The Reference Docs Developer Hub

Welcome to the Reference Docs developer hub. You'll find comprehensive guides and documentation to help you start working with Reference Docs as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Webhooks

Webhooks can be used as alerts to keep your systems and partner applications in sync with actions inside Recurly. Webhooks themselves should not be used as actionable items— please see Best Practices below for more information on working with webhooks.

Recurly can send webhooks to any publicly accessible server. When an event in Recurly triggers a webhook (e.g., an account is opened), Recurly will attempt to send this notification to the endpoint(s) you specify. You can specify up to 10 endpoints through the application. All notifications will be sent to all configured endpoints for your site.

Recurly only considers a notification delivered if it receives a timely response with a successful status code. In other words:

  • Your endpoint must be reachable at ports 80 (HTTP) or 443 (HTTPS) (Recurly does not support other ports).
  • Your endpoint must respond within 5 seconds
  • Your endpoint must respond with a 2XX status code (e.g., 200, 201, 204, etc). Recurly does not follow redirects or consider them successful responses.

Best Practices

Webhooks are not actionable on their own and should not be used for critical functions like provisioning accounts. The API response from an original action (i.e., signup, one time purchase) can be used to provision the account and store the state/details behind the action locally. The state/details of a user should be maintained in your internal database, and assumed unchanged unless a change of state is indicated with a webhook. Use the receipt of a webhook to trigger an API query to validate the push notification details against the current API data.

Recurly webhooks may be retried or sent multiple times if the delivery status is considered failed. Please make sure your endpoint can receive the same notification multiple times and in the wrong order.

For example, an account can close and we will send a notification for this. If delivery fails, the notification will be sent again later. In the meantime, the account could reopen (triggering another push notification). If your endpoint begins working again, it may receive the closed account notification after the account was reopened). Make sure that if your application takes action on closed accounts, that it verifies the account is still closed by issuing an API request.

Configuration & Security

If Recurly fails to deliver a webhook, it will retry it (see Automatic retries, below).

Webhooks support HTTP Basic Authentication to verify the request came from Recurly's servers.

Webhooks will come from any of the following IP addresses:

50.18.192.88
52.8.32.100
52.9.209.233
50.0.172.150
52.203.102.94
52.203.192.184

You may refuse other IP addresses from your endpoint configuration.

We recommend using http://requestb.in/ as an easy way to capture webhooks for initial testing.

Note: Recurly does not advocate the use of specific web servers or plugins, such as Apache with ModSecurity. However, if you are using Apache with ModSecurity, you may need to disable rule #990011 in mod_security in order for webhooks to be unblocked.

Webhook Details

Notifications are never combined. For example, if user signs up for a new subscription and this triggers a payment, you will receive two separate notifications (one for the subscription and one for the payment).

All webhooks notifications are stored in our systems for 15 days and are available through the application console. The application console also provides details about failure reasons. The timestamp for webhooks is in UTC, although we translate this to your site’s configured timezone when viewing notification status in the application.

Please note that if you delete an endpoint, please note that notifications sent to that endpoint over the last 15 days will no longer appear in the list of notifications.

Automatic retries

If Recurly receives an error in response to a webhook sent to your webhook URL, the notification will be retried. After ten failed attempts, Recurly will stop trying to send the failed notification. Notifications are sent in the order in which they were created. The interval between retries is approximately 10 + x* 2^(x+5), where x is the current attempt number. This means that the interval between the first few retries will be very short, but will extend exponentially in length as the retry number increases.

Notification Types

For a complete list of notification types, please refer to the Webhooks Developer Docs.

Cross Site Request Forgery (CSRF) for Rails applications

Many Rails applications enable forgery protection protect_from_forgery. You must disable protect_from_forgery for the action you setup to listen for changes from Recurly. In your controller, use the following line (assumes your listening action is named recurly_notification):

protect_from_forgery :except => :recurly_notification

Webhooks

Webhooks can be used as alerts to keep your systems and partner applications in sync with actions inside Recurly. Webhooks themselves should not be used as actionable items— please see Best Practices below for more information on working with webhooks.