the webhook by checking the following fields in the additionalInfo parameter of the webhook body

latestTransactionStatustransactionStatusDescDescription
00doneThe transaction is successfully completed
06failedThe transaction has failed

Digital Signature Verifictaion

Follow these steps to validate the digital signature of the webhook

  1. Take the signature from HTTP header "X-SIGNATURE"

The following is an example:

X-SIGNATURE: aw3o6HM68vJDLO4nxAPgK0it5nd6zik3bUgMzqLiTrIB7w1QbnCLDo/IMVjaYsbPk9s=

  1. Compose the string to verify

<HTTP METHOD> + ":" + <RELATIVE PATH URL> + ":" + LowerCase(HexEncode(SHA-256(Minify(<HTTP BODY>)))) + ":" + <X-TIMESTAMP>

For a webook url https://www.example.com/callback/v1.0/transfer/notify, the relative path url will be /callback/v1.0/transfer/notify

The following is the example

POST:/callback/v1.0/transfer/notify:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdXJpYW4gTW9uZXkiLC :f806c49e8cd175aa9dd5dd8e0a49648c885954d:2024-05-13T15:07:07+07:00

  1. Verify the correctness of the signature based on SHA-256 with RSA-2048 encryption using PKCS#8 signing against the string to sign with provided public key of the sender APIs.

  2. If the verification is correct, then consume the request