DOKU WebsiteDOKU DocsAPI Reference
Page cover

Refund Service - Passcode Authentication

Effective Date: November 17th, 2025

To strengthen refund security and protect customers from unauthorized access, DOKU Refund Service now introduces a mandatory passcode authentication step before the refund process begins. This ensures every refund request is verified and secure from the start.

Beginning 17 November 2025, all refund processes will require customers to enter a unique passcode sent via SMS or email.

🔍 What’s New?

Refund processing now includes a unique passcode sent to the customer along with the refund link.

This update ensures:

  • Higher security on each refund request

  • Minimized risk of unauthorized actions

  • Verified-user protection for approval and initiation steps

Delivery Method
Description
Before
New

SMS

Sent based on customer’s registered phone number

Email

Sent when an email address is available

How the Refund Process is Changing

🔄 Current Process

Today the refund flow begins directly with account selection and input. While functional this flow includes a potential risk. If an unauthorized individual gains access to the refund link they may attempt to redirect the refund to another bank account.

Steps:

  1. Customer chooses refund destination account

  2. Customer inputs bank account number

  3. Bank account validation

  4. Customer confirms bank account information

  5. Refund processed and customer is redirected to tracker page

Risk

Without an authentication layer an unauthorized user could obtain the link and misuse it.

🆕 Future Process

With the new authentication step the refund journey begins with passcode entry. This ensures only the rightful customer can access and complete the refund.

Steps:

  1. Customer inputs passcode

  2. Customer chooses refund destination account

  3. Customer inputs bank account number

  4. Bank account validation

  5. Customer confirms bank account information

  6. Refund processed and customer is redirected to tracker page

Benefit

The passcode adds a stronger layer of protection right at the start.

✅ Usage & Validity

One Passcode per Refund A passcode is generated uniquely for every refund process.

Validity Period Follows the Refund Link If the refund link expires in 7 days, the passcode also follows the same 7-day validity.

Incorrect Attempts Lockout Entering the wrong passcode three times will lock the refund page for 30 minutes before retry is allowed.

Passcode Format Each code consists of 6 random alphanumeric characters (e.g., A1B2C3).

📌 Important Notes

Refunds created before the implementation date (without passcode) and still in link sent/opened status will be re-processed. The system will automatically resend the refund link to customers, now complete with the required passcode.

We recommend informing your customers so they can complete the refund process smoothly.

For assistance, contact our Care Team at [email protected] or (021) 1500963.

Thank you and best regards, DOKU Product Team

Last updated

Was this helpful?