Authentication
Using API Keys
All API requests must include your API key in the Authorization header using Bearer token format.
Authorization: Bearer sk_live_your_api_key_here
Important: API keys provide full access to your account. Keep them secure and never expose them in client-side code.
Rate Limits
API requests are rate limited to protect the service and ensure fair usage.
- 100 requests per minute per API key
- Rate limit headers are included in all responses
X-RateLimit-Limit: Maximum requests allowed
X-RateLimit-Remaining: Requests remaining in current window
X-RateLimit-Reset: Unix timestamp when limit resets
Customers
Usage
Charges
Balances
Usage Caps
Webhooks
Webhook Events
Subscribe to events to receive real-time notifications. All webhooks are signed with HMAC-SHA256.
Core Billing
- charge.succeeded
- charge.failed
- usage.recorded
- customer.balance.low
Deposits & Withdrawals
- customer.deposit.confirmed
- customer.withdraw.confirmed
Operations
- customer.usage_cap.reached
- webhook.endpoint.unhealthy
Integration
- customer.created
- api_key.created
- pricing_plan.updated
API Keys
Verifying Webhook Signatures
All webhooks include an X-Drip-Signature header. Verify it using HMAC-SHA256.
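import crypto from 'crypto';
import express from 'express';

const app = express();

function verifyWebhookSignature(
  payload: string | Buffer,
  signature: string,
  secret: string
): boolean {
  const expectedSig = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  const received = Buffer.from(signature);
  const expected = Buffer.from(expectedSig);
  // timingSafeEqual throws if the lengths differ, so reject those first
  if (received.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, expected);
}

// In your webhook handler. express.raw() leaves req.body as the raw request
// bytes; re-serializing parsed JSON with JSON.stringify may not reproduce
// what the sender signed.
app.post('/webhooks/drip', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-drip-signature'];
  const secret = process.env.DRIP_WEBHOOK_SECRET;
  // Fail closed on a missing or repeated header, or an unset secret
  if (typeof signature !== 'string' || !secret) {
    return res.status(401).send('Invalid signature');
  }
  if (!verifyWebhookSignature(req.body, signature, secret)) {
    return res.status(401).send('Invalid signature');
  }
  // Process the webhook (parse req.body only after verification)...
  res.status(200).send('OK');
});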
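An added example (not from the Drip documentation) that runs both sides of the signature check on a constructed payload and secret, assuming the sender signs the exact request bytes with hex-encoded HMAC-SHA256. It shows which inputs a verifier has to reject, including a body that was parsed and re-serialized before hashing; the names `sign`, `verify` and `runCases` are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Constructed sample values: not a real secret or a real webhook delivery.
const SECRET = 'constructed-test-secret';
const RAW_BODY = '{"type": "charge.succeeded", "data": {"amount": 10.0}}';

// Sender side (assumed): hex HMAC-SHA256 over the exact bytes of the body.
function sign(rawBody: string | Buffer, secret: string): string {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: false for a missing, repeated or wrong-length header.
function verify(
  rawBody: string | Buffer,
  header: string | string[] | undefined,
  secret: string
): boolean {
  if (typeof header !== 'string') return false;
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(header);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

function runCases(): Record<string, boolean> {
  const header = sign(RAW_BODY, SECRET);
  // What a JSON body parser followed by JSON.stringify hands back:
  // whitespace is dropped and 10.0 becomes 10, so the bytes change.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY));
  return {
    rawBody: verify(RAW_BODY, header, SECRET),
    reserializedBody: verify(reserialized, header, SECRET),
    tamperedBody: verify(RAW_BODY.replace('10.0', '1000.0'), header, SECRET),
    truncatedSignature: verify(RAW_BODY, header.slice(0, 32), SECRET),
    missingHeader: verify(RAW_BODY, undefined, SECRET),
    wrongSecret: verify(RAW_BODY, header, 'other-constructed-secret'),
  };
}

console.log(runCases());
```

Only the `rawBody` case verifies; the re-serialized body fails even though it parses to the same object.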