Skip to main content

Webhooks Guide

Webhooks allow you to receive real-time HTTP notifications when verification requests complete. Instead of polling for results, your server receives automatic updates as soon as processing finishes.

How Webhooks Work

1

Submit Request

You submit a verification request (e.g., UPI by Mobile)
2

Request Queued

API returns 202 Accepted with a request ID
3

Processing

TxnCheck processes the verification request
4

Webhook Delivered

Results are sent to your configured webhook URL
5

Confirmation

Your server returns 2xx to acknowledge receipt

Setting Up Webhooks

Webhook URLs are configured at the merchant account level. Contact your account manager or configure webhooks in the Merchant Dashboard under Settings → Webhooks.

Requirements

  • HTTPS URL - Webhook endpoints must use HTTPS
  • Public accessibility - Your endpoint must be reachable from the internet
  • Quick response - Return 2xx within 30 seconds

Webhook Events

Webhook Payload

All webhook payloads follow this structure:

Payload Fields

Full Check Step Statuses

For full-check requests, the stepStatuses field shows the outcome of each verification step:
Use result.vpaChargebackCheck.vpas[].isBlocklisted to determine blocklist status.

Webhook Headers

Each webhook request includes these headers:

Signature Verification

Always verify webhook signatures to ensure requests are from TxnCheck and haven’t been tampered with.

Verification Algorithm

Implementation Examples

Retry Policy

If webhook delivery fails (non-2xx response or timeout), TxnCheck retries with exponential backoff: After 5 failed attempts, the webhook is marked as failed. You can still retrieve results using the Request Status endpoint.

Testing Webhooks

Local Development

For local development, use a tunneling service like ngrok to expose your local server:

Webhook Logs

View webhook delivery logs in the Merchant Dashboard under Webhooks → Logs. You can see:
  • Delivery status (success/failed)
  • Response codes
  • Retry attempts
  • Payload details

Best Practices

Always Verify Signatures

Never process webhooks without verifying the signature first

Respond Quickly

Return 200 immediately, process events asynchronously

Handle Duplicates

Use request ID for idempotency - you may receive the same event twice

Log Everything

Log webhook payloads for debugging and audit trails
Webhook endpoints must be publicly accessible HTTPS URLs. Self-signed certificates are not supported.