Webhooks
Set up webhooks for Recurring Payments, check available webhook events and sample payloads for these events.
Webhooks (Web Callback, HTTP Push API or Reverse API) are one way that a web application can send information to another application in real-time when a specific event happens.
Suppose you have subscribed to the order.paid webhook event, you will receive a notification every time a user pays you for an order.
APIs send you the data when you request it. For Webhooks, you do not need to make a request. You receive the data when it is available.
Example
If you need to know whether a Payment Link is paid or not, using APIs, you need to keep polling every few seconds until someone pays. However, if you are using Webhooks, you can configure a webhook event payment_link.paid to receive notifications when a customer makes the payment using the link.
You can use Curlec Webhooks to configure and receive notifications when a specific event occurs. When one of these events is triggered, we send an HTTP POST payload in JSON to the webhook's configured URL.
- You can set up Webhooks from your Curlec Dashboard and configure separate URLs for Live mode and Test mode. Know more about setting up .
- A Test mode webhook receives events for your test transactions. Know more about .
- In webhook URLs, only port numbers 80 and 443 are currently allowed.
There could be scenarios where your endpoint might receive the same webhook event multiple times. This is an expected behaviour based on the webhook design.
To handle duplicate webhook events:
- You can identify the duplicate webhooks using the
x-razorpay-event-idheader. The value for this header is unique per event. - Check the value of
x-razorpay-event-idin the webhook request header. - Verify if an event with the same header is processed at your end.
All webhook responses must return a status code in the range 2XX within a window of 5 seconds. If we receive response codes other than this or the request times out, it is considered a failure.
On failure, a webhook is re-tried at progressive intervals of time, defined in the exponential back-off policy, for 24 hours. If the failures continue for 24 hours, the webhook is disabled. You need to enable the webhook from the
after fixing the errors at your end. Know more about .Handy Tips
When a webhook gets disabled, you receive an email notification on the email id you configured while setting up the webhooks.
To set up webhooks:
- Log in to the and navigate to Account & Settings → Webhooks.
- Click the + Add New Webhook button.
- In the Webhook Setup pop-up page:
-
Enter the URL where you want to receive the webhook payload when an event is triggered. We recommend using an HTTPS URL.
Handy Tips
- You can set up to 30 URLs to receive Webhook notifications. Webhooks can only be delivered to public URLs.
- If your URL contains
razorpayas a domain, you will not be able to add the URL and will receive an error. - If you attempt to save a localhost endpoint as part of a webhook setup, you will notice an error. Know more about .
-
Enter a Secret for the webhook endpoint. The secret is used to validate that the webhook is from Curlec. Do not expose the secret publicly. Know more about
.Handy Tips
- When setting up the webhook, you will be asked to specify a secret. Using this secret, you can validate that the webhook is from Curlec. Entering the secret is optional but recommended. The secret should never be exposed publicly.
- The webhook secret does not need to be the merchant secret key provided by Curlec.
-
In the Alert Email field, enter the email address to which the notifications should be sent in case of webhook failure. You will receive webhook related notifications like failures, deactivation and so on.
-
Select the required events from the list of Active Events.
-
- Click Create Webhook. After you set a webhook, it appears on the list of webhooks.
- You can select the webhook and click Edit to make more changes.
When your webhook secret is set, Curlec uses it to create a hash signature with each payload. This hash signature is passed with each request under the X-Razorpay-Signature header that you need to validate at your end. We provide support for validating the signature is in all of our
If you have changed your webhook secret, remember to use the old secret for webhook signature validation while retrying older requests. Using the new secret will lead to a signature mismatch.
X-Razorpay-Signature
The hash signature is calculated using HMAC with SHA256 algorithm; with your webhook secret set as the key and the webhook request body as the message.
You can also validate the webhook signature yourself using a
as shown below:Do Not Parse or Cast the Webhook Request Body
While generating the signature at your end, ensure that the webhook body passed as an argument is the raw webhook request body. Do not parse or cast the webhook request body.
You can use these webhooks to check the status of the authorization payment and subsequent payments.
Indicates that the payment has been authorized. A payment is authorized when the customer’s payment details are successfully authenticated by the bank.
Indicates that the payment has been captured.
Indicates that the payment has been captured.
Indicates that the payment has failed. If the payment fails, you need to create an authorization transaction again.
You can use the below webhooks to check the status of the token.
Indicates that the bank has completed the mandate registration. Once confirmed, you can create subsequent payments as per your business needs.
Available for tokens authorized using the following methods:
- Card
Indicates that the token is rejected. If rejected, you need to create the authorization transaction again.
This webhook is available for tokens authorized using the following methods:
- Card
- Wallets
Indicates the token has been cancelled.
You can use these webhooks to check the status of the registration link.
Indicates that a registration link has been successfully paid.
Indicates that a registration link has expired.
Was this page helpful?
ON THIS PAGE