Skip to main content

Use the SDK built-in WebhookHandler

We strongly recommend using the SDK method webhook().handleWebhook(), which automatically handles:
  • Signature verification
  • JSON parsing and event routing
  • Response body construction and signing

Idempotent handling

Waffo may deliver the same event multiple times. Make sure your handling logic is idempotent:

Handle final state, not delivery order

Webhooks are delivered asynchronously, so the order in which your endpoint receives related callbacks is not guaranteed. In subscription first-period scenarios, both SUBSCRIPTION_STATUS_NOTIFICATION and SUBSCRIPTION_PERIOD_CHANGED_NOTIFICATION may be sent. Do not depend on the arrival order of these two callbacks.
  • Do not update final business state based only on callback arrival order
  • Deduplicate by subscriptionId, event ID, or your business order ID
  • If you subscribe to both SUBSCRIPTION_STATUS_NOTIFICATION and SUBSCRIPTION_PERIOD_CHANGED_NOTIFICATION, call POST /api/v1/subscription/inquiry after receiving either callback, then run one unified subscription callback flow based on the final inquiry result

Fast responses

  • The SDK automatically builds the response after the handler finishes executing
  • Time-consuming operations (such as sending emails or updating external systems) should be handled asynchronously
  • If an exception is thrown in the handler, the SDK automatically returns a failure response

Security

  • Always verify X-SIGNATURE (handled automatically by the SDK)
  • Use an HTTPS endpoint
  • Verify the signature before processing the event—do not execute any business logic before verification passes
  • The response must include the X-SIGNATURE header (handled automatically by the SDK)