Authorize.net's Webhook API allows you to register a URL/end point to receive notifications when specific events occur. For more information on API integration into Webhooks for management or processing notifications, please see our Webhook overview and documentation found on our developer center.

To add an endpoint:

1. Sign in to the Merchant Interface.
2. Be on or switched into the New Merchant Interface (2.0)
3. Click Account from the left navigation.
4. Click Account and API Settings.
5. Click Webhook Notifications.
6. Click Webhook.
7. Click Create a webhook notification.
8. Enter the following information:
   • Name (optional)
   • Endpoint URL (required)
   • Status (optional) Between Inactive and Active - Only active endpoints will receive notifications, however, you can test inactive endpoints.
   • Select the events to subscribe to. You can choose all events, a category or individual events.
9. Click Save.

To edit an endpoint:

1. Sign in to the Merchant Interface.
2. Be on or switched into the New Merchant Interface (2.0)
3. Click Account from the left navigation.
4. Click Account and API Settings.
5. Click Webhook Notifications.
6. Click Webhook.
7. Click Edit next to the Endpoint you would like to change.
8. Or to delete/remove an endpoint, click the X next to the edit button.
9. Click to confirm or cancel the action.
10. On the Edit page, you can change the following
    • Name (optional)
    • Endpoint URL (required)
    • Status (optional) Between Inactive and Active - Only active endpoints will receive notifications, however, you can test inactive endpoints.
    • Subscribed events.
11. Once all changes have been made, click Save.

How do I test Webhook end points?

1. Make sure the endpoint you have added is in an inactive state.
2. Click Test Webhook to generate a test notification.
3. Check your Webhook endpoint to verify it received and processed the test notification.

Receiving Webhooks Notifications

After configuring your Webhooks within your Account Settings, you must have a listener script at your specified endpoint URL to receive event notifications from us. These notifications are sent using an HTTP POST and include a hash in the header, which can be used to validate the origin of the HTTP POST. The body of the notification includes a hash generated with your Authorize.net account Signature Key, which must be generated before enabling any Webhooks notifications within your Account Settings.

Handling Failed Event Notifications

If a notification attempt for a specific event fails, we retry the notification up to 10 times until we receive an HTTP 200 OK message from your server, indicating successful receipt. We retry the notification 3 times at 3-minute intervals, 3 more times at 8-hour intervals, and finally 4 times at 48-hour intervals.

When your server returns an HTTP status code 200, it indicates successful receipt of the Webhook notification, and we will not make additional attempts to deliver the notification for that specific event. If we exhaust all attempts at increasing intervals without a successful response, the URL for that Webhook is assumed to be out of service. The status of that Webhook is set to inactive, and notifications will no longer be sent to the URL registered for that Webhook.

To prevent unnecessary Webhook inactivation, ensure that your server responds with the HTTP status code 200 as soon as the Webhook is received. If your application processes the Webhook notification and takes action based on the notification, and then responds with a 200 response once processing is successful, you run the risk of not sending the 200 response if processing is interrupted on your side. In that scenario, not only is notification processing not working on your side, but future notifications will not be sent from our side. To prevent this, ensure that your application code responds with the HTTP 200 status code as soon as the notification is received, and only then launches into any further processing of the notification.

Webhook Event Types

There are three types of events you can subscribe to:

• Customer Events - These events are associated with Customer Information Manager (CIM) and customer profiles and their underlying payment and shipping profiles you have created and saved.
  • Customer Created (net.authorize.customer.created)
  • Customer Deleted (net.authorize.customer.deleted)
  • Customer Updated (net.authorize.customer.updated)
  • PaymentProfile Created (net.authorize.customer.paymentProfile.created)
  • PaymentProfile Deleted (net.authorize.customer.paymentProfile.deleted)
  • PaymentProfile Updated (net.authorize.customer.paymentProfile.updated)
• Subscription Events - These events are associated with Automated Recurring Billing (ARB) and the automated charging of customers on a subscription.
  • Subscription Cancelled (net.authorize.customer.subscription.cancelled)
  • Subscription Created (net.authorize.customer.subscription.created)
  • Subscription Expired (net.authorize.customer.subscription.expired)
  • Subscription Expiring (net.authorize.customer.subscription.expiring)
  • Subscription Failed (net.authorize.customer.subscription.failed)
  • Subscription Suspended (net.authorize.customer.subscription.suspended)
  • Subscription Terminated (net.authorize.customer.subscription.terminated)
  • Subscription Updated (net.authorize.customer.subscription.updated)
• Payment Events - These events are associated with general payment events.
  • Authcapture Created (net.authorize.payment.authcapture.created)
  • Authorization Created (net.authorize.payment.authorization.created)
  • Capture Created (net.authorize.payment.capture.created)
  • Fraud Approved (net.authorize.payment.fraud.approved)
  • Fraud Declined (net.authorize.payment.fraud.declined)
  • Fraud Held (net.authorize.payment.fraud.held)
  • PriorAuthCapture Created (net.authorize.payment.priorAuthCapture.created)
  • Refund Created (net.authorize.payment.refund.created)
  • Void Created (net.authorize.payment.void.created)