A webhook is a request that GoCardless sends to your server to alert you of an event. Adding support for webhooks allows you to receive real-time notifications from GoCardless when things happen in your account, so you can take automated actions in response, for example:
- When a payment fails due to lack of funds, retry it automatically
- When a customer cancels their mandate with the bank, suspend their account
- When a customer’s subscription generates a new payment, record that payment against their account
Making localhost accessible to the internet with ngrok
To start experimenting with webhooks, your code will need to be accessible from the internet so GoCardless can reach it with HTTP requests. If you’re working locally, the easiest way to do this is with ngrok.
Download it and follow the instructions on the page to install it (you’ll need to unzip the archive, and then make the ngrok binary available in your PATH).
Now, just run ngrok http <port>, where <port> is the port where your web server is running (for example ngrok http 8000 if you’re running on port 8000).
You’ll see two links that forward to localhost:8000. Select the URL that starts with https, and copy it to your clipboard.
In the sandbox, you can use an HTTP URL for your webhooks, but to go live, the endpoint must be HTTPS secured.
Adding a webhook URL in the GoCardless Dashboard
To start receiving webhooks, you’ll need to add a webhook endpoint from your Dashboard here.
Simply enter the HTTPS URL from earlier and add on the path where your webhook handler will be available, give your endpoint a name, and then click “Create webhook endpoint”. Next, click on your new endpoint in the list and copy the secret to your clipboard.
Building a webhook handler
Let’s get started by building our first webhook handler. Webhooks are HTTP POST requests made to the URL you provided, with a JSON body.
The first step to take when you receive a webhook is to check its signature - this makes sure that is genuinely from GoCardless and hasn’t been forged. A signature is provided in the Webhook-Signature header of the request. We just need to compute the signature ourselves using the POSTed JSON and the webhook endpoint’s secret (which we copied earlier), and compare it to the one in the header.
If they match, the webhook is genuine, because only you and GoCardless know the secret. It’s important that you keep the secret safe, and change it periodically using the Dashboard.
We can verify the signature like this:
<?php
// We recommend storing your webhook endpoint secret in an environment variable
// for security, but you could include it as a string directly in your code
$webhook_endpoint_secret = getenv("GOCARDLESS_WEBHOOK_ENDPOINT_SECRET");
$request_body = file_get_contents('php://input');
$headers = getallheaders();
$signature_header = $headers["Webhook-Signature"];
try {
$events = \GoCardlessPro\Webhook::parse($request_body,
$signature_header,
$webhook_endpoint_secret);
// Process the events...
header("HTTP/1.1 204 No Content");
} catch(\GoCardlessPro\Core\Exception\InvalidSignatureException $e) {
header("HTTP/1.1 498 Invalid Token");
}
# Here, we're using a Django view, but essentially the same code will work in
# other Python web frameworks (e.g. Flask) with minimal changes
import os
from django.views.generic import View
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator
from django.http import HttpResponse
from gocardless_pro import webhooks
from gocardless_pro.errors import InvalidSignatureError
# Handle the incoming Webhook and check its signature.
class Webhook(View):
@method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
return super(Webhook, self).dispatch(*args, **kwargs)
def get_events(self, request):
secret = os.environ['GC_WEBHOOK_SECRET']
signature = request.META["HTTP_WEBHOOK_SIGNATURE"]
body = request.body.read().strip()
return webhooks.parse(body, secret, signature)
def post(self, request, *args, **kwargs):
try:
for event in self.get_events(request):
# Do something with the events ...
pass
return HttpResponse(200)
except InvalidSignatureError:
return HttpResponse(498)
# Here, we're using a Rails controller, but essentially the same code will work in other
# Ruby web frameworks (e.g. Sinatra) with minimal changes
class WebhooksController < ApplicationController
include ActionController::Live
protect_from_forgery except: :create
def create
# We recommend storing your webhook endpoint secret in an environment variable
# for security, but you could include it as a string directly in your code
webhook_endpoint_secret = ENV['GOCARDLESS_WEBHOOK_ENDPOINT_SECRET']
# In a Rack app (e.g. Sinatra), access the POST body with
# `request.body.tap(&:rewind).read`
request_body = request.raw_post
# In a Rack app (e.g. Sinatra), the header is available as
# `request.env['HTTP_WEBHOOK_SIGNATURE']`
signature_header = request.headers['Webhook-Signature']
begin
events = GoCardlessPro::Webhook.parse(request_body: request_body,
signature_header: signature_header,
webhook_endpoint_secret: webhook_endpoint_secret)
# Process the events...
render status: 204, nothing: true
rescue GoCardlessPro::Webhook::InvalidSignatureError
render status: 498, nothing: true
end
end
end
package hello;
// Use the POM file at
// https://raw.githubusercontent.com/gocardless/gocardless-pro-java-maven-example/master/pom.xml
import com.gocardless.errors.InvalidSignatureException;
import com.gocardless.resources.Event;
import com.gocardless.Webhook;
import java.util.List;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.http.ResponseEntity;
@RestController
public class HelloController {
@PostMapping("/")
public ResponseEntity<String> handlePost(
@RequestHeader("Webhook-Signature") String signatureHeader,
@RequestBody String requestBody) {
String webhookEndpointSecret = System.getenv("GOCARDLESS_WEBHOOK_ENDPOINT_SECRET");
try {
List<Event> events = Webhook.parse(requestBody, signatureHeader, webhookEndpointSecret)
for (Event event : events) {
// Process the event
}
return new ResponseEntity<String>("OK", HttpStatus.OK);
} catch(InvalidSignatureException e) {
return new ResponseEntity<String>("Incorrect Signature", HttpStatus.BAD_REQUEST);
}
}
}
[HttpPost]
public ActionResult HandleWebhook()
{
var requestBody = Request.InputStream;
requestBody.Seek(0, System.IO.SeekOrigin.Begin);
var requestJson = new StreamReader(requestBody).ReadToEnd();
// We recommend storing your webhook endpoint secret in an environment variable
// for security, but you could include it as a string directly in your code
var secret = ConfigurationManager.AppSettings["GoCardlessWebhookSecret"];
var signaure = Request.Headers["Webhook-Signature"] ?? "";
try
{
foreach (Event event in WebhookParser.Parse(requestJson, secret, signature))
{
// Process the event
}
return new HttpStatusCodeResult(HttpStatusCode.OK);
}
catch (InvalidSignatureException e)
{
return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
}
}
Testing your webhook handler
In the Dashboard, the “Send test web hook” functionality makes it easy to start experimenting with webhooks.
Select the webhook endpoint you created earlier, set the Resource type of mandates and the action to cancelled. You can set the cause and event details however you like. Then, click “Send test web hook”.
Now, refresh the page. Usually, the webhook will appear right away, but sometimes you might have to refresh a few times. We’ll make a request to your endpoint, and your webhook will appear in the list - click on it. If everything’s working, you’ll see a response code of 200 OK.
Processing events
A webhook can contain multiple events, and each has a resource_type (telling us what kind of resource the event is for, for example “payments” or “mandates”), an action (telling us what happened to the resource, for example the cancelled action for a mandate) and details (specifying why the event happened).
You can see a full list of the possible combinations in the reference docs.
As an example, we’ll write a handler for when a mandate is cancelled:
<?php
function process_mandate_event($event)
{
switch ($event->action) {
case "cancelled":
print("Mandate " . $event->links["mandate"] . " has been cancelled!\n");
// You should keep some kind of record of what events have been processed
// to avoid double-processing
//
// $event = Event::where("gocardless_id", $event->id)->first();
// You should perform processing steps asynchronously to avoid timing out if
// you receive many events at once. To do this, you could use a queueing
// system like Beanstalkd
//
// http://george.webb.uno/posts/sending-php-email-with-mandrill-and-beanstalkd
//
// Once you've performed the actions you want to perform for an event, you
// should make a record to avoid accidentally processing the same one twice.
CancelServiceAndNotifyCustomer::performAsynchronously($event->links["mandate"]);
break;
default:
print("Don't know how to process a mandate " . $event->action . " event\n");
break;
}
}
// We recommend storing your webhook endpoint secret in an environment variable
// for security
$webhook_endpoint_secret = getenv("GOCARDLESS_WEBHOOK_ENDPOINT_SECRET");
$request_body = file_get_contents('php://input');
$headers = getallheaders();
$signature_header = $headers["Webhook-Signature"];
try {
$events = \GoCardlessPro\Webhook::parse($request_body,
$signature_header,
$webhook_endpoint_secret);
foreach ($events as $event) {
print("Processing event " . $event->id . "\n");
switch ($event->resource_type) {
case "mandates":
process_mandate_event($event);
break;
default:
print("Don't know how to process an event with resource_type " . $event->resource_type . "\n");
break;
}
}
header("HTTP/1.1 200 OK");
} catch(\GoCardlessPro\Core\Exception\InvalidSignatureException $e) {
header("HTTP/1.1 498 Invalid Token");
}
# Here, we're using a Django view, but essentially the same code will work in
# other Python web frameworks (e.g. Flask) with minimal changes
import json
import hmac
import hashlib
import os
from django.views.generic import View
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator
from django.http import HttpResponse
# Handle the incoming Webhook and perform an action with the Webhook data.
class Webhook(View):
@method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
return super(Webhook, self).dispatch(*args, **kwargs)
def is_valid_signature(self, request):
secret = bytes(os.environ['GC_WEBHOOK_SECRET'], 'utf-8')
computed_signature = hmac.new(
secret, request.body, hashlib.sha256).hexdigest()
provided_signature = request.META["HTTP_WEBHOOK_SIGNATURE"]
return hmac.compare_digest(provided_signature, computed_signature)
def post(self, request, *args, **kwargs):
if self.is_valid_signature(request):
response = HttpResponse()
payload = json.loads(request.body.decode('utf-8'))
# Each webhook may contain multiple events to handle, batched together.
for event in payload['events']:
self.process(event, response)
return response
else:
return HttpResponse(498)
def process(self, event, response):
response.write("Processing event {}\n".format(event['id']))
if event['resource_type'] == 'mandates':
return self.process_mandates(event, response)
# ... Handle other resource types
else:
response.write("Don't know how to process an event with \
resource_type {}\n".format(event['resource_type']))
return response
def process_mandates(self, event, response):
if event['action'] == 'cancelled':
response.write("Mandate {} has been \
cancelled\n".format(event['links']['mandate']))
# ... Handle other mandate actions
else:
response.write("Don't know how to process an event with \
resource_type {}\n".format(event['resource_type']))
return response
require 'gocardless_pro'
class MandateEventProcessor
def self.process(event, response)
case event.action
when 'cancelled'
response.stream.write("Mandate #{event.links.mandate} has been cancelled\n")
# You should keep some kind of record of what events have been processed
# to avoid double-processing, checking if the event already exists before
# event = Event.find_by(gocardless_id: event['id'])
# You should perform processing steps asynchronously to avoid timing out
# if you receive many events at once. To do this, you could use a
# queueing system like
# Resque (https://github.com/resque/resque)
#
# Once you've performed the actions you want to perform for an event, you
# should make a record to avoid accidentally processing the same one twice
# CancelServiceAndNotifyCustomer.enqueue(event['links']['mandate'])
else
response.stream.write("Don't know how to process a mandate #{event.action} " \
"event\n")
end
end
end
def create
# We recommend storing your webhook endpoint secret in an environment variable
# for security, but you could include it as a string directly in your code
webhook_endpoint_secret = ENV['GOCARDLESS_WEBHOOK_ENDPOINT_SECRET']
# In a Rack app (e.g. Sinatra), access the POST body with
# `request.body.tap(&:rewind).read`
request_body = request.raw_post
# In a Rack app (e.g. Sinatra), the header is available as
# `request.env['HTTP_WEBHOOK_SIGNATURE']`
signature_header = request.headers['Webhook-Signature']
begin
events = GoCardlessPro::Webhook.parse(request_body: request_body,
signature_header: signature_header,
webhook_endpoint_secret: webhook_endpoint_secret)
events.each do |event|
# We're using Rails's streaming functionality here to write directly to the
# response rather than using views, as one would usually.
response.stream.write("Processing event #{event.id}\n")
case event.resource_type
when 'mandates'
MandateEventProcessor.process(event, response)
else
response.stream.write("Don't know how to process an event with resource_type " \
"#{event.resource_type}\n")
end
end
response.stream.close
render status: 200
rescue GoCardlessPro::Webhook::InvalidSignatureError
render status: 498
end
end
package hello;
// Use the POM file at
// https://raw.githubusercontent.com/gocardless/gocardless-pro-java-maven-example/master/pom.xml
import com.gocardless.errors.InvalidSignatureException;
import com.gocardless.resources.Event;
import com.gocardless.Webhook;
import java.util.List;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.http.ResponseEntity;
@RestController
public class HelloController {
private String processMandate(Event event) {
/*
You should keep some kind of record of what events have been processed
to avoid double-processing, checking if the ecent already exists
before processing it.
You should perform processing steps asynchronously to avoid timing out
if you receive many events at once. To do this, you could use a
queueing system like @Async.
https://spring.io/guides/gs/async-method/
Once you've performed the actions you want to perform for an event, you
should make a record to avoid accidentally processing the same one twice
*/
switch (event.getAction()) {
case "cancelled":
return "Mandate " + event.getLinks().getMandate() +
" has been cancelled.\n";
default:
return "Do not know how to process an event with action " +
event.getAction() + ".\n";
}
}
private String processEvent(Event event) {
switch (event.getResourceType()) {
case MANDATES:
return processMandate(event);
default:
return "Don't know how to process an event of resource_type " +
event.getResourceType().toString() + ".\n";
}
}
@PostMapping("/")
public ResponseEntity<String> handlePost(
@RequestHeader("Webhook-Signature") String signatureHeader,
@RequestBody String requestBody) {
String webhookEndpointSecret = System.getenv("GOCARDLESS_WEBHOOK_ENDPOINT_SECRET");
try {
List<Event> events = Webhook.parse(requestBody, signatureHeader, webhookEndpointSecret)
String responseBody = "";
for (Event event : events) {
responseBody += processEvent(event);
}
return new ResponseEntity<String>(responseBody, HttpStatus.OK);
} catch(InvalidSignatureException e) {
return new ResponseEntity<String>("Incorrect Signature", HttpStatus.BAD_REQUEST);
}
}
}
[HttpPost]
public ActionResult HandleWebhook()
{
var requestBody = Request.InputStream;
requestBody.Seek(0, System.IO.SeekOrigin.Begin);
var requestJson = new StreamReader(requestBody).ReadToEnd();
// We recommend storing your webhook endpoint secret in an environment variable
// for security, but you could include it as a string directly in your code
var secret = ConfigurationManager.AppSettings["GoCardlessWebhookSecret"];
var hmac256 = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
byte[] messageHash = hmac256.ComputeHash(Encoding.UTF8.GetBytes(requestJson));
var result = BitConverter.ToString(messageHash).Replace("-", "").ToLower();
// If the signature doesn't match what was expected, reject the request
// Otherwise, handle the events in the webhook then respond with 200 OK
if ((Request.Headers["Webhook-Signature"] ?? "") != result)
return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
// Here we deserialize the webhook using the same objects the library uses to
// represent API responses for Events, but you could parse and handle the JSON
// body however you prefer.
var serializerSettings = new GoCardless.Internals.JsonSerializerSettings();
GoCardless.Services.EventListResponse events =
JsonConvert.DeserializeObject<GoCardless.Services.EventListResponse>(message, serializerSettings);
// Webhooks can contain many events. In a real implementation, you should handle
// the processing of each event asychronously to avoid timing out here.
// You could check whether you've processed the event before (by recording the event
// ID when you process it) and retrieve the associated resource to ensure that you have
// the most up-to-date information about it.
foreach (GoCardless.Resources.Event eventResource in events.Events)
{
// To keep this example simple, we're only handling Mandate events
if (eventResource.ResourceType == GoCardless.Resources.EventResourceType.Mandates)
{
switch (eventResource.Action)
{
case "created":
Console.WriteLine($"Mandate {eventResource.Links.Mandate} has been created, yay!");
break;
case "cancelled":
Console.WriteLine($"Oh no, mandate {eventResource.Links.Mandate} was cancelled!");
break;
default:
Console.WriteLine($"{eventResource.Links.Mandate} has been {eventResource.Action}");
break;
}
}
else
{
Console.WriteLine($"No method to handle {eventResource.ResourceType} events yet");
}
}
return new HttpStatusCodeResult(HttpStatusCode.OK);
}
Send a test webhook again, just like the one you sent before, and then click on it in the list. You’ll see a response at the bottom like this:
Processing event EVTEST8XP9DCPK
Mandate index_ID_123 has been cancelled!
We’ll send webhooks exactly like this when real events happen in your account.
In the sandbox, to make integrating as easy as possible, we provide scenario simulators which allow you to manually trigger certain cases (like a customer cancelling their mandate or a payment failing due to insufficient funds) from the Dashboard so you can test how your integration responds.
You can add support for as many differ resource_types and actions as you like, and make use of all of the other data we give you with events.