Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.cashfree.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Webhooks are event-based notifications that are received when a specific event related to async bank account verification occurs.
In rare cases, such as network retries, read timeouts, processing delays, or delivery failures, the same webhook might be sent more than once for the same event. To prevent unintended side effects, implement idempotency in your webhook handler to handle duplicate deliveries.

Add webhooks

Add your webhook URL in our system for us to deliver webhook events. Follow the instructions below to configure the webhook URL. Ensure to provide the publicly accessible HTTPS URL to your webhook endpoint.
  1. Log in to the Merchant Dashboard and click Developers.
  2. Click Webhooks listed under the Secure ID card.
  3. Click Add Webhook URL in the Webhook screen.
  4. In the Add Webhook popup, fill in the following information:
    • Webhook URL: Enter the URL in this field.
  5. Click Test & Add Webhook.

Webhook event

The following events are triggered at different stages of the bank account verification process:
EventDescription
BANK_ACCOUNT_VERIFICATION_SUCCESSBank account verification is a success.
BANK_ACCOUNT_VERIFICATION_REJECTEDBank account verification is rejected.
BANK_ACCOUNT_VERIFICATION_FAILEDBank account verification is a failure.
{
   "signature":"signature",    
   "event_type":"BANK_ACCOUNT_VERIFICATION_SUCCESS",    
   "event_time":"2023-07-19 10:46:16",
   "version":"v2",
   "data":{
        "reference_id": 1294785793,
        "user_id" : "123123",
        "name_at_bank": "John Doe",
        "amount_deposited": "1.04",
        "bank_name": "YES BANK",
        "utr": "404223241811",
        "city": "MUMBAI",
        "branch": "SANTACRUZ, MUMBAI",
        "micr": 400532038,
        "name_match_score": "90.00",
        "name_match_result": "GOOD_PARTIAL_MATCH",
        "account_status": "VALID",
        "account_status_code": "ACCOUNT_IS_VALID"
    }
}

{
   "signature":"signature",    
   "event_type":"BANK_ACCOUNT_VERIFICATION_REJECTED",    
   "event_time":"2023-07-19 10:46:16",
   "version":"v2",
   "data":{
        "reference_id": 1294785793,
        "user_id" : "123123",
        "account_status": "REJECTED",
        "account_status_code": "INSUFFICIENT_BALANCE"
    }
}

{
   "signature":"signature",    
   "event_type":"BANK_ACCOUNT_VERIFICATION_FAILED",    
   "event_time":"2023-07-19 10:46:16",
   "version":"v2",
   "data":{
        "reference_id": 1294785793,
        "user_id" : "123123",
        "account_status": "FAILED",
        "account_status_code": "SOURCE_BANK_DECLINED"
    }
}

Webhook payload fields

The webhook payload contains important metadata in its top-level fields.
FieldTypeDescription
signaturestringA Base64-encoded HMAC-SHA256 signature of the payload, generated using a shared client secret.
event_typestringIndicates the type of event that triggered the webhook.
event_timestringThe UTC timestamp of when the event occurred, formatted in ISO 8601 (YYYY-MM-DDTHH:MM:SSZ).
versionstringIndicates the webhook format being used. Default version is “v1”.
dataobjectContains event-specific details related to this feature.

Signature Verification

Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Cashfree Payments. Follow the steps to verify the signature:
  1. Sort the array based on keys.
  2. Concatenate all the values in this array and the resultant is the post data (postData).
  3. postData needs to be encrypted using SHA-256 and then base64 encoded.
  4. Verify if both the signature calculated and the signature received match.
  5. Proceed further only if the signatures match. If not, discard the request.
  6. Ensure clientSecret you use is from the oldest active key pair.
For example, from the webhook received, extract the data and pass it to generate HMAC function: 
{bank_account=026291800001191, ifsc=YESB0000262, upi=, name_at_bank=John Doe,
verification_id=fadsfdsf, ref_id=332, utr=332, status=SUCCESS,
added_on=2023-09-06T07:48:53+05:30, processed_on=2023-09-06 07:49:03,
penny_collected_on=2023-09-06 07:48:53}
Java code - for reference
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}

IPs to whitelist

When you decide to consume the webhooks, first, you need to verify if your systems need an IP whitelisting to be done at your end or not. Accordingly you can whitelist the below IPs of Cashfree:
Sandbox
52.66.25.127
15.206.45.168
Prod
52.66.101.190
3.109.102.144
18.60.134.245
18.60.183.142
Port
443 (secured)