IP Whitelisting

Learn how your integration works with Cashfree.

IP Whitelisting

The IP of the system from which you make your request has to be whitelisted to connect with the Cashfree production server. If the IP is not whitelisted, Cashfree rejects all incoming requests. To whitelist your IP go to IP Whitelist section in Access Control.

All IP's in TEST are automatically whitelisted, while those in PROD need approval from Cashfree. The approval process takes around 24 hours.

Static IP

Depending on your operating system, you can retrieve the IP of the system via multiple methods. You can also find your IP using helper sites such as https://whatismyipaddress.com/.

Please note that the IPv4 has to be whitelisted, not IPv6.

Dynamic IP

In the case where IP cannot be whitelisted, follow the below steps:

  • Pass the signature while generating the Authorization Bearer token.

  • Pass the signature as an HTTP header 'X­-Cf­-Signature'.

  • Make all other API requests with this token, and these requests do not require a signature to be passed as an HTTP header again.

Obtain Public Key: Contact your account manager or write to care@cashfree.com requesting a public key for the payout service. A key gets generated by Cashfree's backend and sent to you over email, usually within 2-3 hours.

Signature Generation using public key: Consider the below steps only if you have a Dynamic IP use case. Here are the steps to generate your signature:

  1. Retrieve your clientId (one which you are passing through the header X-Client-Id )

  2. Append this with CURRENT UNIX timestamp separated by a period (.)

  3. Encrypt this data using RSA encrypt with Public key you received – this is the signature.

  4. Pass this signature through the header X-Cf-Signature.

In the case of using our library, go through the libraries section. During the initialization process, you need to pass the key as a parameter.

public static function getSignature() {
$clientId = "<your clientId here>";
$publicKey =
$encodedData = $clientId.".".strtotime("now");
return static::encrypt_RSA($encodedData, $publicKey);
private static function encrypt_RSA($plainData, $publicKey) { if (openssl_public_encrypt($plainData, $encrypted, $publicKey,
$encryptedData = base64_encode($encrypted);
else return NULL;
return $encryptedData;
private static String generateEncryptedSignature(String clientIdWithEpochTimestamp) {
// clientIdWithEpochTimeStamp = clientId+"."+Instant.now().getEpochSecond();
String encrytedSignature = "";
try {
byte[] keyBytes = Files
.readAllBytes(new File("/Users/sameera/Downloads/payout_test_public_key.pem").toPath()); // Absolute Path to be replaced
String publicKeyContent = new String(keyBytes);
publicKeyContent = publicKeyContent.replaceAll("[\\t\\n\\r]", "")
.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "");
KeyFactory kf = KeyFactory.getInstance("RSA");
X509EncodedKeySpec keySpecX509 = new X509EncodedKeySpec(
RSAPublicKey pubKey = (RSAPublicKey) kf.generatePublic(keySpecX509);
final Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
encrytedSignature = Base64.getEncoder().encodeToString(cipher.doFinal(clientIdWithEpochTimestamp.getBytes()));
} catch (Exception e) {
return encrytedSignature;
from cashfree_sdk.payouts import Payouts
// Initialise the SDK, pass public key for dynamic IP
Payouts.init("<client_id>", "<client_secret>", "PROD", public_key= b'public key')
//require CashfreeSDK
const cfSdk = require('cashfree-sdk');
//access the PayoutsSdk from CashfreeSDK
const {Payouts} = cfSdk;
//Initialize Cashfree Payout for dynamic ip
"ENV": "TEST",
"ClientID": "CLIENTID",
"ClientSecret": "CLIENTSECRET",
"PathToPublicKey": "/path/to/your/public/key/file.pem",