PHP Api Sandbox WebhooksubscriptionsApi Create() error - "Missing or invalid scopes for requested endpoint."

(Shawn Murphy) #1


I can’t seem to create a new webhook subscription with my app in the sandbox with PHP.

This is the response I am getting:

{“code”:“InvalidScope”,“message”:“Missing or invalid scopes for requested endpoint.”}

Here is my posted data to /webhook-subscriptions:


I can’t figure it out for the life of me :frowning: Any ideas?

Here is my PHP code:

$mainAccessToken = "MyAccessTokenGeneratedFromSandboxAccount";
DwollaSwagger\Configuration::$access_token = $mainAccessToken;

# For UAT/Sandbox
    $apiClient = new DwollaSwagger\ApiClient("");

$webhookApi = new DwollaSwagger\WebhooksubscriptionsApi($apiClient);

#Create webhook subscription
$createWebhook = $webhookApi->create(array (
    'url' => "",
    'secret' => 'mysecret',

(Andrew Toivonen) #2

Hi Shawn - /webhook-subscriptions, /webhooks, and /events require a Client Access Token. These resources belong to your application vs a specific account so they require a different type of access token.

Hope this helps, thanks!

(Shawn Murphy) #3

@andrewt Thanks for the info. Is there anything in the PHP v2 SDK that has a class/function setup to retrieve a client access token? I don’t see any code in the lib or models folders that look like what I need for this.

Is there some PHP code you can provide or point me to in order to get a Client Access Token?

Lastly, can I still subscribe to and use webhooks if I am a non white label customer who is just using the free platform/features and Dwolla Direct and facilitated accounts?


(Andrew Toivonen) #4

Hi Shawn - Unfortunately the sdk does not have built in support for creating client access tokens. The main difference when creating a client access token is to specify “client_credentials” as the grant_type when exchanging the code for an access token.

V2 webhooks will work without White Label, just ignore the “customer_*” events in the documentation as those only apply to White Label.

(Shawn Murphy) #5

Awesome! Thanks so much :slightly_smiling:

(Shawn Murphy) #6

One more follow-up question. I created my webhook subscription and have my webhook page on my site to receive a response from webhooks. But I just tested a creation of an account via “…” link and didn’t get anything sent to my webhook?

Should I get a webhook response when a user creates an Account through my link like that? Do I need to set anything now with my created webhook subscription that tells it what sort of actions I want to record with my webhook?


(Spencer Hunter) #7

@Shawn_Murphy, Since you are leveraging Dwolla accounts through our OAuth implementation in your application, then the user will already have an Account established by the time you receive an access_token.

By default, if you have an active webhook subscription and a valid access_token for a Dwolla user account then we should fire all relevant 'Events` to your webhook url if an action occurs on an account. However, we will not fire events related to Dwolla account status changes.

Here are the possible Events you can receive for an Account:
funding_source_added: A funding source was added to a Dwolla account.
funding_source_removed: A funding source was removed from a Dwolla account.
funding_source_unverified: A funding source was marked as unverified.
funding_source_verified: A funding source was marked as verified.
microdeposits_added: Two <=10¢ transfers to a Dwolla account’s linked bank account were initiated.
microdeposits_failed: The two <=10¢ transfers to a Dwolla account’s linked bank account failed to clear successfully.
microdeposits_completed: The two <=10¢ transfers to a Dwolla account’s linked bank account have cleared successfully.
bank_transfer_created: A bank transfer was created.
bank_transfer_cancelled: A pending bank transfer has been cancelled, and will not process further.
bank_transfer_failed: A transfer failed to clear successfully. Usually, this is a result of an ACH failure (insufficient funds, etc.).
bank_transfer_completed: A bank transfer has cleared successfully.
transfer_created: A transfer was created.
transfer_cancelled: A pending transfer has been cancelled, and will not process further.
transfer_failed: A transfer failed to clear successfully.
transfer_reclaimed: The transfer was returned to the sender after remaining unclaimed by the intended recipient for a period of time.
transfer_completed: A transfer has cleared successfully.
account_suspended: An account was suspended.
account_activated: A Dwolla account moves from deactive or suspended to active state of verification.

(Shawn Murphy) #8

@spencer Thank you. Let me see if I understand you correctly…

You are saying that when a user of mine creates a Dwolla account, a webhook will NOT fire telling me they created the account.
But if a bank account is added to their account afterwards, that WILL fire a webhook?

If I am correct above, I assume a webhook still will NOT fire when a funding source (bank account) is added during initial Account creation? Because by that point I have not validated the Authorization Code and swapped it for the user/account Auth Key yet? Am I correct in my understanding and logic here?


(Shawn Murphy) #9

Ok, I got the webhook working and have received a transaction through it. But I do not know how to actually retrieve the data.

I send myself an email trying to retrieve the data the webhook is sending, but I must not have the right function/syntax to be receiving the type of data the webhook is sending?

The email I get just returns: “Array()”

Here is my page that the webhook is subscribed to and sends the results to:

<?php $req_dump = print_r($_POST,true); // Send an email announcing the IPN page has been initiated $mail_Subject = "Dwolla Sandbox IPN page loaded"; $mail_Body = $_SESSION['weburl']." Dwolla Webhook ---- Results Post: " . $req_dump . " - Dwolla Sandbox - IPN page was loaded/initiated. This means some action at Dwolla has started. But also could mean you just navigated to the IPN page."; mail('', $mail_Subject, $mail_Body); exit; ?>

Thanks a million!

(Spencer Hunter) #10

Spot on. You will not receive events that occur on a user account until they have granted permission to your app and you are issued an access token for the user.

hmm, Try doing the following instead of $req_dump = print_r($_POST,true);:
$parsedBody = json_decode(file_get_contents(‘php://input’), TRUE);

(Shawn Murphy) #11

@spencer Thanks! I got it working :slight_smile: For others, here is my code below I use:

$entityBody = file_get_contents('php://input');
$entityBodyArr = json_decode($entityBody, true);
$jsonString = print_r($entityBodyArr, TRUE);
echo $jsonString;