Notifications

Notifications will be sent in every change of status of a payment to the notification URL specified by the merchant. This URL is taken from the notification_url field of the payment, if it differs from the one specified in the merchant panel. The body of the request will always be the payment object.

ℹ️

Until dLocal receives a 200 status code confirmation on these notifications, it will retry once an hour for 7 days.

Example Notification POST

POST: {payment.notification_url}

{
    "id": "D-4-be8eda8c-5fe7-49dd-8058-4ddaac00611b",
    "amount": 72.00,
    "status": "PAID",
    "status_detail": "The payment was paid.",
    "status_code": "200",
    "currency": "USD",
    "country": "AR",
    "payment_method_id": "RP",
    "payment_method_type": "TICKET",
    "payment_method_flow": "REDIRECT",
    "payer": {
        "name": "Nino Deicas",
        "user_reference": "US-jmh3gb4kj5h34",
        "email": "[email protected]",
    },
    "order_id": "4m1OdghPUQtg",
    "notification_url": "http://www.merchant.com/notifications",
    "created_date": "2019-06-26T15:17:31.000+0000"
}

Signature of notifications

An HMAC signature is calculated using a request's key-value pairs and a secret key, which is known only to you and dLocal. By verifying this signature, you'll confirm that the notification was not modified during transmission.
dLocal will be signing each POST notification using the same method described on the Security section (HMAC-SHA256 hash function).

Simply take the Authorization HTTP header from the notification, and compare it with the one generated by you using your X-Login and secretKey, and the X-Date and Request body of the notification received. If the signature generated by you matched the one received on the Authorization HTTP header, then it is safe to assume that this is a valid message from dLocal.