Webhooks can be used as alerts to keep your systems and partner applications in sync with actions inside Recurly. Webhooks themselves should not be used as actionable items— please see Best Practices below for more information on working with webhooks.
Recurly can send webhooks to any publicly accessible server. When an event in Recurly triggers a webhook (e.g., an account is opened), Recurly will attempt to send this notification to the endpoint(s) you specify. You can specify up to 10 endpoints through the application. All notifications will be sent to all configured endpoints for your site.
Recurly only considers a notification delivered if it receives a timely response with a successful status code. In other words:
- Your endpoint must be reachable at ports
443(HTTPS) (Recurly does not support other ports).
- Your endpoint must respond within 5 seconds
- Your endpoint must respond with a
2XXstatus code (e.g.
204, etc). Recurly does not follow redirects or consider them successful responses.
If you need to generate a test URL you can do this using RequestBin or Mockbin.
Sandbox vs Production
Recurly sends sandbox and production webhooks from different services, so that the high level of testing done in sandbox mode does not impact production data.
In times of high sandbox testing volume, sandbox webhook deliverability may be delayed by up to 48 hours.
Recurly may auto-pause sandbox webhook endpoints that consistently return a high number of deliverability errors in a short window of time.
Webhooks are not actionable on their own and should not be used for critical functions like provisioning accounts. The API response from an original action (i.e. signup, one time purchase) can be used to provision the account and store the state/details behind the action locally. The state/details of a user should be maintained in your internal database, and assumed unchanged unless a change of state is indicated with a webhook. Use the receipt of a webhook to trigger an API query to validate the push notification details against the current API data.
Recurly webhooks may be retried or sent multiple times if the delivery status is considered failed. Please make sure your endpoint can receive the same notification multiple times and in the wrong order.
For example, an account can close and we will send a notification for this. If delivery fails, the notification will be sent again later. In the meantime, the account could reopen (triggering another push notification). If your endpoint begins working again, it may receive the closed account notification after the account was reopened). Make sure that if your application takes action on closed accounts, that it verifies the account is still closed by issuing an API request.
Configuration & Security
If Recurly fails to deliver a webhook, it will retry it (see Automatic retries, below).
Webhooks support HTTP Basic Authentication to verify the request came from Recurly's servers.
Please see our IP Allowlist documentation for the current list of Recurly IPs.
You may refuse other IP addresses from your endpoint configuration.
Note: Recurly does not advocate the use of specific web servers or plugins, such as Apache with ModSecurity. However, if you are using Apache with ModSecurity, you may need to disable rule #990011 in mod_security in order for webhooks to be unblocked.
Notifications are never combined. For example, if a user signs up for a new subscription and this triggers a payment, you will receive two separate notifications (one for the subscription and one for the payment).
All webhooks notifications are stored in our systems for 15 days and are available through the application console. The application console also provides details about failure reasons. The timestamp for webhooks is in UTC, although we translate this to your site’s configured timezone when viewing notification status in the application.
Please note that if you delete an endpoint, notifications sent to that endpoint over the last 15 days will no longer appear in the list of notifications.
If Recurly receives an error in response to a webhook sent to your webhook URL, the notification will be retried. After ten failed attempts, Recurly will stop trying to send the failed notification. Notifications are sent in the order in which they were created. The interval between retries is approximately 10 + x* 2^(x+5), where x is the current attempt number. This means that the interval between the first few retries will be very short, but will extend exponentially in length as the retry number increases.
For a complete list of notification types, please refer to the Webhooks Developer Docs.
Cross Site Request Forgery (CSRF) for Rails applications
Many Rails applications enable forgery protection
protect_from_forgery. You must disable
protect_from_forgery for the action you setup to listen for changes from Recurly. In your controller, use the following line (assumes your listening action is named
protect_from_forgery :except => :recurly_notification
Updated almost 3 years ago