Are you looking for test card numbers?

Would you like to contact support?

Developer-resource icon

Best practices

Learn about best practices when using Adyen notification webhooks.


To protect your server from unauthorised notifications, we strongly recommend that you use Hash-based message authentication code (HMAC) signatures. By verifying the signature included in a notification, you'll confirm that the notification was sent by Adyen, and was not modified during transmission. For more information, refer to Verify HMAC signatures.

We also recommend that you use basic authentication over HTTPS. After you have set up a username and password for basic authentication in your Customer Area, we will include these in the header of the notification, so you can authenticate the request with your server. For this to be secure, you need to use HTTPS for your notifications endpoint, otherwise your basic authentication credentials can be compromised.

Basic authentication only guarantees that the notification was sent by Adyen, not that it wasn't modified during transmission.

Changing your HMAC key

If you need to change the secret HMAC key used to sign notifications, it is enough to generate a new HMAC key in your Customer Area.

If you generate a new HMAC key, it might take some time to propagate this in our infrastructure, so make sure that you can still accept notifications signed with your previous HMAC key for some time.

Configuring your existing notification endpoint

You can change the endpoint of your existing webhook.

Adyen requires you to use HTTPS endpoints with TLSv1.2 to receive Adyen webhook notifications. Before you configure your endpoint to receive Adyen webhook notifications, you need to make sure it supports TLSv1.2 connections.

Update your endpoint URL

  1. Log in to your Customer Area.
  2. Go to Developers > Webhooks.
  3. Next to the webhook you want to change the endpoint for, select the edit webhook icon .
  4. Under Server configuration, configure the following fields:
    • URL: Enter your HTTPS URL.
    • SSL Version: Select TLSv1.2.
  5. Select Save Configuration at the bottom of the page.

If you want to change your endpoint and disable the old endpoint for receiving notifications:

  1. Add a new endpoint in your Customer Area.
  2. Disable the old endpoint.

Disabling notifications

You might want to disable notifications when:

  • Your webhook endpoint is temporarily unable to receive notifications, for example during server maintenance.
  • You have set up a new webhook endpoint for notifications.

To disable notifications:

  1. Log in to your Customer Area.
  2. Go to Developers > Webhooks.
  3. Next to the notification you want to disable, select the edit webhook icon .
  4. Clear the Active checkbox.
  5. Select Save Configuration.

We will then queue all notifications to this endpoint. You will receive the queued notifications when you reactivate this endpoint by selecting the Active checkbox.

If you change the URL while the notifications are disabled, you will not receive the queued notifications, as these will be sent to the old URL.

Configuring merchant accounts

If you are using your Customer Area at the company account level, you can configure notification settings for a group of merchant accounts or for all merchant accounts.

  1. Log in to your Customer Area.
  2. Go to Developers > Webhooks.
  3. Next to the notification you want to edit, select the edit webhook icon .
  4. Under Merchant Accounts, select one of the following options:
    • Include All to apply the notification settings to all merchant accounts.
    • Include Accounts to apply the notification settings only to the accounts you choose.
    • Exclude Accounts to not apply the notification settings to the accounts you choose.
  5. Select Save Configuration at the bottom of the page.

Handling duplicates

In some cases you might receive the same AUTHORISATION notification twice, so make sure that your system is able to deal with duplicates. These duplicate notifications have the same values in the eventCode and pspReference fields, while the eventDate and other fields may differ. Your server should use the details contained in the latest notification.

Queued notifications

To ensure that notifications are properly delivered, your server should acknowledge them with an appropriate response message.

If we don't receive the response message within 10 seconds, all notifications to this endpoint will be queued.

You might still receive AUTHORISATION notifications for credit card payments that did not go through 3D Secure. These notifications are additionally sent from a different system, and not affected when your server is not acknowledging notifications.

We'll then retry sending the notification until it is accepted. Once accepted, you'll also receive all the queued notifications.

Retry attempts happen regularly for up to 7 days, at increasing time intervals:

  • 2 minutes
  • 5 minutes
  • 10 minutes
  • 15 minutes
  • 30 minutes
  • 1 hour
  • 2 hours
  • 4 hours

After that, retries happen every 8 hours for the following 7 days.

If your server is not acknowledging notifications, we will inform you of this with a system message after the fifth retry. To get system messages straight to your inbox, make sure you're subscribed to get system messages by email.

The notification queues are maintained separately for each endpoint. If you have multiple endpoints for receiving notifications and we have queued notifications for one of them, this won't affect the remaining endpoints.

Testing notifications

  1. Log in to your Customer Area.
  2. Select Developers > Webhooks.
  3. Select the edit icon for the webhook you wish to test.
  4. Select Test configuration.
  5. Select the notifications you want to test.
  6. Select Test to run the test. You can use the icon to see the details of the test notification that was sent.


If your endpoint is not accepting notifications properly, you can troubleshoot the issue yourself:

  1. Log in to your Customer Area.
  2. Go to Developers > Webhooks.
  3. Next to the notification endpoint that is not working properly, select Troubleshoot.
    You will see the request for which the expected [accepted] response is not returned by your server.
  4. You can Retry or Ignore notification.

See also