Authentication overview

Razorpay IFSC utilizes a standard API key-based authentication model for programmatic access to its services. This approach requires developers to generate a unique set of credentials—a Key ID and a Key Secret—from their Razorpay dashboard. These keys are then used to sign API requests, ensuring that only authenticated and authorized entities can interact with the Razorpay platform. For server-side applications, the API Key ID and Key Secret are typically passed as part of the HTTP Basic Authentication header or directly in the request body, depending on the specific API endpoint and SDK implementation. For client-side operations, secure tokenization or server-side proxying is recommended to prevent exposure of sensitive credentials.

In addition to API keys for outgoing requests, Razorpay employs a separate mechanism for securing incoming webhook notifications. Webhooks are critical for real-time updates on transaction statuses, refunds, and other events. To ensure the integrity and authenticity of these notifications, Razorpay sends a digital signature with each webhook payload. Developers must verify this signature using a pre-shared secret to confirm that the event originated from Razorpay and has not been tampered with in transit. This two-pronged authentication strategy addresses both outbound API calls and inbound event notifications, contributing to a secure payment processing environment (see the Razorpay API documentation).

Supported authentication methods

Razorpay primarily supports API key authentication for its RESTful API and HMAC-based signature verification for webhooks. These methods are designed to provide secure and reliable communication between your application and the Razorpay platform.

Method: API Keys (Key ID & Key Secret)
  When to use:
    • Authenticating server-to-server API calls (e.g., creating orders, initiating refunds).
    • Used in the HTTP Basic Authentication header or request body.
    • Supported by all Razorpay SDKs (Python SDK integration, Node.js SDK integration, etc.).
  Security level: High. Requires secure storage and transmission. Vulnerable if exposed in client-side code.

Method: Webhook Signature Verification (HMAC-SHA256)
  When to use:
    • Verifying the authenticity and integrity of incoming webhook events from Razorpay.
    • Essential for processing real-time notifications about payment status changes.
    • Uses a secret key shared between your application and Razorpay.
  Security level: High. Protects against spoofing and tampering of event data.

Method: Tokenization (Client-side)
  When to use:
    • Collecting sensitive card details directly from the customer's browser without them touching your server.
    • The Razorpay.js library tokenizes card details into a one-time-use token.
    • This token is then sent to your server for processing via API keys.
  Security level: Very High. Reduces PCI DSS compliance scope by minimizing exposure of raw card data.

For operations involving sensitive customer data or financial transactions, Razorpay emphasizes server-side API calls authenticated with API keys. Client-side interactions, such as collecting payment information, should leverage Razorpay.js for secure tokenization, which reduces the merchant's PCI DSS compliance burden by ensuring raw card data never directly touches the merchant's servers (see the Razorpay.js documentation).

Getting your credentials

To obtain the necessary authentication credentials for Razorpay IFSC, you must access your Razorpay Dashboard. The process involves creating an API key pair, which consists of a Key ID and a Key Secret. These credentials are unique to your account and environment (test or live) and are required for all API operations.

Steps to generate API keys:

  1. Log in to Razorpay Dashboard: Navigate to the official Razorpay website and log in to your merchant account.
  2. Access API Keys Section: From the dashboard, go to Settings > API Keys.
  3. Generate New Key: Click on the Generate Key button. If you already have existing keys, you might see an option to regenerate.
  4. Retrieve Key ID and Key Secret: Upon generation, Razorpay will display your Key ID and Key Secret. The Key Secret is displayed only once. It is crucial to copy and store it securely immediately. If you lose your Key Secret, you will need to regenerate the key pair, which invalidates the previous secret.
  5. Switch between Test/Live Mode: Ensure you are generating keys for the correct environment (Test Mode for development and testing, Live Mode for production transactions). You can switch between these modes using the toggle at the top of the dashboard.

Webhook Secret:

For webhook signature verification, a separate secret is configured during the webhook setup process. When you create a new webhook endpoint in the Razorpay Dashboard (Settings > Webhooks), you will be prompted to enter a secret string. This secret is used by Razorpay to generate the X-Razorpay-Signature header in webhook requests, and by your application to verify the signature. It is critical to use a strong, unique secret for each webhook endpoint and keep it confidential.

Authenticated request example

Here's an example of how to make an authenticated API request to Razorpay using Python, demonstrating the use of Basic Authentication with your Key ID and Key Secret. This example creates an order, a common operation in the Razorpay payment flow. The Razorpay Python SDK simplifies this process.


import razorpay

# Replace with your actual Key ID and Key Secret
key_id = 'YOUR_KEY_ID'
key_secret = 'YOUR_KEY_SECRET'

# Initialize the Razorpay client
client = razorpay.Client(auth=(key_id, key_secret))

# Create an order
data = {
    "amount": 50000,  # amount in paise (e.g., 50000 paise = INR 500)
    "currency": "INR",
    "receipt": "order_rcptid_11",
    "notes": {
        "key1": "value3",
        "key2": "value2"
    }
}

try:
    order = client.order.create(data=data)
    print("Order created successfully:")
    print(order)
except Exception as e:
    print(f"Error creating order: {e}")

This Python example directly uses the razorpay SDK, which handles the underlying HTTP Basic Authentication details. The key_id and key_secret are passed during the client initialization, and the SDK automatically includes them in the request headers for subsequent API calls. For direct HTTP requests without an SDK, you would construct the Authorization header manually by base64-encoding Key_ID:Key_Secret.

Webhook Signature Verification Example (Node.js):

This Node.js example demonstrates how to verify an incoming webhook signature. This is crucial for ensuring the authenticity of notifications sent from Razorpay.


const crypto = require('crypto');
const express = require('express');
const bodyParser = require('body-parser');

const app = express();

// Replace with your actual Webhook Secret
const webhookSecret = 'YOUR_WEBHOOK_SECRET';

// Keep the raw body bytes: the signature is computed over exactly the bytes
// Razorpay sent, not over a re-serialized copy of the parsed JSON
app.use(bodyParser.json({
  verify: (req, res, buf) => {
    req.rawBody = buf;
  }
}));

// Constant-time comparison; a plain === comparison leaks information
// about the expected value through response timing
function isValidSignature(rawBody, signature) {
  if (!rawBody || typeof signature !== 'string') {
    return false; // missing body or header: reject
  }
  const expected = crypto.createHmac('sha256', webhookSecret)
                         .update(rawBody)
                         .digest('hex');
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(signature, 'utf8');
  // timingSafeEqual throws if the buffers differ in length, so check first
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

app.post('/webhook', (req, res) => {
  const signature = req.headers['x-razorpay-signature'];

  if (isValidSignature(req.rawBody, signature)) {
    console.log('Webhook signature verified successfully!');
    // Process the webhook event (e.g., update order status)
    const event = req.body;
    console.log('Received event:', event.event);
    res.status(200).send('OK');
  } else {
    console.error('Webhook signature verification failed.');
    res.status(400).send('Signature Mismatch');
  }
});

const PORT = 3000;
app.listen(PORT, () => {
  console.log(`Webhook server listening on port ${PORT}`);
});

In this Node.js example, the raw request body is used along with the webhookSecret to compute the expected HMAC-SHA256 signature. This computed signature is then compared against the x-razorpay-signature header received from Razorpay; the comparison should be constant-time so that response timing does not reveal how much of the expected value an attacker has guessed. A mismatch (or a missing header) indicates a potentially malicious or tampered request, which should be rejected. This is a standard practice for webhook security across many API providers (compare, for example, the AWS API Gateway Lambda authorizer reference).
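The same verification in Python, as an added example that is not part of the original page or the Razorpay SDK. It uses only the standard library; the secret and the webhook body are constructed sample values. Beyond the Node.js route above, it demonstrates the failure mode the raw-body comment hints at: a body that has been parsed and re-serialized by a JSON middleware no longer matches the signature, even though it carries the same event.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example (not real Razorpay data):
# the secret entered in Settings > Webhooks and the raw body as delivered.
WEBHOOK_SECRET = "whsec_example_do_not_use"
RAW_BODY = (
    b'{"entity":"event","event":"payment.captured",'
    b'"payload":{"payment":{"entity":{"id":"pay_EXAMPLE00000001",'
    b'"amount":50000,"currency":"INR","status":"captured"}}}}'
)


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request bytes, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header, secret: str) -> bool:
    """True only if the header matches the HMAC of the exact raw bytes."""
    if not isinstance(signature_header, str) or not signature_header:
        return False  # missing header: reject, never treat as "unsigned but fine"
    expected = compute_signature(secret, raw_body)
    # compare_digest is constant-time, so response timing does not reveal
    # how many leading bytes of a guessed signature were correct
    return hmac.compare_digest(expected.encode("ascii"),
                               signature_header.encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: dict, secret: str = WEBHOOK_SECRET):
    """Mirror of the Express route: returns (status, body) for one delivery."""
    # HTTP header names are case-insensitive, so normalise before lookup
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(raw_body, lowered.get("x-razorpay-signature"), secret):
        return 400, "Signature Mismatch"
    event = json.loads(raw_body)  # parse only after the bytes are authenticated
    return 200, f"OK: {event['event']}"


def reserialized(raw_body: bytes) -> bytes:
    """What a JSON middleware hands you if it parses and re-encodes the body."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(WEBHOOK_SECRET, RAW_BODY)
    print(handle_webhook(RAW_BODY, {"X-Razorpay-Signature": sig}))
    # Re-encoded JSON differs in whitespace, so the same event fails verification:
    print(handle_webhook(reserialized(RAW_BODY), {"X-Razorpay-Signature": sig}))
    # A tampered amount presented with the original signature is rejected too:
    tampered = RAW_BODY.replace(b'"amount":50000', b'"amount":5')
    print(handle_webhook(tampered, {"X-Razorpay-Signature": sig}))
```

The design point is the order of operations: the HMAC is checked over the bytes as received, and only then is the JSON parsed and acted on. Frameworks that parse the body before your handler runs must expose the original bytes (as the body-parser verify hook does above), otherwise the re-encoded text silently breaks verification.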

Security best practices

Implementing strong security practices is crucial when integrating with any payment gateway like Razorpay IFSC. Adhering to these guidelines helps protect sensitive data and prevent unauthorized access to your account.

  • Protect API Keys:
    • Never embed keys in client-side code: API Key Secrets should never be exposed in client-side code (e.g., JavaScript in browsers, mobile app binaries). Use a backend server to make API calls to Razorpay.
    • Environment Variables: Store API keys as environment variables rather than hardcoding them directly in your application code. This prevents accidental exposure and simplifies key rotation.
    • Secure Storage: If keys must be stored, use secure storage mechanisms like AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault.
    • Access Control: Restrict access to API keys to only authorized personnel and systems.
  • Rotate API Keys Regularly: Periodically generate new API keys and invalidate old ones. This minimizes the impact if a key is compromised. Razorpay's dashboard allows for key regeneration.
  • Use Test Keys for Development: Always use test API keys for development and staging environments. Switch to live keys only when deploying to production. This prevents accidental live transactions during testing.
  • Implement Webhook Signature Verification: Always verify the X-Razorpay-Signature header for every incoming webhook request. This ensures that the webhook originated from Razorpay and that its payload has not been tampered with. Reject any webhook that fails signature verification.
  • Secure Webhook Endpoints: Ensure your webhook endpoints are served over HTTPS and are protected from unauthorized access. Only allow POST requests to these endpoints.
  • Idempotency for API Requests: Implement idempotency keys for API requests where applicable. This prevents duplicate processing of transactions if a request is retried due to network issues or other transient errors.
  • Error Handling and Logging: Implement robust error handling for API calls. Log relevant information (without exposing sensitive data) to monitor for suspicious activity or integration issues.
  • PCI DSS Compliance: While Razorpay is PCI DSS Level 1 compliant, merchants still have responsibilities. If you handle card data directly (which is generally discouraged), ensure your systems are compliant. Using Razorpay.js for tokenization significantly reduces your PCI DSS scope.
  • Least Privilege Principle: If Razorpay introduces role-based access for API keys in the future, grant only the minimum necessary permissions to each key required for its specific function.
  • Monitor for Suspicious Activity: Regularly review your Razorpay dashboard for any unusual transaction patterns or API call volumes that might indicate a compromise.
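An added example (not code from the original page or the Razorpay SDK) that ties together the manual Authorization header described after the Python order example and the key-handling practices above: credentials are read from environment variables rather than source, a live key is refused outside production (Razorpay key IDs carry an rzp_test_ or rzp_live_ prefix), the Basic header is built exactly as base64(Key_ID:Key_Secret), and a redacted form is provided for logs. The environment variable names RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRET and APP_ENV are assumptions for this example; the request is prepared but not sent, so it runs offline.

```python
import base64
import json
import os
import urllib.request

# Orders endpoint used by the order-create call shown earlier on the page
ORDERS_URL = "https://api.razorpay.com/v1/orders"


class CredentialError(RuntimeError):
    """Raised when keys are missing or do not match the deployment environment."""


def load_credentials(env=None):
    """Read the key pair from the environment (assumed variable names).

    Razorpay key IDs start with rzp_test_ or rzp_live_, which lets a deployment
    refuse a live key outside production and a test key inside it.
    """
    env = os.environ if env is None else env
    key_id = env.get("RAZORPAY_KEY_ID", "")
    key_secret = env.get("RAZORPAY_KEY_SECRET", "")
    app_env = env.get("APP_ENV", "development")
    if not key_id or not key_secret:
        raise CredentialError("RAZORPAY_KEY_ID and RAZORPAY_KEY_SECRET must be set")
    if key_id.startswith("rzp_live_") and app_env != "production":
        raise CredentialError(f"live key refused in {app_env} environment")
    if key_id.startswith("rzp_test_") and app_env == "production":
        raise CredentialError("test key refused in production environment")
    return key_id, key_secret


def basic_auth_header(key_id, key_secret):
    """What the SDK sends for you: 'Basic ' + base64('Key_ID:Key_Secret')."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header):
    """Basic auth is encoding, not encryption: whoever sees the header
    (logs, proxies, a non-TLS hop) recovers the Key Secret directly."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    key_id, _, key_secret = base64.b64decode(token).decode("utf-8").partition(":")
    return key_id, key_secret


def build_order_request(key_id, key_secret, amount_paise, currency="INR", receipt=None):
    """Prepare (without sending) the POST that client.order.create performs."""
    body = {"amount": amount_paise, "currency": currency}
    if receipt is not None:
        body["receipt"] = receipt
    return urllib.request.Request(
        ORDERS_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": basic_auth_header(key_id, key_secret),
            "Content-Type": "application/json",
        },
        method="POST",
    )


def redacted(key_id):
    """Log-safe form of a Key ID: mode prefix and last four characters only."""
    return key_id[:9] + "..." + key_id[-4:] if len(key_id) > 13 else "***"


if __name__ == "__main__":
    # Constructed environment for the demo; in deployment use os.environ
    demo_env = {
        "RAZORPAY_KEY_ID": "rzp_test_ExampleKey123",
        "RAZORPAY_KEY_SECRET": "examplesecret",
        "APP_ENV": "development",
    }
    kid, ks = load_credentials(demo_env)
    req = build_order_request(kid, ks, 50000, receipt="order_rcptid_11")
    print("Using key", redacted(kid), "->", req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it; omitted so this runs offline
```

The header check in load_credentials is cheap insurance against the "accidental live transactions" case in the practices above, and decode_basic_auth exists to make the point that the Authorization header must travel only over HTTPS and never land in request logs.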