IP Whitelisting

The IP of the system from which you make your request has to be whitelisted to connect with the Cashfree production server. If the IP is not whitelisted, Cashfree rejects all incoming requests. To whitelist your IP go to the IP Whitelist section in Access Control. If you are using the new product dashboard, go to the Developers section on the left-side navigation > Payouts > Two Factor Authentication > IP Whitelist and whitelist the IP's.

All IP's in TEST environment are automatically whitelisted, while those in PROD need approval from Cashfree Payments. The approval process takes around 24 hours.

Static IP

Depending on your operating system, you can retrieve the IP of the system via multiple methods. You can also find your IP using helper sites such as https://whatismyipaddress.com/.

Please note that the IPv4 has to be whitelisted, not IPv6.

Dynamic IP

In the case where IP cannot be whitelisted, follow the below steps:

  • Pass the signature while generating the Authorization Bearer token.
  • Pass the signature as an HTTP header 'X­-Cf­-Signature'.
  • Make all other API requests with this token, and these requests do not require a signature to be passed as an HTTP header again.

Obtain Public Key: Contact your account manager or write to [email protected] requesting a public key for the payout service. A key gets generated by Cashfree's backend and sent to you over email, usually within 2-3 hours.

Signature Generation using public key: Consider the below steps only if you have a Dynamic IP use case.

Below are the steps to generate your signature:

  1. Retrieve your clientId (one which you are passing through the header X-Client-Id )
  2. Append this with CURRENT UNIX timestamp separated by a period (.)
  3. Encrypt this data using RSA encrypt with Public key you received – this is the signature.
  4. Pass this signature through the header X-Cf-Signature.

In the case of using our library, go through the libraries section. During the initialization process, you need to pass the key as a parameter.

public static function getSignature() {
    $clientId = "<your clientId here>";
    $publicKey =
    $encodedData = $clientId.".".strtotime("now");
    return static::encrypt_RSA($encodedData, $publicKey);
private static function encrypt_RSA($plainData, $publicKey) { if (openssl_public_encrypt($plainData, $encrypted, $publicKey,
      $encryptedData = base64_encode($encrypted);
    else return NULL;
    return $encryptedData;
private static String generateEncryptedSignature(String clientIdWithEpochTimestamp) {
    // clientIdWithEpochTimeStamp = clientId+"."+Instant.now().getEpochSecond();
    String encrytedSignature = "";
    try {
        byte[] keyBytes = Files
            .readAllBytes(new File("/Users/sameera/Downloads/payout_test_public_key.pem").toPath()); // Absolute Path to be replaced
        String publicKeyContent = new String(keyBytes);
        publicKeyContent = publicKeyContent.replaceAll("[\\t\\n\\r]", "")
            .replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "");
        KeyFactory kf = KeyFactory.getInstance("RSA");
        X509EncodedKeySpec keySpecX509 = new X509EncodedKeySpec(
        RSAPublicKey pubKey = (RSAPublicKey) kf.generatePublic(keySpecX509);
        final Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
        encrytedSignature = Base64.getEncoder().encodeToString(cipher.doFinal(clientIdWithEpochTimestamp.getBytes()));
    } catch (Exception e) {
    return encrytedSignature;
from cashfree_sdk.payouts import Payouts
// Initialise the SDK, pass public key for dynamic IP
Payouts.init("<client_id>", "<client_secret>", "PROD", public_key= b'public key')
//require CashfreeSDK
const cfSdk = require('cashfree-sdk');

//access the PayoutsSdk from CashfreeSDK
const {Payouts} = cfSdk;

// Instantiate Cashfree Payouts
const payoutsInstance = new Payouts({
  env: 'TEST',
  clientId: '<CLIENT_ID>',
  clientSecret: '<CLIENT_SECRET>',
  pathToPublicKey: '/path/to/your/public/key/file.pem',