End Points and Test Data

Cashfree Payments uses API keys to allow access to the API. Once you have signed up at our merchant site, you will be able to see your AppId and SecretKey.

Cashfree expects API key to be included in all API requests to the server. Use the endpoint /api/v1/credentials/verify to verify your credentials.

Bank, UPI, and IFSC Verification End Points

PAN, UPI VPA using Phone Number, and Aadhaar Verification End Points


Test Data

View the test data and use this information to trigger the validations. The test data are usable only in the test environments such as gamma and sandbox, which are mentioned above.

Signature Verification

Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Cashfree Payments.

Follow the steps to verify the signature:

  1. Sort the array based on keys.
  2. Concatenate all the values in this array and the resultant is the post data (postData).
  3. postData needs to be encrypted using SHA-256 and then base64 encoded.
  4. Verify if both the signature calculated and the signature received match.
  5. Proceed further only if the signatures match. If not, discard the request.

For example, from the webhook received, extract the data and pass it to generate HMAC function:

{bank_account=026291800001191, ifsc=YESB0000262, upi=, name_at_bank=John Doe, 
verification_id=fadsfdsf, ref_id=332, utr=332, status=SUCCESS,
added_on=2023-09-06T07:48:53+05:30, processed_on=2023-09-06 07:49:03, 
penny_collected_on=2023-09-06 07:48:53}
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}