Facebook Pixel

How do I verify Razorpay webhook signatures?

Use crypto.createHmac('sha256', webhookSecret).update(req.body).digest('hex') and compare with the x-razorpay-signature header. Use express.raw() for the webhook route (not express.json()), as the signature is computed on the raw body. If signatures don't match, reject the request.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Razorpay Webhooks and Security Verifying Signatures and Preventing Fraud

Check if you've already processed the payment before handling it. Query your database for the paymentId if the status is already 'paid', skip processing and return 200. This makes webhook handling idempotent and prevents duplicate processing.

A malicious user could modify the amount in the frontend request to pay less. Always get the amount from your database based on the plan or product. The frontend sends the plan ID, the backend looks up the price, and creates the order with the database price.

Go to Razorpay Dashboard → Settings → Webhooks → Add New Webhook. Enter your HTTPS URL (https://api.yourdomain.com/api/payment/webhook), select events (payment.captured, payment.failed, refund.processed), and set a webhook secret. The secret is used to verify webhook signatures.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.