Callbacks Details

Callbacks allow you to receive events related to your Orders, Exports, and Address Verifications via HTTP request.

Configure a callback_url and callback_method attributes when these objects using the REST API, and DIDWW will make an HTTP request (webhook) to that URL whenever an event takes place for them. callback_url can be set to any valid URL. callback_method can be either GET or POST.

With GET request you will receive payload as query parameters. POST request will set the “Content-Type” header to “application/x-www-form-urlencoded” with body formatted according to content type.

Order Callback Request Parameters

In case of order status change DIDWW makes an HTTP request to the callback_url you’ve set with following parameters:

Parameter	Description
id	ID of an order
type	‘orders’
status	‘completed’ or ‘canceled’

Export Callback Request Parameters

In case of export complete DIDWW makes an HTTP request to the callback_url you’ve set with following parameters:

Parameter	Description
id	ID of an export
type	‘cdr_exports’
status	‘completed’

Address Verification Callback Request Parameters

In case of address verification status change DIDWW makes an HTTP request to the callback_url you’ve set with following parameters:

Parameter	Description
id	ID of an address verification
type	‘address_verifications’
status	‘approved’ or ‘rejected’
reject_reason	only for rejected status

HTTP Request Validation

If your application exposes sensitive data or is possibly mutative to your data, then you may want to be sure that the HTTP requests to your web application are indeed coming from DIDWW, and not a malicious third party. To allow you this level of security, DIDWW cryptographically signs its requests. Here’s how it works:

1. Turn on TLS on your server and configure your DIDWW account to use HTTPS URLs in callback_url.

2. DIDWW assembles and normalizes the payload.

   • If your request is a POST, DIDWW takes all the POST fields, sorts them alphabetically by their name, and concatenates the parameters name and value (with no delimiters).

   • If your request is a GET, DIDWW takes all the GET query fields (except the query added to the URL itself), sorts them alphabetically by their name, and concatenates the parameters name and value (with no delimiters).

3. DIDWW normalizes the URL (the full URL with a scheme, port, query string, and fragments), concatenates with normalized payload and sign it using HMAC-SHA1 and your API key as the key.

4. DIDWW sends this signature in an HTTP header called X-DIDWW-Signature.

Note

Only an API key with the enable_callbacks option enabled will be used. If there is no API key with this option enabled, then no callback will be performed. Therefore, it’s crucial to make sure that the correct API key is being used to generate the X-DIDWW-Signature for the validation process to function properly. Callbacks can be enabled only for a single API key.

Then, on your end, if you want to verify the authenticity of the request, you can leverage the built-in request validation method provided by all of our helper libraries:

• didww-v3 Ruby gem

• didww/didww-api-3-php-sdk PHP library

Note

We highly recommend you use the helper libraries to do signature validation.

Algorithm implementation details

Steps to perform validation manually:

1. Take the full URL of the request URL you specify in the callback_url attribute, from the protocol (https…) through the end of the query string (everything after the ?).

2. If the request is a POST, sort all of the POST parameters alphabetically (using Unix-style case-sensitive sorting order).

3. If the request is a GET, sort all of the query parameters alphabetically (except that are specifically set in callback_url, using Unix-style case-sensitive sorting order).

4. For POST requests iterate through the sorted list of POST parameters, and append the variable name and value (with no delimiters) to the end of the URL string.

5. For GET requests iterate through the sorted list of GET parameters (except that are specifically set in callback_url) and append the variable name and value (with no delimiters) to the end of the URL string.

6. Sign the resulting string with HMAC-SHA1 using your API key as the key (remember, your API key’s case matters!).

7. Encode the resulting hash as a hex-encoded string (each byte of result data transformed into hex from 00 to ff, most encryption libraries have a function that returns hex digest on the previous step).

8. Compare your hash to ours, submitted in the X-DIDWW-Signature header. If they match, then you’re good to go.

Here’s an example. DIDWW made a POST to your application as part of an order callback: .. code-block:

https://mycompany.com/didww_callbacks?opaque=123

And DIDWW posted the following POST fields:

• type: orders

• status: completed

• id: bf2cee72-6caa-4ae2-917e-bea01945691e

Create a string that is your URL with the full query string and explicitly set the port: .. code-block:

https://mycompany.com:443/didww_callbacks?opaque=123

Then, sort the list of POST variables by the parameter name (using Unix-style case-sensitive sorting order):

• id: bf2cee72-6caa-4ae2-917e-bea01945691e

• status: completed

• type: orders

Next, append each POST variable, name and value, to the string with no delimiters: .. code-block:

https://mycompany.com:443/didww_callbacks?opaque=123idbf2cee72-6caa-4ae2-917e-bea01945691estatuscompletedtypeorders

Hash the resulting string using HMAC-SHA1, using following test API key szrdgh6547umt7tht7xbqhj6g9gdbyp7 and encode as a hex-encoded string

The resulting signature should be 30f66e9d72eb5e193051fd02952f70d8e934b4ff

Note

Concerned about SHA1 security issues? DIDWW does not use SHA-1 alone. In short, the critical component of HMAC-SHA1 that distinguishes it from SHA-1 alone is the use of your DIDWW API key as a complex secret key. While there are possible collision-based attacks on SHA-1, HMACs are not affected by those same attacks - it’s the combination of the underlying hashing algorithm (SHA-1) and the strength of the secret key (API key) that protects you in this case.

IP addresses

Requests are being sent from IPv4 network 46.19.208.0/21 and IPv6 network 2a01:ad00::/32

HTTP Response Error Handling

When DIDWW receives non 2XX response status code from an HTTP request to the callback_url it will re-attempt to send it again up to 9 times.

After 10 attempt DIDWW will stop sending callback event.

HTTP request timeout more than 60 seconds will consider as failed response.

Callback attempt	Wait interval
2	1 minute
3	10 minutes
4	30 minutes
5	1 hour
6	3 hours
7	6 hours
8	12 hours
9	1 day
10	2 days

Testing Callbacks on local machine behind NAT

In order to test Callbacks feature on local servers behind NAT, tools such as ngrock or localtunnel could be used. These tools allows you to expose a web server running on your local machine to the internet.