Webhook configuration
Webhooks provide real-time notifications about verification session status changes. Instead of polling the API, you register an endpoint URL to which the DPay HUB sends events as soon as they occur.
POST/api/v1/webhooksComplete contract: parameters, one-time secret and response codes.Full contract in the API Reference
GET/api/v1/webhooksThe tenant's registered endpoints and their current state.Full contract in the API Reference
Registering an endpoint
POST /api/v1/webhooks
curl -X POST https://hub.dpay.pl/api/v1/webhooks \
-H "Authorization: Bearer deid_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"url": "https://twoja-strona.pl/webhooks/dpay",
"events": ["verification.completed", "verification.failed"],
"description": "Production endpoint"
}'
Parameters
| Field | Type | Required | Description |
|---|---|---|---|
url | string (URL) | Yes | Your endpoint URL; HTTPS is required in production |
events | array | Yes | Event list, or ["*"] for all events |
description | string | No | Endpoint description displayed in the panel |
Response (201)
{
"data": {
"id": "wh-uuid",
"url": "https://twoja-strona.pl/webhooks/dpay",
"events": ["verification.completed", "verification.failed"],
"description": "Production endpoint",
"is_active": true,
"failure_count": 0,
"last_triggered_at": null,
"last_success_at": null,
"last_failure_at": null,
"disabled_at": null,
"created_at": "2026-04-07T10:00:00+00:00",
"updated_at": "2026-04-07T10:00:00+00:00"
},
"meta": {
"secret": "whsec_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6"
}
}
The meta.secret field is returned only once, in the response to POST /webhooks. Store it securely, for example in a secrets vault. It cannot be retrieved again. If you lose the secret, you must create a new webhook.
The secret is used to verify webhook authenticity. See HMAC signature.
Updating an endpoint
PATCH /api/v1/webhooks/{id}
This is a partial update: send only the fields you want to change.
curl -X PATCH https://hub.dpay.pl/api/v1/webhooks/{id} \
-H "Authorization: Bearer deid_live_xxx" \
-H "Content-Type: application/json" \
-d '{"is_active": false}'
Updatable fields
| Field | Description |
|---|---|
url | New endpoint URL |
events | New subscribed event list |
description | New description |
is_active | Enable or disable the endpoint (true/false) |
Listing endpoints
curl https://hub.dpay.pl/api/v1/webhooks \
-H "Authorization: Bearer deid_live_xxx"
Returns all webhook endpoints registered for the tenant.
Endpoint details
curl https://hub.dpay.pl/api/v1/webhooks/{id} \
-H "Authorization: Bearer deid_live_xxx"
Sending a test payload
POST /api/v1/webhooks/{id}/test
Sends an asynchronous test payload with the verification.test event type to the registered endpoint. This is ideal for checking the configuration without creating a real session.
curl -X POST https://hub.dpay.pl/api/v1/webhooks/{id}/test \
-H "Authorization: Bearer deid_live_xxx"
Deleting an endpoint
DELETE /api/v1/webhooks/{id}
curl -X DELETE https://hub.dpay.pl/api/v1/webhooks/{id} \
-H "Authorization: Bearer deid_live_xxx"
Returns 204 No Content on success.
Endpoint requirements
- HTTPS is required in production; HTTP is allowed only in the sandbox
- A 2xx response must be returned within 10 seconds, or the webhook is retried; see Retry policy
- Idempotency is required because the endpoint may receive the same event more than once during retries
- Signature verification is mandatory: always verify
X-Signature; see HMAC signature
Next steps
- Events - available webhook event types
- HMAC signature - verify authenticity
- Retry policy - delivery failure behavior