Webhooks Guide
Webhooks allow you to receive real-time HTTP notifications when verification requests complete. Instead of polling for results, your server receives automatic updates as soon as processing finishes.How Webhooks Work
1
Submit Request
You submit a verification request (e.g., UPI by Mobile)
2
Request Queued
API returns
202 Accepted with a request ID3
Processing
TxnCheck processes the verification request
4
Webhook Delivered
Results are sent to your configured webhook URL
5
Confirmation
Your server returns
2xx to acknowledge receiptSetting Up Webhooks
Webhook URLs are configured at the merchant account level. Contact your account manager or configure webhooks in the Merchant Dashboard under Settings → Webhooks.Requirements
- HTTPS URL - Webhook endpoints must use HTTPS
- Public accessibility - Your endpoint must be reachable from the internet
- Quick response - Return
2xxwithin 30 seconds
Webhook Events
Webhook Payload
All webhook payloads follow this structure:Payload Fields
Full Check Step Statuses
Forfull-check requests, the stepStatuses field shows the outcome of each verification step:
result.vpaChargebackCheck.vpas[].isBlocklisted to determine blocklist status.
Webhook Headers
Each webhook request includes these headers:Signature Verification
Verification Algorithm
Implementation Examples
Retry Policy
If webhook delivery fails (non-2xx response or timeout), TxnCheck retries with exponential backoff:
After 5 failed attempts, the webhook is marked as failed. You can still retrieve results using the Request Status endpoint.
Testing Webhooks
Local Development
For local development, use a tunneling service like ngrok to expose your local server:Webhook Logs
View webhook delivery logs in the Merchant Dashboard under Webhooks → Logs. You can see:- Delivery status (success/failed)
- Response codes
- Retry attempts
- Payload details
Best Practices
Always Verify Signatures
Never process webhooks without verifying the signature first
Respond Quickly
Return 200 immediately, process events asynchronously
Handle Duplicates
Use request ID for idempotency - you may receive the same event twice
Log Everything
Log webhook payloads for debugging and audit trails
Webhook endpoints must be publicly accessible HTTPS URLs. Self-signed certificates are not supported.
