APIs send you data when you request it. With Webhooks, you do not need to make a request: you receive the data when it becomes available.
Example: If you need to know whether a payment link has been paid, with APIs you must keep polling every few seconds until someone pays. With Webhooks, you can configure the payment_link.paid webhook event and receive a notification when a customer makes the payment using the link.
You can use Razorpay Webhooks to configure and receive notifications when a specific event occurs.
When one of these events is triggered, we send an HTTP POST payload in JSON to the webhook's configured URL.
You can set up Webhooks from your Razorpay Dashboard and configure separate URLs for Live mode and Test mode. Know more about setting up Payments webhooks and RazorpayX webhooks.
A Test mode webhook receives events for your test transactions. Know more about testing Webhooks.
In webhook URLs, only port numbers 80 and 443 are currently allowed.
All webhook responses must return a status code in the range 2XX within a window of 5 seconds. If we receive response codes other than this or if the request times out, it is considered a failure.
On failure, a webhook is retried at progressive intervals, defined by the exponential back-off policy, for 24 hours. If the failures continue for 24 hours, the webhook is disabled. You need to re-enable the webhook from the Razorpay Dashboard after fixing the errors at your end. Know more about enabling Webhooks.
When a webhook gets disabled, you receive an email notification at the email ID that you configured while setting up the webhook.
Enter the URL where you want to receive the webhook payload when an event is triggered. We recommend using an HTTPS URL.
You can set up to 5 URLs to receive Webhook notifications. Webhooks can only be delivered to public URLs. If you attempt to save a localhost endpoint as part of a webhook setup, you will see an error. Know more about testing Webhooks on an application running on localhost.
Enter a Secret for the webhook endpoint. The secret is used to validate that the webhook is from Razorpay. Do not expose the secret publicly. Know more about how to validate webhooks.
Secret for Webhooks
When setting up the Webhooks, you will be asked to specify a secret. Using this secret, you can validate that the webhook is from Razorpay. Entering the secret is optional, but recommended. The secret should never be exposed publicly.
The webhook secret does not need to be the merchant secret key provided by Razorpay.
In the Alert Email field, enter the email address to which notifications should be sent in case of webhook failure. Webhook deactivation notifications are sent to this email address.
Select the required events from the list of Active Events.
Click Create Webhook.
After you set a webhook, it appears on the list of webhooks.
You can click Edit to make changes to the webhooks.
When your webhook secret is set, Razorpay uses it to create a hash signature for each payload. This hash signature is passed with each request in the X-Razorpay-Signature header, which you need to validate at your end. Support for validating the signature is available in all of our language SDKs.
If you have changed your webhook secret, remember to use the old secret for webhook signature validation while retrying older requests. Using the new secret will lead to signature mismatch.
Do Not Parse or Cast the Webhook Request Body
While generating the signature at your end, ensure that the webhook body passed as an argument is the raw webhook request body. Do not parse or cast the webhook request body.
The hash signature is calculated using HMAC with the SHA-256 algorithm, with your webhook secret as the key and the raw webhook request body as the message.
You can also validate the webhook signature yourself using an HMAC as shown below:
key = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature
expected_signature = hmac('sha256', message, key)
if expected_signature != received_signature
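The verification above, worked through in Python as an added example (this is not Razorpay's SDK code). It assumes the signature is the hex-encoded HMAC-SHA256 digest, compares it in constant time, shows why a re-serialized body no longer matches, and accepts a previous secret so that older deliveries being retried after a secret rotation still validate. The secrets and the payload are constructed sample values, not real credentials or a real event.

```python
import hmac
import hashlib
import json

# Constructed sample values for this example (not real Razorpay credentials).
WEBHOOK_SECRET = "example-webhook-secret"      # the secret entered in the Dashboard
PREVIOUS_SECRET = "example-previous-secret"    # the secret in use before a rotation

# Raw request body exactly as it arrived on the wire (constructed sample event).
# Note: no whitespace between tokens; any re-serialization will change these bytes.
RAW_BODY = (
    b'{"entity":"event","event":"payment_link.paid",'
    b'"payload":{"payment_link":{"entity":{"id":"plink_EXAMPLE000001","status":"paid"}}}}'
)


def compute_signature(raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 over the raw body, keyed with the webhook secret.
    Hex encoding is assumed here for the X-Razorpay-Signature value."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, received_signature: str, secret: str) -> bool:
    """Compare expected and received signatures in constant time to avoid
    leaking how many leading characters matched."""
    expected = compute_signature(raw_body, secret)
    return hmac.compare_digest(expected, received_signature)


def verify_with_rotation(raw_body: bytes, received_signature: str,
                         current_secret: str, previous_secret: str = None):
    """Accept the current secret, or the previous one while Razorpay is still
    retrying deliveries that were signed before the secret was changed.
    Returns which secret matched ("current" / "previous") or None."""
    if verify_signature(raw_body, received_signature, current_secret):
        return "current"
    if previous_secret and verify_signature(raw_body, received_signature, previous_secret):
        return "previous"
    return None


def reserialized_body(raw_body: bytes) -> bytes:
    """What you get if you JSON-parse the body and dump it again: the default
    separators insert spaces, so the bytes (and therefore the HMAC) differ."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(RAW_BODY, WEBHOOK_SECRET)
    print("raw body verifies:", verify_signature(RAW_BODY, sig, WEBHOOK_SECRET))
    print("parsed+dumped body verifies:",
          verify_signature(reserialized_body(RAW_BODY), sig, WEBHOOK_SECRET))
    old_sig = compute_signature(RAW_BODY, PREVIOUS_SECRET)
    print("old-secret delivery matched:",
          verify_with_rotation(RAW_BODY, old_sig, WEBHOOK_SECRET, PREVIOUS_SECRET))
```

In a real endpoint, read the request body as bytes before any framework middleware parses it, verify against the header, and only then decode the JSON. Keep the previous secret only for as long as Razorpay's 24-hour retry window can still deliver payloads signed with it.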