Webhooks

Learn how to set up webhooks for recurring payments, available webhook events and sample payloads for these events. Webhooks are the best ways to receive alerts about the authorization payment, the status of tokens and subsequent recurring payments.


Webhooks (Web Callback, HTTP Push API or Reverse API) are one way that a web application can send information to another application in real-time when a specific event happens.

Suppose you have subscribed to the order.paid webhook event, you will receive a notification every time a user pays you for an order.

APIs send you the data when you request it. For Webhooks, you do not need to make a request. You receive the data when it is available.

Example

If you need to know whether a Payment Link is paid or not, using APIs, you need to keep polling every few seconds until someone pays. However, if you are using Webhooks, you can configure a webhook event payment_link.paid to receive notifications when a customer makes the payment using the link.

You can use Razorpay Webhooks to configure and receive notifications when a specific event occurs. When one of these events is triggered, we send an HTTP POST payload in JSON to the webhook's configured URL.

  • You can set up Webhooks from your Razorpay Dashboard and configure separate URLs for Live mode and Test mode. Know more about setting up and .
  • A Test mode webhook receives events for your test transactions. Know more about .
  • In webhook URLs, only port numbers 80 and 443 are currently allowed.

There could be scenarios where your endpoint might receive the same webhook event multiple times. This is an expected behaviour based on the webhook design.

To handle duplicate webhook events:

  1. You can identify the duplicate webhooks using the x-razorpay-event-id header. The value for this header is unique per event.
  2. Check the value of x-razorpay-event-id in the webhook request header.
  3. Verify if an event with the same header is processed at your end.

All webhook responses must return a status code in the range 2XX within a window of 5 seconds. If we receive response codes other than this or the request times out, it is considered a failure.

On failure, a webhook is re-tried at progressive intervals of time, defined in the exponential back-off policy, for 24 hours. If the failures continue for 24 hours, the webhook is disabled. You need to enable the webhook from the

after fixing the errors at your end. Know more about .

Handy Tips

When a webhook gets disabled, you receive an email notification on the email id you configured while setting up the webhooks.

Watch this video to see how to set up a webhook.

To set up webhooks:

  1. Log in to the

    and navigate to Accounts & Settings.

  2. Click Webhooks under Website and app settings.

  3. Click the + Add New Webhook button.

    Add a new webhooks button on the Razorpay dashboard
  4. In the Webhook Setup pop-up page:

    • Enter the URL where you want to receive the webhook payload when an event is triggered. We recommend using an HTTPS URL.

      Handy Tips

      • You can set up to 30 URLs to receive Webhook notifications. Webhooks can only be delivered to public URLs.
      • If your URL contains razorpay as a domain, you will not be able to add the URL and will receive an error.
      • If you attempt to save a localhost endpoint as part of a webhook setup, you will notice an error. Know more about .
    • Enter a Secret for the webhook endpoint. The secret is used to validate that the webhook is from Razorpay. Do not expose the secret publicly. Know more about

      .

      Handy Tips

      • When setting up the webhook, specify a secret. Use this secret to validate that the webhook is from Razorpay. Entering the secret is optional but recommended. The secret should never be exposed publicly.
      • The webhook secret does not need to be the Razorpay API key secret.
    • In the Alert Email field, enter the email address to which the notifications should be sent in case of webhook failure. You will receive webhook related notifications like failures, deactivation and so on.

    • Select the required events from the list of Active Events.

    List of active webhook events on dashboard

  5. Click Create Webhook. After you set a webhook, it appears on the list of webhooks.

    List of webhooks on dashboard
  6. You can select the webhook and click Edit to make more changes.

When your webhook secret is set, Razorpay uses it to create a hash signature with each payload. This hash signature is passed with each request under the X-Razorpay-Signature header that you need to validate at your end. We provide support for validating the signature is in all of our

.

If you have changed your webhook secret, remember to use the old secret for webhook signature validation while retrying older requests. Using the new secret will lead to a signature mismatch.

X-Razorpay-Signature

The hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret set as the key and the webhook request body as the message.

You can also validate the webhook signature yourself using a

as shown below:

Do Not Parse or Cast the Webhook Request Body

While generating the signature at your end, ensure that the webhook body passed as an argument is the raw webhook request body. Do not parse or cast the webhook request body.

You can use these webhooks to check the status of the authorization payment and subsequent payments.

Indicates that the payment has been authorized. A payment is authorized when the customer’s payment details are successfully authenticated by the bank.

Watch Out!

For Emandate, the 'acquirer_data' is populated as an empty object in the webhook.

Indicates that the payment has been captured.

Watch Out!

For Emandate, the 'acquirer_data' is populated as an empty object in the webhook.

Indicates that the payment has been captured.

Watch Out!

For Emandate, the 'acquirer_data' is populated as an empty object in the webhook.

Indicates that the payment has failed. If the payment fails, you need to create an authorization transaction again.

Watch Out!

For Emandate, the 'acquirer_data' is populated as an empty object in the webhook.

You can use the below webhooks to check the status of the token.

Indicates that the bank has completed the mandate registration. Once confirmed, you can create subsequent payments as per your business needs.

Available for tokens authorized using the following methods:

  • Emandate
  • Card
  • Paper NACH
  • UPI

Indicates that the token is rejected. If rejected, you need to create the authorization transaction again.

This webhook is available for tokens authorized using the following methods:

  • Emandate
  • Card
  • Paper NACH
  • UPI

Indicates the token has been cancelled.

Indicates the token has been paused by your customer.

Available only for tokens authorized via UPI.

Indicates the token has been unpaused by your customer.

Available only for tokens authorized via UPI.

You can use these webhooks to check the status of the registration link.

Indicates that a registration link has been successfully paid.

Watch Out!

For Emandate, the 'acquirer_data' is populated as an empty object in the webhook.

Indicates that a registration link has expired.


Was this page helpful?