Webhooks

Diddo uses webhooks to notify your application when important events occur in real time, such as checkout initialization, payment updates, or fulfillment changes.

Webhooks are delivered as HTTPS POST requests to your configured endpoint and allow your system to stay in sync without polling.


This section covers:

  • Webhook overview
  • Setting up a webhook endpoint
  • Event payload structure
  • Verifying webhook signatures
  • Idempotency & retries
  • Security best practices

📘 Note: Full request/response schemas for webhook management are available in the API reference.


Webhook Overview

  • Webhooks are sent as HTTPS POST requests
  • Each request represents one event
  • Events are signed to ensure authenticity
  • Deliveries may be retried if your endpoint does not acknowledge receipt

Typical use cases:

  • Track checkout lifecycle events
  • Trigger internal workflows (orders, fulfillment, analytics)
  • Keep downstream systems in sync with Diddo

💡 Event Types

| Event Type | Description |
| --- | --- |
| checkout.initialized | Checkout session has been created and initialized. |
| checkout.in_progress | Customer has started interacting with the checkout (e.g., selected payment_option). |
| checkout.succeeded | Checkout completed successfully and payment was confirmed. |
| checkout.failed | Checkout attempt failed (e.g., payment declined or error occurred). |
| checkout.cancelled | Customer attempted multiple failed payments. |
| order.submitted | Order has been successfully submitted/created after checkout. |

🧩 Set Up a Webhook Endpoint

Create an endpoint in your application that accepts POST requests with a JSON body.

Once your endpoint is live, register it in Diddo using the Create Webhook Subscription endpoint and store the returned webhook signing secret securely.

⚠️ The webhook secret is shown only once. Store it safely.

Operational requirements:

  • Endpoint must be publicly accessible
  • Must respond within 20 seconds
  • Must return a 2xx status code to acknowledge receipt

📨 Webhook Requests

HTTP Method = POST

Headers

| Header | Description |
| --- | --- |
| X-Webhook-Event | Event type (e.g. checkout.initialized, checkout.in_progress, checkout.succeeded, checkout.failed, checkout.cancelled, order.submitted) |
| X-Webhook-Id | Unique event ID (use for idempotency) |
| X-Webhook-Delivery | Unique delivery attempt ID |
| X-Diddo-Webhook-Signature | HMAC-SHA256 signature of the payload |
| X-Webhook-Timestamp | Time the webhook was sent |

📦 Event Object

Each webhook delivers a single event with the following structure:

json

Examples

Event Type: checkout.initialized

sql

Event Type: checkout.in_progress

sql

Event Type: checkout.succeeded

json

Event Type: checkout.failed

sql

Verifying Webhook Signatures

Always verify webhook signatures before processing events.

Diddo signs each webhook payload using HMAC-SHA256 with your webhook secret.

Verification Flow

  1. Read the raw request body
  2. Compute an HMAC-SHA256 hash using your webhook secret
  3. Compare it to the value in X-Diddo-Webhook-Signature
  4. Reject the request if the signatures don't match

🧪 Signature Verification Examples

Python

python

Node.js

javascript

Important: Use the raw request body. Do not stringify parsed JSON.


Go

go

✅ Responding to Webhooks

  • Return a 2xx status code to acknowledge receipt
  • Do not perform long-running work in the request handler
  • Queue the event and process it asynchronously

⏱️ Requests must be processed within 20 seconds


♻️ Idempotency

Webhook events may be delivered more than once.

Use the X-Webhook-Id header as an idempotency key to deduplicate events in your system.

Recommended approach:

  • Store processed webhook IDs
  • Ignore events you've already handled
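
The verification flow and the idempotency approach described above, combined in one handler. This is an added example, not Diddo's own code. It assumes the signature header carries the hex digest of HMAC-SHA256 over the raw body; the function names, the status codes returned and the in-memory `seen_ids` set are this example's choices.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: the header value is the hex digest of HMAC-SHA256 over the
    # exact raw body bytes. Confirm the encoding in the API reference.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def signature_is_valid(secret: bytes, raw_body: bytes, received: str) -> bool:
    # Compare as bytes with compare_digest: constant-time, and it does not
    # raise if the header contains non-ASCII characters.
    expected = sign(secret, raw_body).encode()
    candidate = received.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected, candidate)

def handle_delivery(headers, raw_body, secret, seen_ids, work_queue) -> int:
    """Return the HTTP status to send (status codes are this example's choice)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = h.get("x-diddo-webhook-signature")
    if not received or not signature_is_valid(secret, raw_body, received):
        return 401  # unsigned or forged: reject before parsing the body
    event_id = h.get("x-webhook-id")
    if not event_id:
        return 400
    if event_id in seen_ids:
        return 200  # retry of an event already handled: acknowledge only
    try:
        event = json.loads(raw_body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return 400
    seen_ids.add(event_id)  # in production: a durable store with a unique key
    work_queue.append((h.get("x-webhook-event"), event))  # process asynchronously
    return 200

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not real ones
    body = b'{"example":"constructed body"}'
    hdrs = {"X-Diddo-Webhook-Signature": sign(secret, body),
            "X-Webhook-Id": "evt_constructed_1",
            "X-Webhook-Event": "checkout.succeeded"}
    seen, queue = set(), []
    print(handle_delivery(hdrs, body, secret, seen, queue))         # first delivery
    print(handle_delivery(hdrs, body, secret, seen, queue))         # duplicate
    print(handle_delivery(hdrs, body + b" ", secret, seen, queue))  # altered body
```

Pass the bytes exactly as received from the socket or framework: re-serializing parsed JSON changes whitespace and key order, so the recomputed HMAC will not match.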

🔄 Retries

If your endpoint fails or returns a non-2xx response, Diddo retries delivery using exponential backoff:

| Attempt | Delay |
| --- | --- |
| 1 | Immediate |
| 2 | 1 minute |
| 3 | 5 minutes |
| 4 | 15 minutes |
| 5 | 1 hour |
| 6+ | Every 6 hours |

After all retries are exhausted, the delivery is marked as failed_permanent.


🔒 Security Best Practices

  • Always use HTTPS
  • Verify webhook signatures
  • Store webhook secrets securely
  • Reject invalid or unsigned requests
  • Avoid logging raw secrets or payloads

🔧 Managing Webhook Subscriptions

Diddo provides APIs to manage webhook subscriptions:

  • Create new webhook subscriptions
  • List all webhook subscriptions
  • Get a specific webhook subscription
  • Update webhook subscription
  • Delete webhook subscription

See the Webhook API reference for details.