2FA - IP Whitelisting and Public Keys

IP Whitelist

The IP of the system from which you make your request has to be whitelisted to connect with the Cashfree Payments production server. If the IP is not whitelisted, Cashfree Payments will reject all incoming requests.

To whitelist your IP,

  1. Go to Payouts Dashboard > Developers section on the left-side navigation > Payouts > Two-Factor Authentication > IP Whitelist.
  2. Click Add IP Address.
  3. Enter the IP Address you want to whitelist and save the details. All the IP's you have whitelisted will be displayed as shown below. You can whitelist a maximum of 10 IPs.

IP Whitelist

All IP's in the TEST environment are automatically whitelisted, while those in PROD need approval from Cashfree Payments.


Depending on your operating system, you can retrieve the IP of the system via multiple methods. You can also find your IP using helper sites such as https://whatismyipaddress.com/.

Please note that the IPv4 has to be whitelisted, not IPv6.

Public Key

If you do not have a static IP, you can generate a public key and pass it with the API request.

To generate a public key,

  1. Go Payouts Dashboard > Developers section on the left-side navigation > Payouts > Two-Factor Authentication > Public Key.
  2. Click Generate Public Key. The public key will be downloaded to your computer and the password to access it will be your email ID registered with Cashfree Payments. Only one Public Key can be generated at a time.

Public Key

Below are the steps to generate your signature:

  1. Retrieve your clientId (one which you are passing through the header X-Client-Id )
  2. Append this with CURRENT UNIX timestamp separated by a period (.)
  3. Encrypt this data using RSA encrypt with Public key you received – this is the signature.
  4. Pass this signature through the header X-Cf-Signature.

In the case of using our library, go through the libraries section. During the initialization process, you need to pass the key as a parameter.

public static function getSignature() {
    $clientId = "<your clientId here>";
    $publicKey =
    $encodedData = $clientId.".".strtotime("now");
    return static::encrypt_RSA($encodedData, $publicKey);
private static function encrypt_RSA($plainData, $publicKey) { if (openssl_public_encrypt($plainData, $encrypted, $publicKey,
      $encryptedData = base64_encode($encrypted);
    else return NULL;
    return $encryptedData;
private static String generateEncryptedSignature(String clientIdWithEpochTimestamp) {
    // String clientIdWithEpochTimeStamp = clientId+"."+Instant.now().getEpochSecond();
    String encrytedSignature = "";
    try {
        byte[] keyBytes = Files
            .readAllBytes(new File("/Users/sameera/Downloads/payout_test_public_key.pem").toPath()); // Absolute Path to be replaced
        String publicKeyContent = new String(keyBytes);
        publicKeyContent = publicKeyContent.replaceAll("[\\t\\n\\r]", "")
            .replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "");
        KeyFactory kf = KeyFactory.getInstance("RSA");
        X509EncodedKeySpec keySpecX509 = new X509EncodedKeySpec(
        RSAPublicKey pubKey = (RSAPublicKey) kf.generatePublic(keySpecX509);
        final Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, pubKey);
        encrytedSignature = Base64.getEncoder().encodeToString(cipher.doFinal(clientIdWithEpochTimestamp.getBytes()));
    } catch (Exception e) {
    return encrytedSignature;
from cashfree_sdk.payouts import Payouts
// Initialise the SDK, pass public key for dynamic IP
Payouts.init("<client_id>", "<client_secret>", "PROD", public_key= b'public key')
//require CashfreeSDK
const cfSdk = require('cashfree-sdk');

//access the PayoutsSdk from CashfreeSDK
const {Payouts} = cfSdk;

// Instantiate Cashfree Payouts
const payoutsInstance = new Payouts({
  env: 'TEST',
  clientId: '<CLIENT_ID>',
  clientSecret: '<CLIENT_SECRET>',
  pathToPublicKey: '/path/to/your/public/key/file.pem',