laravel-doku-gateway maintained by rublex
Laravel DOKU Gateway
A Laravel payment gateway package for DOKU (DOKU Checkout, Non-SNAP) integration.
Features
- Payment initiation (hosted DOKU Checkout / Redirect flow)
- Independent transaction verification via the Check Status API
- Secure callback route with single-use keys and idempotent forwarding
- Configurable via environment variables
- Built on
rublex/laravel-core-gatewaycontracts
Installation
composer require rublex/laravel-doku-gateway
Configuration
Publish the configuration file:
php artisan vendor:publish --provider="Doku\DokuServiceProvider" --tag="doku-config"
Add credentials to your .env file:
DOKU_BASE_URL=https://api-sandbox.doku.com
DOKU_CLIENT_ID=
DOKU_SECRET_KEY=
Use
https://api.doku.comfor production. TheClient IDandSecret Keyare found in the DOKU Back Office. The Secret Key is the HMAC signing key — it is not the Client ID.
Quick Start
use Doku\Services\DokuGatewayService;
use Rublex\CoreGateway\Data\DynamicDataBag;
use Rublex\CoreGateway\Data\PaymentRequestData;
$gateway = app(DokuGatewayService::class);
$result = $gateway->initiate(new PaymentRequestData(
gatewayCode: $gateway->code(),
orderId: 'INV-1774369486',
amount: '150000',
currency: 'IDR',
callbackUrl: 'https://example.com/payment/final-callback',
meta: new DynamicDataBag([
'return_url' => 'https://example.com/thank-you',
'cancel_url' => 'https://example.com/cancelled',
'payment_due_date' => 60,
'buyer_name' => 'Putu Made',
'buyer_email' => 'buyer@example.com',
'buyer_phone' => '628121212121',
])
));
// PaymentInitResultData:
// status() => PaymentStatus::PENDING
// transactionId() => DOKU session_id
// redirectUrl() => DOKU Checkout page URL (redirect the payer here)
// gatewayReference() => DOKU token_id
// raw() => full provider payload
Redirect the payer to redirectUrl(). DOKU sends an HTTP Notification to the
package callback route when the payment completes; the verified outcome is then
forwarded to your callbackUrl.
Currency
DOKU settles in IDR only. initiate() throws a ValidationException for any
other currency. The amount is expected to already be denominated in IDR and is
rounded to a whole rupiah (IDR has no minor units).
Signature (Non-SNAP)
Both request and notification signatures use the same scheme:
component = "Client-Id:...\nRequest-Id:...\nRequest-Timestamp:...\nRequest-Target:<path>[\nDigest:<base64(sha256(body))>]"
Signature = "HMACSHA256=" . base64(hmac_sha256(component, SECRET_KEY))
- The
Digestline is present for requests carrying a body (POST) only. Request-Targetis the endpoint path (for notifications, the callback path).- The secret is the DOKU Secret Key, not the Client ID.
Backward Compatibility
verifyPayment()andgetPaymentStatus()are explicit package methods and still throw not-implemented exceptions — status is confirmed internally via the Check Status API during callback handling.
Documentation
For installation and usage instructions, see USAGE.md.
License
This package is open-sourced software licensed under the MIT license.