Webhooks allow you to build or set up integrations that subscribe to certain events on the RazorpayX API. When one of these events is triggered, we send an HTTP POST payload in JSON to the webhook's configured URL.
To avoid an event being missed, RazorpayX follows at-least-once delivery semantics. In this approach, we resend the Webhook if we do not receive a successful response from your server.
There could be situations where your server accepts the event but fails to return a response to us within 5 seconds. In such cases, the session is marked as timed out. It is assumed that the Webhook has not been processed, and it is sent again. Ensure your server is configured to receive and handle the same event details multiple times.
You can identify duplicate events by checking the value of x-razorpay-event-id in the webhook request header. The value of this header is unique per event, so it tells you whether a webhook event is a duplicate of one you have already received.
All webhook responses must return a status code in the range 2XX within a window of 5 seconds. If we receive response codes other than this or the request times out, it is considered a failure. On failure, a webhook is retried once every hour for 24 hours. If we receive failure responses consecutively for 24 hours, we disable the webhook. You then need to manually re-enable the webhook from the Dashboard after fixing the errors at your end.
For every failure, we send out an email notification that has the reason for failure and the error code received by us.
When your webhook secret is set, Razorpay uses it to create a hash signature with each payload. This hash signature is passed with each request under the X-Razorpay-Signature header that you need to validate at your end. Support for validating the signature is provided in all our language SDKs.
Do not parse or cast the webhook request body:
While generating the signature at your end, ensure that the webhook body passed as an argument is the raw webhook request body. Do not parse or cast the webhook request body.
The hash signature is calculated using HMAC with the SHA256 algorithm, with your webhook secret as the key and the raw webhook request body as the message.
You can also validate the webhook signature yourself using an HMAC as shown below:
key = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature
expected_signature = hmac('sha256', message, key)
if expected_signature != received_signature
    reject the request // signature mismatch: do not process the payload
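The signature check and the x-razorpay-event-id duplicate check described above, combined in one receiver. This is an added example, not Razorpay SDK code. The class and function names, the hex encoding of the digest, the 400 responses, the in-memory set and the sample secret and body are assumptions of this example.

```python
import hashlib
import hmac
import json

SECRET = "constructed-webhook-secret"           # constructed sample value
BODY = b'{"event":"example.event","id":1}'      # constructed raw request body


def expected_signature(raw_body: bytes, secret: str) -> str:
    # HMAC-SHA256, secret as key, raw body as message.
    # Hex encoding of the digest is an assumption of this example.
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def reparsed(raw_body: bytes) -> bytes:
    # What you get after parsing and re-serialising the JSON:
    # same data, different bytes (whitespace), so a different HMAC.
    return json.dumps(json.loads(raw_body)).encode()


class WebhookReceiver:
    """Hypothetical receiver: verify the signature, then drop redeliveries."""

    def __init__(self, secret: str):
        self.secret = secret
        # In production use a shared store that keeps ids for the retry window.
        self.seen = set()

    def handle(self, headers: dict, raw_body: bytes):
        # Header names are case-insensitive; normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}
        received = h.get("x-razorpay-signature", "").encode()
        expected = expected_signature(raw_body, self.secret).encode()
        # Constant-time comparison instead of != on the signature strings.
        if not hmac.compare_digest(expected, received):
            return 400, "invalid signature"
        event_id = h.get("x-razorpay-event-id")
        if not event_id:
            return 400, "missing event id"
        if event_id in self.seen:
            # Redelivery: answer 2XX so it is not retried, but do no work.
            return 200, "duplicate ignored"
        # Real processing goes here; record the id only after it succeeds.
        self.seen.add(event_id)
        return 200, "processed"
```

Passing `reparsed(BODY)` instead of `BODY` fails verification even though the JSON content is identical, which is why the raw request body must be used.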