Instrument Webhook

Instrument webhooks can be configured by merchants to receive asynchronous notifications for every update on the instrument status. Merchants must use the instrument status updates to change the status on their servers because of the actions taken by entities apart from the merchant. For example, if the card instrument is deactivated by the issuing bank, then notification would be sent to Cashfree Payments by the issuing bank via the respective card network. Cashfree Payments would update the instrument status to deactivated but the merchant would not have visibility of the instrument deactivation. In this case, merchants can subscribe to the instrument webhooks to stay updated with the recent instrument status update.

The Instrument webhooks can be configured in such a way that each instrument status update can be consumed on a different URL. For example, for Instrument Active status update and Instrument Deactivated status update merchants can configure different URLs and consume the webhook response. Currently, we support webhook only for instrument active notifications.

The webhook notification will be sent on all the URLs added and enabled under instrument webhook. Merchants can add new URLs and enable or disable existing URLs for instrument webhook at any point in time, and it will reflect instantly.

Click here to know how to configure webhooks.

Sample Payload

            "card_bank_name":"HDFC BANK",

Payload Field Description

customer_id (String)The customer ID associated with the save instrument request. It is sent by the merchant as a part of create order request in the customer id field.user199721
afa_reference (String)cf_payment_id of the successful transaction done while saving instrument.887316963
instrument_id (String)The reference id of the saved instrument. Unique for a save instrument request but not unique for a particular instrument like card number or VPA.af250dc5-e5e5-4e7d-a7cf-3f446741fa54
instrument_type (String)Type of instrument - card, vpacard
instrument_uid (String)Unique identifier for the instrument. For example, if a same card is saved by 2 different customers the instrument_uid would be same for both the cards.680cd7171583f9f64b426983d4501d6941b462932ce5f626be78392d5ec42660
instrument_display (String)The display text for the saved instrument. For example, in case of saved cards the first 12 digits would be masked and only the last 4 digits would be visible in the instrument display string. It can be displayed to the customer for selecting a saved instrument for payment.XXXXXXXXXXXX6854
instrument_status (String)The status of saved instrument - INACTIVE, ACTIVEACTIVE
added_at (String)Timestamp at which instrument was saved.2022-04-14T10:42:59+05:30
card_network (String)The card network to which the saved card belongs. Visa, Mastercard, Rupay,
card_bank_name (String)Card issuing bank name.HDFC BANK
card_country (String)Card issuing country code.IN
card_type (String)debit, credit, prepaid, etc.debit
card_token_details (Object)Additional card token details like card token expiry, card token would be passed in this object. Note: Currently, the field is always passed as null.null
event_time (String)Time at which webhook was initiated.2022-02-28T13:04:28+05:30
type (String)Type of the instrument webhook.INSTRUMENT_ACTIVE_WEBHOOK

Compute Signature and Verify

Sample Code

Verify Signature using SDK

var express = require('express')
import { Cashfree } from "cashfree-pg"; 
var app = express()

Cashfree.XClientId = "<x-client-id>";
Cashfree.XClientSecret = "<x-client-secret>";
Cashfree.XEnvironment = Cashfree.Environment.SANDBOX;'/webhook', function (req, res) {
    try {
        Cashfree.PGVerifyWebhookSignature(req.headers["x-webhook-signature"], req.rawBody, req.headers["x-webhook-timestamp"]))
    } catch (err) {
import (
  cashfree ""

// Route
e.POST("/webhook", _this.Webhook)

// Controller
func (_this *WebhookRoute) Webhook(c echo.Context) error {
  	clientId := "<x-client-id>"
		clientSecret := "<x-client-secret>"
		cashfree.XClientId = &clientId
		cashfree.XClientSecret = &clientSecret
		cashfree.XEnvironment = cashfree.SANDBOX
    signature := c.Request().Header.Get("x-webhook-signature")
    timestamp := c.Request().Header.Get("x-webhook-timestamp")
    body, _ := ioutil.ReadAll(c.Request().Body)
    rawBody := string(body)
    webhookEvent, err := cashfree.PGVerifyWebhookSignature(signature, rawBody, timestamp)
    if err != nil {
	} else {

$inputJSON = file_get_contents('php://input');

$expectedSig = getallheaders()['x-webhook-signature'];
$ts = getallheaders()['x-webhook-timestamp'];

if(!isset($expectedSig) || !isset($ts)){
    echo "Bad Request";

\Cashfree\Cashfree::$XClientId = "<x-client-id>";
\Cashfree\Cashfree::$XClientSecret = "<x-client-secret>";
$cashfree = new \Cashfree\Cashfree();

try {
 $response =  cashfree->PGVerifyWebhookSignature($expectedSig, $inputJSON, $ts);
} catch(Exception $e) {
  // Error if signature verification fails
from cashfree_pg.api_client import Cashfree

@app.route('/webhook', methods = ['POST'])
def disp():
		# Get the raw body from the request
    raw_body =
    # Decode the raw body bytes into a string
    decoded_body = raw_body.decode('utf-8')

    timestamp = request.headers['x-webhook-timestamp']
    signature = request.headers['x-webhook-signature'
		cashfree = Cashfree()
		cashfree.XClientId = "<app_id>"
		cashfree.XClientSecret = "<secret_key>"
			cashfreeWebhookResponse = cashfree.PGVerifyWebhookSignature(signature, decoded_body, timestamp)
			# If Signature mis-match
import com.cashfree.*;

public String handlePost(HttpServletRequest request) throws IOException {      
    Cashfree.XClientId = "<x-client-id>";
		Cashfree.XClientSecret = "<x-client-secret>";
		Cashfree.XEnvironment = Cashfree.SANDBOX;
  	StringBuilder stringBuilder = new StringBuilder();
    BufferedReader bufferedReader = null;

    try {           
      bufferedReader = request.getReader();
      String line;
      while ((line = bufferedReader.readLine()) != null) {
      String rawBody = stringBuilder.toString();
      String signature = request.getHeader("x-webhook-signature");
      String timestamp = request.getHeader("x-webhook-timestamp");
      Cashfree cashfree = new Cashfree();
      PGWebhookEvent webhook = cashfree.PGVerifyWebhookSignature(signature, rawBody, timestamp);
    } catch (Exception e) {
            // Error if verification fails
    } finally {
         if (bufferedReader != null) {
using cashfree_pg.Client;
using cashfree_pg.Model;

    public class YourController : ControllerBase
        public async Task<IActionResult> Post()
            // Read the raw body of the POST request
            using (StreamReader reader = new StreamReader(Request.Body, Encoding.UTF8))
                string requestBody = await reader.ReadToEndAsync();
                var headers = Request.Headers;
                var signature = headers["x-webhook-signature"];
                var timestamp = headers["x-webhook-timestamp"];
                Cashfree.XClientId = "<x-client-id>";
                Cashfree.XClientSecret = "<x-client-secret>";
                Cashfree.XEnvironment = Cashfree.SANDBOX;
								var cashfree = new Cashfree();
                try {
                var response = cashfree.PGVerifyWebhookSignature(signature, requestBody, timestamp);
                } catch(Exception e) {
                // Error if signature mis matches

Compute Signature and Verify manually

function verify(ts, rawBody){
    const body = req.headers["x-webhook-timestamp"] + req.rawBody;
    const secretKey = "<your secret key>";
    let genSignature = crypto.createHmac('sha256',secretKey).update(body).digest("base64");
    return genSignature
func VerifySignature(expectedSig string, ts string, body string) (string, error) {
	t := time.Now()
	currentTS := t.Unix()
	if currentTS-ts > 1000*300 {
		return "", errors.New("webhook delivered too late")
	signStr := strconv.FormatInt(ts, 10) + body
	fmt.Println("signing String: ", signStr)
	key := ""
	h := hmac.New(sha256.New, []byte(key))
	b := h.Sum(nil)
	return base64.StdEncoding.EncodeToString(b), nil

timestamp := c.Request().Header.Get("x-webhook-timestamp")
body, _ := ioutil.ReadAll(c.Request().Body)
rawBody := string(body)
signature := c.Request().Header.Get("x-webhook-signature")

VerifySignature(signature, timestamp, rawBody)
function computeSignature($ts, $rawBody){
    $rawBody = file_get_contents('php://input');
		$ts = getallheaders()['x-webhook-timestamp'];
    $signStr = $ts . $rawBody;
    $key = "";
    $computeSig = base64_encode(hash_hmac('sha256', $signStr, $key, true));
    return $computeSig;
public String generateSignature() {

	bufferedReader = request.getReader();
  String line;
  while ((line = bufferedReader.readLine()) != null) {
  String payload = stringBuilder.toString();
  String timestamp = request.getHeader("x-webhook-timestamp");
  String data = timestamp+payload;

  String secretKey = "SECRET-KEY"; // Get secret key from Cashfree Merchant Dashboard;
  Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
  SecretKeySpec secret_key_spec = new SecretKeySpec(secretKey.getBytes(),"HmacSHA256");
  String computed_signature = Base64.getEncoder().encodeToString(sha256_HMAC.doFinal(data.getBytes()));
  return computed_signature; // compare with "x-webhook-signature"
import base64
import hashlib
import hmac

def generateSignature():    
    # Get the raw body from the request
    raw_body =
    # Decode the raw body bytes into a string
    payload = raw_body.decode('utf-8')

    timestamp = request.headers['x-webhook-timestamp']
    signatureData = timestamp+payload
    message = bytes(signatureData, 'utf-8')
    secretkey=bytes("Secret_Key",'utf-8') #Get Secret_Key from Cashfree Merchant Dashboard.
    signature = base64.b64encode(, message, digestmod=hashlib.sha256).digest())
    computed_signature = str(signature, encoding='utf8')
    return computed_signature #compare with "x-webhook-signature"

Subscribe to Developer Updates