How do we make sure that webhook events are coming only from Digio. IP Whitelisting ?
1 - You may allow webhooks only from below IPs:
Sandbox : 35.154.20.28
Production : 13.126.198.236
2 - Provide a secret key and validate. Use X-Digio-Checksum header.
On the client side, HmacSHA256 hex string of payload can be generated using the secret key and compared with the checksum provided in X-Digio-Checksum header.
Check below link to calculate HmacSHA256 in your preferred coding language:
https://github.com/danharper/hmac-examples
Related Articles
Do I need to provide my IP address to Digio for whitelisting to consume webhooks ?
No, not required. Webhook endpoint is sufficient.
For the period my webhooks were disabled, will I still be receiving the old webhook events or events created within this duration when my webhooks are enabled again?
Yes, webhook events are queued and processed separately when webhook endpoint is working.
My webhook endpoint keeps getting disabled due to various reasons, any best practices should I follow?
Do not execute business logic while receiving webhooks. Even if you execute, make sure a 200 response is returned always. For example an entity not found in your database (due to data archival), or state change of an object where this webhook is not ...
I am not able to identify why my webhook is failing, is there a way to find out what error Digio is receiving while hitting my webhook?
Yes. When an email notification is sent about webhook failure, it contains HTTP Error code, Error message received and The Entity id (eg. Document id or Mandate id) for which the webhook attempt is continuously failing.
My endpoint is different for each type of webhook and only one type of event is throwing error, will other events also be stopped when webhooks are disabled?
Yes, the queue is maintained at account level. While endpoints can be different but any failure impacts all types of events