Search

Are you looking for test card numbers?

Would you like to contact support?

Best practices

Learn about best practices when using Adyen notification webhooks.

Security

To protect your server from unauthorised notifications, we strongly recommend that you use Hash-based message authentication code (HMAC) signatures. By verifying the signature included in a notification, you'll confirm that the notification was sent by Adyen, and was not modified during transmission. For more information, refer to Verify HMAC signatures.

We also recommend that you use basic authentication over HTTPS. After you have set up a username and password for basic authentication in your Customer Area, we will include these in the header of the notification, so you can authenticate the request with your server. For this to be secure, you need to use HTTPS for your notifications endpoint, otherwise your basic authentication credentials can be compromised.

Basic authentication only guarantees that the notification was sent by Adyen, not that it wasn't modified during transmission.

Changing your HMAC key

If you need to change the secret HMAC key used to sign notifications, it is enough to generate a new HMAC key in your Customer Area.

If you generate a new HMAC key, it might take some time to propagate this in our infrastructure, so make sure that you can still accept notifications signed with your previous HMAC key for some time.

Changing your notifications endpoint

If you need to change your endpoint for receiving notifications:

  1. Add a new endpoint in your Customer Area.
  2. Disable the old endpoint.

Disabling notifications

You might want to disable notifications when:

  • Your endpoint is temporarily unable to receive notifications, for example during server maintenance.
  • You have set up a new endpoint for notifications.

To disable notifications:

  1. Log in to your Customer AreaCustomer Area.
  2. Go to Account > Server communication.
  3. Next to the endpoint that you wish to disable, click Edit & Test.
  4. Clear the Active checkbox.
  5. Click Save Configuration.

We will then queue all notifications to this endpoint. You will receive the queued notifications when you reactivate this endpoint by checking the Active checkbox.

If you change the URL while the notifications are disabled, you will not receive the queued notifications, as these will be sent to the old URL.

Handling duplicates

In some cases you might receive the same AUTHORISATION notification twice, so make sure that your system is able to deal with duplicates. These duplicate notifications have the same values in the eventCode and pspReference fields, while the eventDate and other fields may differ. Your server should use the details contained in the latest notification.

Queued notifications

To ensure that notifications are properly delivered, your server should acknowledge them with an appropriate response message.

If we don't receive the response message within 10 seconds, all notifications to this endpoint will be queued. We'll then retry sending the notification until it is accepted. Once accepted, you'll also receive all the queued notifications.

Retry attempts happen regularly for up to 7 days, at increasing time intervals:

  • 2 minutes
  • 5 minutes
  • 10 minutes
  • 15 minutes
  • 30 minutes
  • 1 hour
  • 2 hours
  • 4 hours

After that, retries happen every 8 hours for the following 7 days.

If your server is not acknowledging notifications, we will inform you of this with a system message. For more information, see How do I subscribe to system messages.

The notification queues are maintained separately for each endpoint. If you have multiple endpoints for receiving notifications and we have queued notifications for one of them, this won't affect the remaining endpoints.

Troubleshooting

If your endpoint is not accepting notifications properly, you can troubleshoot the issue yourself:

  1. Log in to your Customer Area
  2. Go to Account > Server Communications.
  3. Next to the notification endpoint that is not working properly, click Troubleshoot.
    You will see the request for which the expected [accepted] response is not returned by your server.

See also