You can test the webhooks to verify payloads or check if your webhook integration is working. Test events get triggered on a transaction done in the Test mode. As the payload structure remains the same in the Live and Test modes, you can rely on your stage testing.
You cannot use localhost directly to receive webhook events as webhook delivery requires a public URL. You can handle this by creating a tunnel to your localhost using tools such as ngrok or localtunnel.
You can refer to the ngrok documentation to get started. Use the URL endpoint generated by these tools in the webhook URL while setting up your webhooks.
You can test your webhook integration in the staging environment before taking it live. You should set up webhooks in the Test mode. You can configure your staging host endpoint in test mode and receive test events on it.
When your webhook secret is set, Razorpay uses it to create a hash signature with each payload. This hash signature is passed with each request under the X-Razorpay-Signature header that you need to validate at your end. We provide support for validating the signature is in all of our language SDKs.
If you have changed your webhook secret, remember to use the old secret for webhook signature validation while retrying older requests. Using the new secret will lead to signature mismatch.
Do Not Parse or Cast the Webhook Request Body
While generating the signature at your end, ensure that the webhook body passed as an argument is the raw webhook request body. Do not parse or cast the webhook request body.
The hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret set as the key and the webhook request body as the message.
You can also validate the webhook signature yourself using an HMAC as shown below:
Copykey = webhook_secret
message = webhook_body // raw webhook request body
received_signature = webhook_signature
expected_signature = hmac('sha256', message, key)
if expected_signature != received_signature
The above order may not be followed at all times. You should configure your webhook URL to not expect delivery of these events in this order and handle such scenarios.
The processed and reversed states are the last states for a payout. Their corresponding webhooks payout.processed or payout.reversed indicate this state change. Any webhook received after these should be ignored.