For all the payments (success or failed) to the UPI ID which is being provided in the response of "create a virtual account API" and for all the successful payments to the "virtual_account_number" which is being provided in the response of "create a virtual account API" , Open will notify the merchant with the details of the payment as the Webhook triggers to the Live webhook URL which the merchant has provided on their Open dashboard. see the below sample webhook request payload
{
"event_source":"virtual_account_payment",
"event_types_id":4,
"amount":"2.56",
"bank_ref_id":"022216477238",
"virtual_account_number":"363611794580225",
"payment_date":"2020-08-09 16:37:58",
"payment_mode":"UPI",
"status":"success",
"payee_details": {
"name": "NITISH RAJENDRA BAKALE",
"mobile": "0000000000",
"account_number": null,
"ifsc": null,
"va": "nitishbakale@kotak",
"payment_date": null
},
"vpa":"open.3000002229@icici",
"virtual_account_ifsc_code":"ICIC0000104",
"name":"Faris Vendor 2",
"primary_contact":"Faris2",
"email_id":"[email protected]",
"mobile_number":"1234567893",
"hash":"c14b2100ee5bc68b54b468b99fd2208985aa27d138fbd523588644efba28d9a4"
}
Hash Generation logic
Merchants can authenticate the webhook by using the hash which Open is sending in the Webhook request payload.
Hash generation steps
- remove "hash" key and value from webhook request payload.
- remove all new lines and whitespaces from current payload
- do SHA-256 HMAC hashing for the current request payload using the merchant's secret key.
- verify the hash generated is same which is there in request payload or not