Webhooks allow you to build or set up integrations that subscribe to certain events on Razorpay APIs. When one of those events is triggered, we send an HTTP POST payload in JSON to the webhook's configured URL.
You can set up a webhook from your Dashboard and configure separate URLs for live mode and test mode.
A test mode webhook will only receive events for your test transactions.
In URLs, only port numbers 80 and 443 are currently allowed.
When setting up the webhook, you will be asked to specify a secret. Using this secret, you can validate that the webhook is from Razorpay. Entering the secret is optional, but recommended. The secret should never be exposed publicly.
Your server should be configured to handle or receive the same event details multiple times. In case you are receiving the same webhook event again, you should check for the same webhook event data and ignore it.
All webhook responses must return a status code in the range 2XX within a window of 5 seconds. If we receive response codes other than this or if the request times out, it is considered a failure. On failure, a webhook is retried once every hour for 24 hours. If we keep receiving failure responses consecutively for 24 hours, we disable the webhook. You will then need to manually re-enable the webhook from the Dashboard after fixing the errors at your end.
For every failure, we send out an email notification along with the reason and the error code received by us.
Webhook events can be used in many ways. Two of these are listed below.
Capturing payments for which you did not receive a response on the client side is perhaps the most important use case for the payment.authorized event.
Sometimes the communication between the bank and Razorpay, or between you and Razorpay, may not take place. This could be due to a slow network connection or the window being closed while the payment is being processed. This could lead to a payment being marked as Failed on the Razorpay Dashboard, but changed to Authorized at a later time. You can use webhooks to get notified about payments that get authorized and analyse this data to decide whether or not to capture the payment.
When a payment attempted by your customer fails, we receive the failed payment status from the bank. This payment gets recorded in our system as Failed.
If you have enabled the payment.failed webhook, you will receive a notification from us about the failed payment. You can then further analyse this payment and send out an email to your customer informing them about the same.
To set up a webhook for various events:
When your webhook secret is set, Razorpay uses it to create a hash signature with each payload. This hash signature is passed along with each request under the X-Razorpay-Signature header which you need to validate at your end.
Support for validating the signature is provided in all of our SDKs:
You can also validate the webhook signature yourself using an HMAC calculated as shown below:
    key                = webhook_secret
    message            = webhook_body
    received_signature = webhook_signature
    expected_signature = hmac('sha256', message, key)
    if expected_signature != received_signature
        throw SecurityError
    end
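The signature check above and the duplicate-event handling described earlier can be combined in one receiver. The following is an added example, not Razorpay SDK code. The WebhookReceiver class, the hex encoding of the signature, the "event" key in the payload, and the sample secret and body are assumptions made for illustration.

```python
import hashlib
import hmac
import json


class SecurityError(Exception):
    """The X-Razorpay-Signature value does not match the request body."""


def verify_signature(raw_body: bytes, received_signature: str, secret: str) -> None:
    # HMAC the exact bytes received: re-serialising parsed JSON can change
    # whitespace or key order and make a genuine signature fail.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Assumption: the header carries the digest hex-encoded.
    # compare_digest is constant-time, unlike a plain != on strings.
    if not hmac.compare_digest(expected.encode(), (received_signature or "").encode()):
        raise SecurityError("webhook signature mismatch")


class WebhookReceiver:
    """Hypothetical handler core; wire handle() into your web framework."""

    def __init__(self, secret: str):
        self._secret = secret
        self._seen = set()    # use a store shared by all workers in production
        self.processed = []   # stands in for real business logic

    def handle(self, raw_body: bytes, signature: str) -> int:
        """Return the HTTP status code to send back."""
        try:
            verify_signature(raw_body, signature, self._secret)
        except SecurityError:
            return 400        # reject before parsing or acting on the body
        fingerprint = hashlib.sha256(raw_body).hexdigest()
        if fingerprint in self._seen:
            return 200        # repeated delivery: acknowledge and ignore
        self._seen.add(fingerprint)
        self.processed.append(json.loads(raw_body)["event"])
        return 200


def demo():
    secret = "constructed-test-secret"             # constructed value
    body = b'{"event":"payment.authorized"}'       # constructed payload
    good = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    rx = WebhookReceiver(secret)
    statuses = [rx.handle(body, good),             # first delivery
                rx.handle(body, good),             # retry of the same event
                rx.handle(body + b" ", good),      # body altered in transit
                rx.handle(body, "")]               # signature header missing
    return statuses, rx.processed
```

Keep the work done inside handle() short, or hand it to a queue, so that the 2XX response goes out within the 5-second window.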
Once created, you can edit your webhook details like URL, Secret and Active Events. You can also deactivate your webhook by unselecting the Active checkbox.
In case you want to test and check webhooks before you integrate them on your server, you can do so by using any of the free webhook testing websites. A simple Google search for "test webhooks online" returns multiple sites that you can use to test webhooks.
Below are steps to use one such site.
When you complete a test payment, and have enabled the appropriate webhook during setup, you will receive the webhook payload on your requestbin.com site.