Webhooks

Webhooks are server callbacks to your server from Cashfree. Webhooks are event-based and are sent when specific events related to the transaction happen.

Configure Webhook

  • Write to [email protected] to add your Webhook endpoint.
  • Ensure you do not process duplicate events.

Webhook will be sent to your configured endpoint as a POST request with the body containing the various parameters specifying the details of each event. Each request contains an event parameter that identifies its type.

Below are the various events that can be sent to your webhook endpoint.

  • SUBSCRIPTION_STATUS_CHANGE
  • SUBSCRIPTION_NEW_PAYMENT
  • SUBSCRIPTION_PAYMENT_DECLINED
  • SUBSCRIPTION_AUTH_STATUS

SUBSCRIPTION_STATUS_CHANGE

Parameter

Type

Description

cf_event

String

The event for which the subscription was authorized. The value for this event is SUBSCRIPTION_STATUS_CHANGE.

cf_subReferenceId

Float

A unique Id which was generated when the subscription was created.

cf_status

String

The new status of the subscription. Click here for information on subscription statuses.

cf_lastStatus

String

The old status of the subscription. Click here for information on subscription statuses.

cf_eventTime

String

The time when the event was dispatched.

signature

String

The hash of all parameters in request generated using secretKey.


SUBSCRIPTION_NEW_PAYMENT

Parameter

Type

Description

cf_event

String

The event for which the subscription was authorized. The value for this event is SUBSCRIPTION_NEW_PAYMENT.

cf_subReferenceId

Float

A unique Id which was generated when the subscription was created

cf_paymentId

String

The unique paymentId for the payment

cf_amount

Float

The amount of money charged for payment.

cf_eventTime

String

The time when the event was dispatched

signature

String

The hash of all parameters in request generated using secretKey.

retryAttempts

Float

The number of payment retries. This is applicable for failed payments.


SUBSCRIPTION_PAYMENT_DECLINED

Parameter

Type

Description

cf_event

String

The event for which the subscription was authorized. The value for this event is SUBSCRIPTION_PAYMENT_DECLINED.

cf_subReferenceId

Float

A unique Id which was generated when the subscription was created.

cf_paymentId

String

The unique paymentId for the payment.

cf_amount

Float

The amount of money charged for payment.

cf_reasons

String

A possible reason for failure.

cf_eventTime

String

The time when the event was dispatched.

signature

String

The hash of all parameters in request generated using secretKey.

retryAttempts

Float

The number of payment retries. This is applicable for failed payments.


SUBSCRIPTION_AUTH_STATUS

This event is triggered when the checkout fails. The customer can do multiple checkouts through the same subscription, and you will be notified of every checkout failure.

This event will not be triggered for an active, or bank approval pending subscription.

This is just for eMandate authorisation, not applicable for other payment modes.

Parameter

Type

Description

cf_event

String

The event is triggered when the checkout fails (Alphanumeric).

cf_eventTime

String

The time when the event was dispatched

cf_subReferenceId

Float

A unique Id which was generated when the subscription was created (Numeric)

cf_subscriptionStatus

String

The status of the subscription when the event was triggered.

authTimestamp

String

Checkout timestamp.

authStatus

String

Checkout status. Allowed value: FAILED

authFailureReason

String

Failure reason for the checkout

Failure Reasons

Code

Reason

AP01

Account Blocked

AP02

Account Closed

AP03

Account Frozen

AP04

Account Inoperative

AP05

No Such Account

AP06

Not a SBS accoountnumber or old account number represent with CBS number

AP07

Refer to the branch KYC not completed

AP11

Authentication Failed

AP14

Invalid user credentials

AP15

Mandate not registered_ not maintaining required balance

AP16

Mandate not registered_ minor account

AP17

Mandate not registerd_ NRE Account

AP18

Mandate registration not allowed for CC account

AP19

Mandate registration not allowed for PF account

AP20

Mandate registraction not allowed for PPF account

AP23

Transaction rejected or canceleed by customer

AP24

Account not in regular Status

AP25

Withdrawal stopped due to insolvency of account

AP28

Mandate registration failed. Please contact your home branch

AP29

Technical errors or connectivity issues as bank

AP30

Browser closed by customer in mid-transaction

AP31

Mandate registration not allowed for joint account

AP32

Mandate registration not allowed for wallet account

AP33

User rejected the transaction on pre-login page

AP34

Account number not registered with net-banking facility

AP35

Debit card validation failed due to_ Invalid card number

AP36

Debit card validation failed due to_ Invalid expiry date

AP37

Debit card validation failed due to_ Invalid PIN

AP38

Debit card validation failed due to_ Invalid CVV

AP39

OTP invalid

AP40

Maximum retries exceeded for OTP

AP41

Time expired for OTP

AP42

Debit card not activated

AP43

Debit card blocked

AP44

Debit card hot listed

AP45

Debit card expired

AP46

No response received from customer while preforming transaction

AP47

Account number registered for only view rights in net-banking facility

Generate Signature

Use the following examples as illustrations for how to generate a signature. If the language you are using is not mentioned here, contact us at [email protected]

Do not go live without signature verification.

data = "";
iterate keys as key in POST request alphabetically:
  if (key starts with "cf_"):
    data = data + key + POST[key]
computedSignature = base64 of (hash of (data) with secretKey as hashKey)
if (computedSignature != POST["signature"]):
  // An invalid/fraud request do not mark subscription as successfull
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
public class ChecksumServlet extends HttpServlet {
  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
    try {
      String secretKey = "ac7960e7995536f0177fd210f3b3937fc2d974a4";
      Map<String, String[]> postData = request.getParameterMap();
      // ensuring appId gets initialized
      String data = "";
      SortedSet<String> keys = new TreeSet<String>(postData.keySet());
      for (String key : keys) {
        if ((key.length() > 3) && (key.substring(0, 3).equals("cf_"))) {
          data = data + key + ((String[])postData.get(key))[0];
}
}
      Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
      SecretKeySpec secret_key_spec = new
SecretKeySpec(secretKey.getBytes(),"HmacSHA256");
      sha256_HMAC.init(secret_key_spec);
      String computedSignature =
Base64.getEncoder().encodeToString(sha256_HMAC.doFinal(data.getBytes()));
      if (!computedSignature.equals(postData.get("signature"))) {
        // An invalid/fraud request do not mark subscription as successfull
} }
    catch (Exception ex) {
      // handle
} }
}