Webhooks

Webhooks are server callbacks to your server from Cashfree payments.

Webhooks are event-based notifications that are received when a specific event related to the account aggregator API journey occurs.

Add webhooks

Add your webhook URL in our system for us to deliver webhook events.

Follow the instructions below to configure the webhook URL. Ensure to provide the publicly accessible HTTPS URL to your webhook endpoint.

  1. Once you login to the dashboard with the credentials, click Developers.
  2. Click Webhooks listed under the Verification Suite card.
  3. Click Add Webhook URL in the Developers - Verification Suite screen.
  4. In the Add Webhook popup, fill in the following information:
    • Webhook URL - Enter the URL in this field.
  5. Click Test & Add Webhook.
Add Webhook

Add Webhook


Consent webhook events

EventConsent StatusDescription
AA_CONSENT_VERIFICATION_SUCCESSSUCCESSYou will receive this event when the individual has given the consent successfully.
AA_CONSENT_VERIFICATION_PAUSEDPAUSEDYou will receive this event when the individual has paused the consent request.
AA_CONSENT_VERIFICATION_REVOKEDREVOKEDYou will receive this event when the individual has revoked the consent.
AA_CONSENT_VERIFICATION_REJECTEDREJECTEDYou will receive this event when the individual has rejected the consent request.
AA_CONSENT_VERIFICATION_EXPIREDEXPIREDYou will receive this event when the consent request expired.
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_CONSENT_VERIFICATION_SUCCESS",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "SUCCESS",
    "consent_verification_id": "a12bc34def56789"
  }
}
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_CONSENT_VERIFICATION_PAUSED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "PAUSED",
    "consent_verification_id": "a12bc34def56789"
  }
}
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_CONSENT_VERIFICATION_REVOKED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "REVOKED",
    "consent_verification_id": "a12bc34def56789"
  }
}
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_CONSENT_VERIFICATION_REJECTED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "REJECTED",
    "consent_verification_id": "a12bc34def56789"
  }
}
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_CONSENT_VERIFICATION_EXPIRED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "EXPIRED",
    "consent_verification_id": "a12bc34def56789"
  }
}

Financial information webhook events

EventFinancial information statusDescription
AA_FI_VERIFICATION_ACTIVEPARTIALYou will receive this event when you receive partial financial information of the individual.
AA_FI_VERIFICATION_SUCCESSSUCCESSYou will receive this event when you receive all the financial information of the individual.
AA_FI_VERIFICATION_EXPIREDEXPIREDYou will receive this event when the request to fetch financial information expired.
AA_FI_VERIFICATION_FAILEDFAILEDYou will receive this event when the request to fetch financial information failed.

{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_FI_VERIFICATION_ACTIVE",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "PARTIAL",
    "fi_verification_id": "v1234567890abcdef",
    "fi_status_response": [
      {
        "fip_id": "FIP_1",
        "accounts": [
          {
            "link_ref_number": "b2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "READY"
          }
        ]
      }
    ]
  }
}
{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_FI_VERIFICATION_SUCCESS",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "SUCCESS",
    "fi_verification_id": "v1234567890abcdef",
    "fi_status_response": [
      {
        "fip_id": "FIP_1",
        "accounts": [
          {
            "link_ref_number": "b2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "READY"
          },
          {
            "link_ref_number": "a2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "TIMEOUT"
          }
        ]
      },
      {
        "fip_id": "FIP_2",
        "accounts": [
          {
            "link_ref_number": "c2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "READY"
          }
        ]
      }
    ]
  }
}

{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_FI_VERIFICATION_EXPIRED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "EXPIRED",
    "fi_verification_id": "v1234567890abcdef",
    "fi_status_response": [
      {
        "fip_id": "FIP_1",
        "accounts": [
          {
            "link_ref_number": "b2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "READY"
          },
          {
            "link_ref_number": "a2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "TIMEOUT"
          }
        ]
      },
      {
        "fip_id": "FIP_2",
        "accounts": [
          {
            "link_ref_number": "c2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "READY"
          }
        ]
      }
    ]
  }
}

{
  "signature": "e8f06e55abcf7483f3249b7a992f4a2d",
  "event_type": "AA_FI_VERIFICATION_FAILED",
  "event_time": "2024-02-15 16:53:15",
  "version": "1.0",
  "data": {
    "status": "FAILED",
    "fi_verification_id": "v1234567890abcdef",
    "fi_status_response": [
      {
        "fip_id": "FIP_1",
        "accounts": [
          {
            "link_ref_number": "a2328fa7-0dcd-2314-asb5-9ef7b4c1cz6b",
            "fi_status": "TIMEOUT"
          }
        ]
      }
    ]
  }
}


Signature verification

Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Cashfree Payments.

Follow the steps to verify the signature:

  1. Sort the array based on keys.
  2. Concatenate all the values in this array and the resultant is the post data (postData).
  3. postData needs to be encrypted using SHA-256 and then base64 encoded.
  4. Verify if both the signature calculated and the signature received match.
  5. Proceed further only if the signatures match. If not, discard the request.
  6. Ensure clientSecret you use is from the oldest active key pair.

For example, from the webhook received, extract the data and pass it to generate HMAC function:

{bank_account=026291800001191, ifsc=YESB0000262, upi=, name_at_bank=John Doe, 
verification_id=fadsfdsf, ref_id=332, utr=332, status=SUCCESS,
added_on=2023-09-06T07:48:53+05:30, processed_on=2023-09-06 07:49:03, 
penny_collected_on=2023-09-06 07:48:53}
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}