Best Practices
Webhooks provide a reliable way to monitor transaction statuses and trigger the necessary actions in your Zoho Payments account. Check out these recommended practices to keep your webhooks secure and ensure they function smoothly with your integration.
Verify Signatures
Zoho Payments strongly advises verifying the signature of each webhook request before processing it. This step ensures the authenticity of the request’s origin. Additionally, the signature is unique for every delivery attempt, helping prevent replay attacks from malicious actors attempting to re-transmit the webhook.
Handle Duplicates
Zoho Payments provides an at-least-once guarantee for webhook delivery, meaning that while the delivery is ensured, occasional duplicate notifications may occur. Therefore, your server should be designed to handle duplicates appropriately. Logging the event_id can help ensure that you don’t process the same event more than once.
Balance Traffic
Zoho Payments allows you to configure one or more events for each endpoint, and you can also set up multiple endpoints. Follow the steps below to optimize webhook traffic.
- Manage traffic efficiently by avoiding clustering all events at a single endpoint, as this can lead to multiple concurrent requests.
- Subscribe only to the necessary events to reduce server load.
- Spikes in webhook deliveries may occur due to high transaction volumes or network delays, causing events to accumulate and hit your servers simultaneously. Implement a queue to process webhooks asynchronously to handle this.
Prevent Timeouts
Zoho Payments recommends that your server respond promptly to webhook requests with a 200 OK status to avoid timeouts and re-delivery attempts. Ideally, your server should quickly verify the webhook request and send an immediate response. Afterward, you can process and handle the data on your end without keeping the network connection open between your server and Zoho Payments.
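A minimal receiver that combines the duplicate-handling, queueing and timeout advice above, as an added example and not Zoho Payments code. It assumes a JSON body with a top-level event_id string; the class name, the SQLite table and the sample payload are constructed for illustration, and signature verification is expected to run before receive() is called.

```python
import json
import queue
import sqlite3
import threading


class WebhookReceiver:
    """Acknowledge fast, de-duplicate on event_id, process in the background."""

    def __init__(self, handler, db_path=":memory:"):
        self.handler = handler          # slow business logic, runs off the request path
        self.failed = []                # (event_id, error) pairs for later inspection
        self.jobs = queue.Queue()
        self.lock = threading.Lock()
        self.db = sqlite3.connect(db_path, check_same_thread=False)
        self.db.execute("CREATE TABLE IF NOT EXISTS seen (event_id TEXT PRIMARY KEY)")
        threading.Thread(target=self._worker, daemon=True).start()

    def receive(self, body: bytes) -> int:
        """Call after the signature check passes; returns the HTTP status to send."""
        try:
            event_id = json.loads(body)["event_id"]   # assumed: JSON body, top-level event_id
        except (ValueError, KeyError, TypeError):
            return 400
        if not isinstance(event_id, str) or not event_id:
            return 400
        with self.lock:
            # PRIMARY KEY + INSERT OR IGNORE makes "first time seen?" one atomic step.
            cur = self.db.execute("INSERT OR IGNORE INTO seen VALUES (?)", (event_id,))
            self.db.commit()
        if cur.rowcount == 1:
            self.jobs.put((event_id, body))
        return 200   # duplicates are acknowledged too, so they are not re-delivered

    def _worker(self):
        while True:
            event_id, body = self.jobs.get()
            try:
                self.handler(json.loads(body))
            except Exception as exc:      # keep the worker alive; record the failure
                self.failed.append((event_id, repr(exc)))
            finally:
                self.jobs.task_done()


if __name__ == "__main__":
    done = []
    rx = WebhookReceiver(done.append)
    sample = b'{"event_id": "evt-constructed-001", "note": "constructed sample"}'
    print([rx.receive(sample), rx.receive(sample), rx.receive(b"{}")])
    rx.jobs.join()
    print(len(done))
```

The in-memory queue is lost on restart; a durable queue avoids dropping an event that was already recorded as seen.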