Merchant Onboarding Webhooks

This is list of webhooks triggered from the Cashfree system. These webhooks allow partners to remain alert to state changes for their merchants.

Configure Webhook

To configure the webhook, go to Partner Dashboard > Developers > Webhooks. Add your webhook endpoint where you want to receive alerts. Ensure you do not process duplicate events.

Webhook will be sent to your configured endpoint as a POST request with the body containing the various parameters specifying the details of each event. Each request contains an event parameter that identifies its type.

We support webhooks in both encoded and JSON formats.

Webhook header parameters and descriptions are available below:

x-cashfree-timestampTimestamp in ISO format. Time at which the webhook is triggered.
x-cashfree-signatureString. It is a base64 encoded entity of the hash (SHA256) of the raw payload sorted by alphabetical order of keys and the latest partner api key.
This signature should be used to verify authenticity of the webhook.

Webhook parameters and descriptions are available below:

data.merchant_idUnique merchant id provided by the partner at the time of merchant creation.
data.merchant_nameName of the merchant
data.created_atTimestamp in ISO format for when the merchant was created in CF system.
data.onboarding_statusOnboarding status for the merchant
event_timeTimestamp in ISO format. Time when event was created.
typeType of webhook. Value is “MERCHANT_ONBOARDING_STATUS”
versionVersion of webhook. Default is 1.


 "data": {
    “merchant_id” : “CF89797”,
    “created_at” : “2021-06-23T23:15:20+0530”,
    “merchant_name” : “Business A”,
    “onboarding_status” : “ACTIVE”
 "event_time": "2021-04-16T14:10:36+05:30",
 "version": 1

Verify Signature

Verifying the signature (passed along with the POST parameters as header) is mandatory before you process any response. We also recommending whitelisting only our IP address on your webhook endpoint.

Follow steps below to calculate and verify the signature passed:

  1. Get all the POST parameters assign it to an array as key-value pair.
  2. Sort the array based on keys.
  3. Concatenate all the values in this array and the resultant is the post data (say, postData).
  4. postData needs to be encrypted using SHA-256 and then base64 encoded.
  5. For the SHA-256 encryption use the latest api key as the secret key.
  6. Now verify if the signature calculated and the signature received a match. Proceed further if it matches.

Do not go live without verifying the signature.

Following code snippets show you how to generate and verify the signature. This should not be assumed production-ready, kindly consider adding necessary validation before processing.

$data = $_POST;
  $signature = $_POST["signature"];
  // $data now has all the POST parameters except signature
  ksort($data);  // Sort the $data array based on keys
  $postData = "";
  foreach ($data as $key => $value){
    if (strlen($value) > 0) {
      $postData .= $value;
  $hash_hmac = hash_hmac('sha256', $postData, $apiKey, true) ;
  // Use the clientSecret from the oldest active Key Pair.
  $computedSignature = base64_encode($hash_hmac);
  if ($signature == $computedSignature) {
    // Proceed based on $event 
  } else {
    // Reject this call 
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.Mac;
import org.apache.commons.codec.binary.Base64;
public class ComputedSignature {
    public static String generateHMAC(String clientSecret, String data) {
        String hash = null; //data is a string which has the json sorted through keys and concatenated values
        try {
            String secret = apiKey;
            String message = data;
            Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(),"HmacSHA256");
            hash = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));
        catch (Exception e){ //Log it
        return hash;

Activation Lifecycle

Onboarding Status

Pending Email Verification: The Merchant must first verify their registered email address. An email is sent automatically from Cashfree Payments (from [email protected]) to the merchant email ID you specified when you added the merchant details.
If the merchant has not received the email in their Primary inbox, please ask them to check it in the Spam folder. If the merchant has not received the email you can use the Resend Email email to send the verification email again.

Email Verified: This means that Merchant has verified their email address, and can now start their KYC verification process.

KYC Status

Min KYC Pending: Merchant must submit the required KYC details and documents.
Min KYC Submitted: Merchant has submitted their KYC details and documents and the documents are being reviewed by Cashfree Payments
Min KYC Rejected: Merchant KYC has discrepancies and corresponding KYC details and documents need to be provided.
Min KYC Approved: Merchant KYC has been approved and Payment Gateway product is activated.



If the merchants have verified their email you can fill out the KYC on behalf of the merchant and activate the account for your merchants.