Handling Customer Notifications

GoCardless automatically sends notifications to customers whenever an event happens in our system. For example, when a payment has been created, the customer will receive an email that informs them about the amount, description and cause of the payment.

You have the ability to send some of these notifications yourself, and we’ll honour your request if it is made within our stated deadline: otherwise, we will send the notification ourselves.

This feature is especially handy if you want to combine multiple notifications into a single one, for example:

  • a welcome email which includes mandate setup information

  • an email that lists the schedule of all upcoming payments

  • an email that combines a notice of a new mandate and a new subscription

Here is an example of the workflow:

  1. Your integration creates a payment

  2. The payment event schedules a payment_created notification

  3. We send a webhook to your application which includes notification metadata

  4. Your application notifies us that it will handle the notification

There are three conditions that you must satisfy to be able to handle a notification:

  1. You must be approved to handle notifications of this type

  2. You must be the “notification owner” for that payment, mandate, or subscription

  3. You must be on the Pro package

Currently, the following notifications can be handled:

  • payment_created

  • mandate_created

  • subscription_created

Getting approved to handle notifications

To be able to handle customer notifications yourself, you will need to be granted permission. Please get in touch with the GoCardless support team to get started.

Permissions are very granular and cover the type & scheme of the notification. For example, you might be approved to handle the payment_created notification just in the scheme sepa.

Compliant notifications must include all of the required information for that notification type, and be sent within the correct interval. More information about the required information for each type of notification can be found in our platform guides.

Notification ownership

A merchant may be connected to multiple partners, or have multiple integrations, so to avoid the problem of multiple integrations all trying to handle the same notification, we track the “owner” for all customer notifications in our system.

Only the owner will have the ability to handle notifications for that resource, falling back to GoCardless if the notification deadline is missed.

The owner is usually defined as the creator of that resource. For example, if your integration creates a payment, the owner will be your integration. Currently, our system does not permit any kind of ownership transfer from one integration to another. Resources created via dashboard will not record any owner (and therefore cannot be handled by your integration).

Getting notified about notifications

Notification information is currently only delivered in webhooks. When your application receives a webhook, each event may include a customer_notifications payload, which contains a list of one or more notifications that were triggered by that event. (If you don’t receive this information, it’s because you are not the owner for that resource or have not been granted any permissions):

1POST https://example.com/webhooks HTTP/1.1 2Content-Type: application/json 3{ 4 "events": [ 5 { 6 "id": "EV123", 7 "created_at": "2018-08-03T12:00:00.000Z", 8 "action": "created", 9 "resource_type": "payments", 10 "links": { 11 "payment": "PM123", 12 }, 13 "details": {}, 14 "customer_notifications": [ 15 { 16 "id": "PCN123", 17 "type": "payment_created", 18 "deadline": "2018-08-25T12:09:06.000Z", 19 "mandatory": true 20 } 21 ] 22 } 23 ] 24}

Note that each notification for an event includes an idtypedeadline and mandatory flag:

  • id is used to handle the notification (see below)

  • type can be used to filter notifications that you don’t handle. For example, if your integration only handles payment_created notifications, you can safely ignore notifications that are of another type.

  • deadline is the time by which your application must respond. If we don’t hear from you before this deadline, we’ll send the notification ourselves. The deadline is typically 10 minutes from the point at which we send the webhook but in the case of payment_created notifications, the deadline is the last possible time to notify the customer before the payment collects (this mirrors GoCardless’ behaviour).

  • mandatory is whether the notification needs to be handled by somebody (currently always true).

Handling notifications yourself

If your application intends to handle a notification, you should let us know before you take action. If you wait until after sending the notification, there is a chance that we also sent it in the meantime (e.g. if the deadline had elapsed), which would result in the customer receiving two notifications, one from each of us.

So, we recommend that you declare your intent first, and then send the notification using whichever mechanism is most appropriate for your system:

1<?php 2// We recommend storing your webhook endpoint secret in an environment variable 3// for security 4$webhook_endpoint_secret = getenv("GOCARDLESS_WEBHOOK_ENDPOINT_SECRET"); 5$access_token = getenv("GOCARDLESS_ACCESS_TOKEN"); 6$request_body = file_get_contents('php://input'); 7 8$headers = getallheaders(); 9$signature_header = $headers["Webhook-Signature"]; 10 11try { 12 // The parse method will first verify the signature of the webhook body 13 // in order to ensure it has not been tampered with. Without a valid 14 // signature, a \GoCardlessPro\Core\Exception\InvalidSignatureException 15 // will be thrown. 16 $events = \GoCardlessPro\Webhook::parse($request_body, 17 $signature_header, 18 $webhook_endpoint_secret); 19 $client = new \GoCardlessPro\Client([ 20 'access_token' => $access_token, 21 'environment' => \GoCardlessPro\Environment::SANDBOX 22 ]); 23 24 // Each webhook may contain multiple events to handle, batched together 25 foreach ($events as $event) { 26 // We might want to handle mandate_created emails and send an email which 27 // includes both the mandate and upcoming payments for it. 28 foreach ($events->customer_notifications as $notification) { 29 if ($notification->type === "mandate_created") { 30 $client->customerNotifications()->handle($notification->id); 31 // We recommend processing data asynchronously, so as to 32 // promptly respond to the webhook and avoid timeouts. In this 33 // example, the application uses a message queue to send the 34 // email later. 35 \MyNotificationsSystem::enqueue($notification, $event); 36 } elseif ($notification->type === "payment_created") { 37 // If your mandate_created email properly notifies of the 38 // payment schedule, we still need to handle the payment_created 39 // notification to prevent GoCardless from sending it. 40 $client->customerNotifications()->handle($notification->id); 41 } 42 } 43 } 44 45 header("HTTP/1.1 204 No Content"); 46} catch(\GoCardlessPro\Core\Exception\InvalidSignatureException $e) { 47 header("HTTP/1.1 498 Invalid Token"); 48} 49

Alternatively, if your application does not respond, or does not respond before the deadline, GoCardless will send the notification instead and there will be no opportunity to handle after that point.

In all cases, GoCardless will record the outcome for each notification for audit purposes.

Need help?