What should I log for payment webhooks?
Log the event name, entity ID (payment ID or refund ID), signature, received timestamp, and whether it was successfully processed. Store in a WebhookLog collection for audit trail. This helps debug issues and detect suspicious activity.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Razorpay Webhooks and Security Verifying Signatures and Preventing Fraud
Use crypto.createHmac('sha256', webhookSecret).update(req.body).digest('hex') and compare with the x-razorpay-signature header. Use express.raw() for the webhook route (not express.json()), as the signature is computed on the raw body. If signatures don't match, reject the request.
Check if you've already processed the payment before handling it. Query your database for the paymentId if the status is already 'paid', skip processing and return 200. This makes webhook handling idempotent and prevents duplicate processing.
A malicious user could modify the amount in the frontend request to pay less. Always get the amount from your database based on the plan or product. The frontend sends the plan ID, the backend looks up the price, and creates the order with the database price.
Still have questions?
Browse all our FAQs or reach out to our support team
