Merchant Onboarding Webhooks

This is list of webhooks triggered from the Cashfree system. These webhooks allow partners to remain alert to state changes for their merchants.

Configure Webhook

To configure the webhook, go to Partner Dashboard > Developers > Webhooks. Add your webhook endpoint where you want to receive alerts. Ensure you do not process duplicate events.

Webhook will be sent to your configured endpoint as a POST request with the body containing the various parameters specifying the details of each event. Each request contains an event parameter that identifies its type.

We support webhooks in both encoded and JSON formats.

Webhook header parameters and descriptions are available below:

ParameterDescription
x-cashfree-timestampTimestamp in ISO format. Time at which the webhook is triggered.
x-cashfree-signatureString. It is a base64 encoded entity of the hash (SHA256) of the raw payload sorted by alphabetical order of keys and the latest partner api key.
This signature should be used to verify authenticity of the webhook.

Webhook parameters and descriptions are available below:

ParameterDescription
data.merchant_idUnique merchant id provided by the partner at the time of merchant creation.
data.merchant_nameName of the merchant
data.created_atTimestamp in ISO format for when the merchant was created in CF system.
data.onboarding_statusOnboarding status for the merchant
event_timeTimestamp in ISO format. Time when event was created.
typeType of webhook. Value is “MERCHANT_ONBOARDING_STATUS”
versionVersion of webhook. Default is 1.

Example - MERCHANT_ONBOARDING_STATUS webhook

{
 "data": {
    “merchant_id” : “CF89797”,
    “created_at” : “2021-06-23T23:15:20+0530”,
    “merchant_name” : “Business A”,
    “onboarding_status” : “ACTIVE”
    },
 "event_time": "2021-04-16T14:10:36+05:30",
 "type": "MERCHANT_ONBOARDING_STATUS",
 "version": 1
}

Verify Signature

Use the signature received in webhooks to verify if the request has not been tampered. This is generally a good security practice to avoid abuse via a fraudulent party.

To verify the signature at your end, you need your Cashfree Partner API Key along with the webhook object.

  • The timestamp is present in the webhook object header x-webhook-timestamp
  • The actual signature generated by Cashfree is present in the webhook object header x-webhook-signature

The signature creation logic is as below:

timestamp := 1617695238078; 
signedPayload := $timestamp.$payload;
expectedSignature := Base64Encode(HMACSHA256($signedPayload, $partnerApiKey));

Activation Lifecycle

Onboarding Status

Pending Email Verification: The Merchant must first verify their registered email address. An email is sent automatically from Cashfree Payments (from [email protected]) to the merchant email ID you specified when you added the merchant details.
If the merchant has not received the email in their Primary inbox, please ask them to check it in the Spam folder. If the merchant has not received the email you can use the Resend Email email to send the verification email again.

Email Verified: This means that Merchant has verified their email address, and can now start their KYC verification process.

KYC Status

Min KYC Pending: Merchant must submit the required KYC details and documents.
Min KYC Submitted: Merchant has submitted their KYC details and documents and the documents are being reviewed by Cashfree Payments
Min KYC Rejected: Merchant KYC has discrepancies and corresponding KYC details and documents need to be provided.
Min KYC Approved: Merchant KYC has been approved and Payment Gateway product is activated.

📘

Note:

If the merchants have verified their email you can fill out the KYC on behalf of the merchant and activate the account for your merchants.