Skip to main content

Best Practice

Handling HTTP Notification is crucial in order to make sure that your integration's business logic works as expected. Here are some best practices that you need to implement:

Handling Notification Implementation

Acknowledge HTTP Notification immediately

If your HTTP Notification endpoint performs complex logic, or makes network calls, it's possible that the endpoint would time out before DOKU sees its complete execution. Ideally, your HTTP Notification handler code (acknowledging receipt of an event by returning a 2xx status code) is separate of any other logic you do for that notification.

Verify HTTP Notification authenticity

You must verify the HTTP Notification to make sure that it is coming from DOKU. To do that, you need to check the Signature on the Request Header that sent to you.

Before generating Signature, merchant need to prepare all the component required.

  1. Set Client-Id, Request-Id, Request-Timestamp.

Use the Client-Id, Request-Id, Request-Timestamp that is placed on the Request Header.

  1. Set Request-Target

The Request-Target is the path of merchant Notification URL or the Inquiry URL. For instance, if merchant set the Notification URL: Therefore, the Request-Target value is /payments/notifications.

  1. Generate Digest

Digest is the hashed of the request body. To generate the Digest:

Calculate SHA256 base64 hash from the JSON Body

  1. Generating Signature

After all the Signature component has been set, merchant can now generate it:

  • Arrange the signature components to one component and its value per line by adding \n escape character. Don't add \n at the end of the string. Sample of the raw format:

This is how merchant see it:

  • Calculate HMAC-SHA256 base64 from all the components above using the Secret Key from DOKU Back Office
  • Put encoded value and prepend HMACSHA256= to the Signature. Sample:
Signature: HMACSHA256=OvIRJs/jH8BIcGsktr4d8nnYtxY6E0Uzdm9d1GVgv5s=

Update the transaction status based on the transaction.status

All of the notifications that we send always have transaction.status parameter. The possible value is SUCCESS or FAILED. Update the transaction status on your side based on this value.

Checkout Implementation

Checkout User Experience is designed to increase your payment success rate, meaning that it allows your customers to change payment method if one is failed. Therefore, if you are integrating with Checkout, you must ignore the transaction.status FAILED.

Handle duplicate events

HTTP Notification endpoints might occasionally receive the same event more than once. We advise you to guard against duplicated event receipts by making your event processing idempotent. One way of doing this is logging the events you've processed, and then not processing already-logged events.

Parse HTTP Notification in non-strict format

DOKU sends the notification body as JSON, please parse the JSON with a JSON parser. Always expect new fields will be added to the notification body, so parse it in a non strict format. This prevents the parser from throwing an exception for new fields. It should gracefully ignore the new fields. This allows us to extend our notification system for newer use cases without breaking old clients.

Sample Code

Here are the sample code on how you can handle the notification in various programming languages:


public function notifications(Request $request) {
$notificationHeader = getallheaders();
$notificationBody = file_get_contents('php://input');
$notificationPath = '/payments/notifications'; // Adjust according to your notification path
$secretKey = 'SK-e8acCt3iB1a1A0Jodfad'; // Adjust according to your secret key

$digest = base64_encode(hash('sha256', $notificationBody, true));
$rawSignature = "Client-Id:" . $notificationHeader['Client-Id'] . "\n"
. "Request-Id:" . $notificationHeader['Request-Id'] . "\n"
. "Request-Timestamp:" . $notificationHeader['Request-Timestamp'] . "\n"
. "Request-Target:" . $notificationPath . "\n"
. "Digest:" . $digest;

$signature = base64_encode(hash_hmac('sha256', $rawSignature, $secretKey, true));
$finalSignature = 'HMACSHA256=' . $signature;

if ($finalSignature == $headers['Signature']) {
// TODO: Process if Signature is Valid
return response('OK', 200)->header('Content-Type', 'text/plain');

// TODO: Do update the transaction status based on the `transaction.status`
} else {
// TODO: Response with 400 errors for Invalid Signature
return response('Invalid Signature', 400)->header('Content-Type', 'text/plain');

Plugins handles the notification for you

If you are using Plugins, the notification is handled by the plugin itself. The order status on the CMS will update accordingly based on the notification received.