You can integrate webhooks and receive webhook payloads as and when an event occurs.

Setting up#

To setup webhook for various events

  1. Go to Razorpay Dashboard> Settings > Webhooks.

  2. Click Setup your Live Webhook.

  3. Enter the Webhook URL where you will receive the webhook payload when the event is triggered.

  4. Enter Secret. This field is optional.

    Note: The secret that you enter here can be used to validate that the webhook is from Razorpay. This should not be exposed publicly. The details about how webhooks can be validated using the secret are mentioned in the following section.

  5. Select events from the list of Active Events that you would like to activate.

  6. Click Save to enable the webhook.


When your webhook secret is set, Razorpay uses it to create a hash signature with each payload.

This hash signature is passed along with each request under the X-Razorpay-Signature header which you need to validate at your end.

The hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret set as the key, and the webhook request body as the message.

Support for validating the signature is provided in all of our SDKs:

// PHP SDK: use Razorpay\Api\Api; $api = new Api("<YOUR_API_KEY>", "<YOUR_API_SECRET>"); $api->utility->verifyWebhookSignature($webhookBody, $webhookSignature, $webhookSecret);
# Python SDK: import razorpay client = razorpay.Client(auth=("<YOUR_API_KEY>", "<YOUR_API_SECRET>")) client.utility.verify_webhook_signature(webhook_body, webhook_signature, webhook_secret)
# Ruby SDK: require razorpay Razorpay::Utility.verify_webhook_signature(webhook_body, webhook_signature, webhook_secret)
// C# SDK: Utils.verifyWebhookSignature(webhookBody, webhookSignature, webhookSecret);
// Java SDK: Utils.verifyWebhookSignature(webhookBody, webhookSignature, webhookSecret);

You can also validate the webhook signature yourself using an HMAC calculated as shown below:

key = webhook_secret message = webhook_body received_signature = webhook_signature expected_signature = hmac('sha256', message, key) if expected_signature != received_signature throw SecurityError end