Platform Module
Developer System
Integrate Dotva with your stack. The full REST API, real-time webhook events, and RSA-encrypted card secret delivery give engineering teams complete programmatic access.
Module Features
API Tokens
Create named, scoped API tokens with optional expiry. Revoke instantly from the developer dashboard.
Webhook Endpoints
Register up to 10 webhook endpoints per workspace. Configure which events each endpoint receives.
Delivery & Retry
View full delivery history. Failed deliveries auto-retry 4 times. Manually re-trigger any delivery.
HMAC Signing
Every webhook payload is signed with your endpoint's HMAC secret. Rotate anytime.
RSA Public Key
Upload an RSA-4096 public key. Card secrets are delivered as JWE-encrypted payloads — only you can decrypt.
Notification Preferences
Configure which events trigger in-app and email notifications at the workspace level.
Webhook Verification
Every webhook delivery includes an HMAC-SHA256 signature in the X-Dotva-Signature header. Always verify before processing.
- Signed with HMAC-SHA256
- Secret rotatable anytime
- Timing-safe comparison required
- Re-verify on every delivery
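// Verify webhook signature (Node.js)
const crypto = require('crypto')
const express = require('express')

const app = express()
// Keep the exact bytes that were signed: the HMAC must be computed over
// the raw request body, not over re-serialized JSON.
app.use(express.json({
  verify: (req, res, buf) => { req.rawBody = buf }
}))

function verifyWebhook(rawBody, signature, secret) {
  // Missing header or body: reject instead of throwing
  if (typeof signature !== 'string' || !rawBody) return false
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex')
  const a = Buffer.from(signature)
  const b = Buffer.from(expected)
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  return a.length === b.length && crypto.timingSafeEqual(a, b)
}

// Express handler
app.post('/webhook', (req, res) => {
  const sig = req.headers['x-dotva-signature']
  if (!verifyWebhook(req.rawBody, sig, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature')
  }
  const { event, data } = req.body
  console.log('Event:', event, data)
  res.status(200).send('ok')
})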
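
Because the secret is rotatable anytime, deliveries signed with the old secret can arrive while the receiver has already switched to the new one. The following is an added example, not Dotva's code: a receiver-side verifier that accepts the current and the previous secret and reports which one matched, so the old secret can be retired once it stops appearing. The function names, the secret labels and the sample secrets are assumptions made for illustration; the sha256=<hex> format follows the snippet above.

```javascript
const crypto = require('crypto')

// Constructed sample secrets; real values come from your secret store.
const SAMPLE_SECRETS = {
  current: 'constructed-new-secret',
  previous: 'constructed-old-secret'
}

// Accept only "sha256=" followed by 64 lowercase hex characters.
// Returns the 32 signature bytes, or null for a missing or malformed header.
function parseSignature(header) {
  if (typeof header !== 'string') return null
  const m = /^sha256=([0-9a-f]{64})$/.exec(header)
  return m ? Buffer.from(m[1], 'hex') : null
}

// Returns the label of the secret that verified the body
// ('current' or 'previous'), or null when none did.
function verifyWithRotation(rawBody, header, secrets) {
  const provided = parseSignature(header)
  if (!provided) return null
  for (const [label, secret] of Object.entries(secrets)) {
    if (!secret) continue // no previous secret outside a rotation window
    const expected = crypto.createHmac('sha256', secret).update(rawBody).digest()
    // Both buffers are exactly 32 bytes, so timingSafeEqual cannot throw here.
    if (crypto.timingSafeEqual(provided, expected)) return label
  }
  return null
}

// Helper that builds a header value for constructed test deliveries.
function sign(rawBody, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
}
```

Log the returned label on each delivery and drop the previous secret from the map once it no longer matches anything.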