Skip to main content
Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Cashfree Payments. Every webhook contains a signature (x-webhook-signature) in the header. The verification process is as follows:
  1. Extract the x-webhook-timestamp from the headers.
  2. Concatenate the timestamp and the raw request body (exact payload, unmodified).
  3. Generate an HMAC-SHA256 hash of this string using your client secret.
  4. Base64-encode the hash.
  5. Compare it with the x-webhook-signature header value. If they match, the webhook is valid.
  • Always use the raw request body and not a parsed JSON object. This prevents signature mismatch.
  • Reject the webhook if the signature does not match.

Sample code

const crypto = require("crypto");

function verify(req) {
  const ts = req.headers["x-webhook-timestamp"];
  const rawBody = req.rawBody; // middleware must store raw body
  const secretKey = "<client-secret>";
  const signStr = ts + rawBody;
  return crypto.createHmac("sha256", secretKey).update(signStr).digest("base64");
}

IPs to whitelist

When you decide to consume the webhooks, first, you need to verify if your systems need an IP whitelisting to be done at your end or not. Accordingly you can whitelist the below IPs of Cashfree:
Sandbox
52.66.25.127
15.206.45.168
Prod
52.66.101.190
3.109.102.144
3.111.60.173
18.60.134.245
18.60.183.142
Port
443 (secured)