webhook-integration_skill

This skill helps you implement and secure Dodo Payments webhooks in real time, including verification, idempotency, and event handling guidance.

7

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill dodopayments/skills --skill webhook-integration

  • SKILL.md13.0 KB

Overview

This skill is a complete guide for setting up and handling Dodo Payments webhooks to receive real-time payment and subscription event notifications. It explains secure signature verification, event handling patterns, and quick setup steps for common frameworks. The content focuses on production-ready practices: idempotency, replay protection, logging, and async processing.

How this skill works

The skill inspects incoming HTTP POST requests from Dodo Payments, verifies the webhook signature using the shared secret, checks the webhook-timestamp to prevent replay attacks, and parses the JSON event payload. It routes events by type (payment, subscription, refund, dispute, license_key) to handler functions, and recommends responding immediately while processing business logic asynchronously. Example implementations are provided for Next.js, Express, FastAPI, and Go.

When to use it

  • You need real-time updates about payments, refunds, disputes, or license key creation.
  • Automating order fulfillment, granting access, or updating subscription status.
  • Integrating payment state into CRMs, analytics, or notification systems.
  • Testing payment flows locally or exposing a dev endpoint with ngrok.
  • Protecting endpoints from spoofed requests and replay attacks.

Best practices

  • Always verify webhook signatures using the Dodo Payments secret and a timing-safe comparison.
  • Check webhook-timestamp and reject requests older than a short tolerance (e.g., 5 minutes).
  • Implement idempotency using webhook-id to avoid duplicate processing.
  • Respond quickly (200 OK) and process heavy work asynchronously via a queue.
  • Log events and errors with enough context to troubleshoot (event type, webhook-id, timestamp).

Example use cases

  • Grant product access and send confirmation emails when payment.succeeded arrives.
  • Retry or notify customers on payment.failed and update UI state.
  • Activate or revoke subscription access on subscription.active and subscription.cancelled events.
  • Update order status and revoke entitlements after refund.succeeded.
  • Alert support and gather evidence when dispute.opened occurs.

FAQ

Verify webhook-signature, webhook-timestamp, and use webhook-id for idempotency checks.

How do I prevent replay attacks?

Compare webhook-timestamp with current time and reject requests outside a short window (e.g., 5 minutes).

What if signature verification fails in development?

Ensure you use the raw request body, the correct webhook secret in environment variables, and the exact timestamp format (Unix seconds).

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational