Razorpay Has Two Distinct HMAC Signatures — Here Is How Not to Mix Them Up
Razorpay uses two separate HMAC-SHA256 signatures that are easy to confuse: one for webhook verification and another for checkout payment confirmation. The webhook signature is delivered via the X-Razorpay-Signature header, keyed with the webhook secret and computed over the raw request body. The payment signature, returned as razorpay_signature in the checkout success handler, is keyed with the API key secret and computed over the order ID and payment ID joined by a pipe character. Using the wrong secret for either check causes all verifications to fail, even when the code appears correct. A critical implementation detail is that the raw, unparsed request body must be used for webhook verification, since any prior JSON parsing can alter whitespace or key order and break the signature match.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in