PayU Integration Lab

Merchant Hosted Integration

Select a Payment Mode

Choose a payment method to integrate via S2S (Server-to-Server)

UPI Payments

Intent, QR, Collect — one-time, mandates, subscriptions, cross-border & split

Cards

Credit & debit card payments with 3DS authentication and tokenization

Net Banking

Direct bank transfers via online banking for all major banks

Getting Started
⚡ Choose Your Flow
UPI One-Time Payment ▼
1 Intent / QR Flow
2 Initiate Payment
3 Verify Payment
UPI OTM (Pre-Authorize) ▼
1 UPI OTM Transaction
2 Verify Payment Auth
3 Capture Transaction
4 Verify Payment Capture
5 Cancel Transaction
6 OTM Status Check
3 OTM Status Check
4 Capture Transaction
5 Verify Payment Capture
6 Cancel Transaction
UPI Subscriptions (Autopay) ▼
1 Register Mandate
2 Verify Payment
3 Mandate Status
4 Modify Mandate
5 Pre-Debit Notification
6 SI Transaction
7 Verify SI Payment
Cancel / Refund & Status ▼
1 Cancel / Refund
2 Check Action Status
Tools & Utilities ▼
🔧 Troubleshooting

Merchant Config

Key

Salt

Choose Your Integration Flow

Select the UPI product you want to integrate. Each card walks you through the complete flow — from initiation to verification.

UPI One-Time Payment

Accept single UPI payments via Intent, QR, or Collect. The most common UPI integration.

Intent / QR→ Initiate→ Verify→ Done

Start Flow →

🔒

UPI OTM (Pre-Authorize)

Pre-authorize a UPI amount, then capture later. Supports single and multi-capture.

Pre-Auth→ Verify→ Capture→ Status

Start Flow →

🔄

UPI Subscriptions (Autopay)

Start Flow →

🔄

Cancel / Refund & Status

Cancel a pending UPI transaction, initiate refunds for completed payments, and check the status of any action.

Cancel• Refund→ Check Status

Start Flow →

🔧

Troubleshooting

Common issues developers face during UPI seamless integration — causes, detection, and step-by-step fixes.

Hash errors• VPA issues• Pending payments

Open Guide →

📱

PayU UPI Simulator App

Install the PayU UPI Intent Simulator APK on your Android device to test UPI Intent flows and complete transactions in the sandbox.

Download APK ↓

Quick links: Prerequisites Architecture Troubleshooting

Prerequisites

Before you begin

Ensure you have the following ready before starting the integration.

Active PayU Merchant Account (Test/Production) Merchant Key (provided by PayU) Merchant Salt v1 (for hash generation) Server-side setup (Node.js / PHP / Java / Python) Success & Failure callback URLs configured UPI payment mode enabled on your PayU account

Test Environment Details

Environment URLs

Test Payment URL: https://test.payu.in/_payment
Production URL:   https://secure.payu.in/_payment

Test Merchant Key:  Your test key from PayU Dashboard
Test Merchant Salt: Your test salt v1 from PayU Dashboard

Callback Test URL:  https://test.payu.in/admin/test_response

UPI Flow Architecture

Understanding the complete UPI payment flow between all parties involved.

👤

Customer

→

🏢

Merchant Server

→

⚡
PayU API

→

📱

UPI App

→

✅

Response

Detailed Flow Steps

Customer initiates payment

Customer selects UPI on merchant's checkout page and optionally enters VPA or selects UPI app.

Merchant server generates hash

Server computes SHA-512 hash using key|txnid|amount|productinfo|firstname|email|udf1-5||||||salt

POST to PayU _payment API

Merchant server sends payment request with pg=UPI, bankcode=INTENT, and txn_s2s_flow=4.

PayU returns deeplink

PayU responds with a UPI deeplink URL. Merchant generates QR code from this deeplink or redirects to UPI app.

Customer approves on UPI app

Customer scans QR or opens UPI app, enters PIN and approves the payment.

PayU sends callback / Merchant polls status

PayU sends S2S callback to surl/furl. Merchant should also poll verify API for confirmation.

UPI Intent Flow

📱

PayU UPI Intent Simulator App

To test UPI Intent or complete UPI transactions in the sandbox environment, install the PayU UPI Simulator app on your Android device.

Download APK ↓

Overview

PayU supports three types of UPI Intent flows for initiating payments. All three use the same _payment API with pg=UPI and txn_s2s_flow=4 — the difference lies in the bankcode and how you handle the response deeplink on the customer's device.

Generic Intent — Works with any UPI app via QR code scanning (best for web)
Specific Intent — Targets a specific UPI app like Google Pay or PhonePe
Smart Intent — Auto-detects the best UPI app on the customer's device (required on Android per NPCI)

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

UPI S2S Enabled
UPI payment mode with S2S flow enabled on your account

✓

QR Library (Web)
A QR code generation library for rendering deeplinks

✓

Deep Link Handling (Mobile)
Intent handling on Android / URL scheme on iOS

How It Works

Merchant
POST _payment

→

PayU S2S
Returns deeplink

→

UPI Deeplink
QR / App Launch

→

Customer
Pays via UPI

→

Callback
surl / furl

Step-by-Step Guide

Choose an intent type

Decide between Generic (QR), Specific (target app), or Smart (auto-detect). This determines the bankcode you send.

Send the payment request

POST to _payment with pg=UPI, txn_s2s_flow=4, and your chosen bankcode. Use the Initiate Payment form (next step) to test.

Extract the deeplink from the response

PayU returns intentURIData (a upi://pay?... URL) or acsTemplate (base64 HTML). Extract the deeplink URI.

Present to customer

Web: Convert deeplink to QR code. Android: Fire an ACTION_VIEW intent. iOS: Open the URL scheme for the target app.

Poll & handle callback

Poll check_payment while waiting. PayU posts the final result to your surl (success) or furl (failure).

Intent Types — Deep Dive

▣ Generic UPI Intent

How it works: Generates a UPI deeplink URL that you convert into a QR code. Any UPI app on the customer's phone can scan the QR to pay. Best for desktop web and cross-platform payments.

Workflow

POST
_payment API

→

Extract
intentURIData

→

Build
Deeplink

→

Generate
QR Code

→

Customer
Scans & Pays

→

Verify
Payment

Send Payment Request

POST to _payment with these key parameters for Generic Intent:

Generic Intent Parameters

pg=UPI
bankcode=INTENT
txn_s2s_flow=4
s2s_client_ip=10.200.12.12
s2s_device_info=Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Use the Initiate Payment form (next step) to test this — select bankcode=INTENT.

Extract intentURIData from Response

If metaData.unmappedStatus = "pending", extract result.intentURIData from the response.

Sample Response

{
  "metaData": {
    "txnId": "my_order_26075",
    "unmappedStatus": "pending"
  },
  "result": {
    "paymentId": "403993715535965242",
    "intentURIData": "pa=payutest@hdfcbank&pn=Kumar&tr=...&am=1.00&cu=INR",
    "acsTemplate": "PGh0bWw+PGJvZHk+Li4u..."
  }
}

Build the Deeplink

Add the upi://pay? prefix to intentURIData to create a fully qualified UPI deeplink.

JavaScript

const intentURIData = response.result.intentURIData;
const deeplink = "upi://pay?" + intentURIData;

Generate QR Code

Convert the deeplink into a QR code and display it to the customer.

Node.js – QR Code

const QRCode = require('qrcode');
const deeplink = "upi://pay?" + response.result.intentURIData;
const qrDataURL = await QRCode.toDataURL(deeplink);
document.getElementById('qr-img').src = qrDataURL;

HTML – qrcode.js (CDN)

<script src="https://cdn.jsdelivr.net/npm/qrcode/build/qrcode.min.js"></script>
<canvas id="qr-canvas"></canvas>
<script>
  QRCode.toCanvas(document.getElementById('qr-canvas'), deeplink, { width: 280 });
</script>

Customer Scans QR & Pays

The customer opens any UPI app, scans the QR code, and completes the payment. While waiting, poll the transaction status.

JavaScript – Poll Status

async function pollPaymentStatus(txnId, interval = 5000) {
  const poll = setInterval(async () => {
    const status = await checkPaymentStatus(txnId);
    if (status !== 'pending') {
      clearInterval(poll);
      handlePaymentResult(status);
    }
  }, interval);
  setTimeout(() => clearInterval(poll), 300000);
}

Verify the Payment

Always call verify_payment to confirm the final transaction status. Configure webhooks for server-to-server notifications.

Ref: PayU UPI Intent S2S Docs

◉ Specific UPI Intent

How it works: Targets a specific UPI app (Google Pay, PhonePe, Paytm, etc.) by using its bank code. Best for mobile where you detect installed apps and let the customer choose.

NPCI Mandate: All merchants must show a "Pay by any UPI App" option on Android alongside specific app options.

Workflow

Fetch
UPI Apps

→

Get
Intent URI

→

Extract
intentURIData

→

Add Prefix
& Launch

→

Handle
Response

→

Verify
Payment

Fetch List of UPI Apps on Device

Query the device for installed UPI apps to display on your checkout page.

Kotlin – Fetch UPI Apps

fun getUPIApps(context: Context): List<Map<String, String>> {
    val intent = Intent(Intent.ACTION_VIEW, Uri.parse("upi://pay"))
    val activities = context.packageManager
        .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
    return activities.map { info ->
        val name = context.packageManager
            .getApplicationLabel(info.activityInfo.applicationInfo).toString()
        mapOf("appName" to name, "packageName" to info.activityInfo.packageName)
    }
}

Get Intent URI from PayU

POST to _payment with pg=UPI, txn_s2s_flow=4, and the specific bankcode for the chosen app.

Supported Bank Codes

UPI App	Bank Code	Package Name (Android)
Google Pay	`TEZ`	`com.google.android.apps.nbu.paisa.user`
PhonePe	`PHONEPE`	`com.phonepe.app`
Paytm	`PAYTM`	`net.one97.paytm`
BHIM	`BHIM`	`in.org.npci.upiapp`
Amazon Pay	`AMAZONPAY`	`in.amazon.mShop.android.shopping`
CRED	`CRED`	`com.dreamplug.androidapp`

Extract Deeplink from Response

If metaData.unmappedStatus = "pending", extract result.intentURIData. This is not a complete deeplink — you must add a platform-specific prefix.

Add Platform Prefix & Launch the App

Prepend a platform-specific prefix to intentURIData to build the final deeplink.

Platform	Prefix Format
Android (Specific)	`intent://pay?{data}#Intent;scheme=upi;package=<pkg>;end`
iOS — PhonePe	`phonepe://upi/pay?` + intentURIData
iOS — Google Pay	`gpay://upi/pay?` + intentURIData
iOS — Paytm	`paytm://upi/pay?` + intentURIData
iOS — BHIM	`bhim://upi/pay?` + intentURIData
iOS — CRED	`credpay://upi/pay?` + intentURIData

Kotlin – Launch Specific UPI App

fun launchUPIApp(activity: Activity, packageName: String, intentUri: String) {
    val intent = Intent(Intent.ACTION_VIEW)
    intent.setPackage(packageName)
    intent.data = Uri.parse("upi://pay?$intentUri")
    activity.startActivityForResult(intent, 101)
}

iOS (Swift) – Open Specific App

let deeplink = "phonepe://upi/pay?" + intentURIData
if let url = URL(string: deeplink), UIApplication.shared.canOpenURL(url) {
    UIApplication.shared.open(url)
}

Handle the UPI App Response

After the customer completes payment, handle the result in onActivityResult.

Kotlin – onActivityResult

override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
    super.onActivityResult(requestCode, resultCode, data)
    if (requestCode == 101) {
        val status = data?.getStringExtra("Status") ?: "unknown"
        verifyPayment(txnId) // Always verify regardless of status
    }
}

Verify the Payment

Always call verify_payment to confirm the final transaction status. Do not rely solely on the UPI app callback.

Ref: PayU UPI Intent S2S Docs

✦ Smart UPI Intent

How it works: Auto-detects UPI apps on the customer's device and lets the OS present an app chooser. Required on Android per NPCI mandate.

NPCI Mandate

Android: Must implement Smart Intent — "Pay by any UPI App" is mandatory
Web: Must use UPI Intent S2S to generate QR code instead of UPI Collect
iOS: Can use UPI Collect or app-specific deeplinks

Workflow

Update
Manifest

→

Fetch
UPI Apps

→

Get
Intent URI

→

Add Prefix
& Launch

→

Handle
Response

→

Verify
Payment

Update Manifest File (One-Time — Android 11+)

Add UPI app package IDs to your AndroidManifest.xml so your app can detect installed UPI apps.

AndroidManifest.xml

<queries>
    <package android:name="com.google.android.apps.nbu.paisa.user"/>  <!-- Google Pay -->
    <package android:name="com.phonepe.app"/>                         <!-- PhonePe -->
    <package android:name="net.one97.paytm"/>                         <!-- Paytm -->
    <package android:name="in.org.npci.upiapp"/>                      <!-- BHIM -->
    <package android:name="in.amazon.mShop.android.shopping"/>        <!-- Amazon Pay -->
    <package android:name="com.dreamplug.androidapp"/>                <!-- CRED -->
</queries>

Fetch List of UPI Apps on Device

Query the device for installed UPI apps to display on your checkout page or use the OS app chooser.

Kotlin – Fetch UPI Apps

fun getUPIApps(context: Context): List<Map<String, String>> {
    val intent = Intent(Intent.ACTION_VIEW, Uri.parse("upi://pay"))
    val activities = context.packageManager
        .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
    return activities.map { info ->
        val name = context.packageManager
            .getApplicationLabel(info.activityInfo.applicationInfo).toString()
        mapOf("appName" to name, "packageName" to info.activityInfo.packageName)
    }
}

Get Intent URI from PayU

POST to _payment with pg=UPI, bankcode=INTENT, txn_s2s_flow=4. Extract result.intentURIData when unmappedStatus = "pending".

Add Platform Prefix & Launch UPI App

The intentURIData is not a complete deeplink. Prepend a platform-specific prefix:

Platform	Prefix Format
Generic / QR / Web	`upi://pay?` + intentURIData
Android (App Chooser)	`intent://pay?{data}#Intent;scheme=upi;end`
Android (Specific)	`intent://pay?{data}#Intent;scheme=upi;package=<pkg>;end`

Kotlin – Smart Intent (OS Chooser)

// "Pay by any UPI App" - no package set, OS shows app chooser
val intent = Intent(Intent.ACTION_VIEW)
intent.data = Uri.parse("upi://pay?$intentUri")
activity.startActivityForResult(intent, 101)

Handle the UPI App Response

After the customer completes payment, handle the result in onActivityResult.

Kotlin – onActivityResult

override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
    super.onActivityResult(requestCode, resultCode, data)
    if (requestCode == 101) {
        val status = data?.getStringExtra("Status") ?: "unknown"
        verifyPayment(txnId) // Always verify regardless of status
    }
}

Verify the Payment

Always call verify_payment to confirm the transaction status. Do not rely solely on the UPI app callback.

Ref: PayU UPI Intent S2S Docs

💡 Testing Intent Flows

Use the Initiate Payment form (next step) to test Intent flows — select the appropriate bankcode (INTENT, TEZ, PHONEPE, or PAYTM) from the dropdown. All intent types use the same _payment API.

UPI One-Time Payment (S2S)

Overview

The UPI One-Time Payment API lets you initiate a single UPI payment via PayU's Server-to-Server (S2S) flow. You POST payment details to the _payment endpoint with pg=UPI, and PayU returns a deeplink or redirect for the customer to authorize the payment in their UPI app.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

UPI Enabled
UPI payment mode activated on your PayU account

✓

Hash Generated
SHA-512 payment hash computed server-side

How It Works

Merchant
Sends payment

→

PayU API
_payment

→

UPI Switch
Routes txn

→

Customer App
Authorizes

→

Complete
Callback

Step-by-Step Guide

Collect payment details

Gather the transaction amount, product info, and customer details (name, email, phone). Generate a unique txnid (max 25 chars).

Generate the payment hash

Compute sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt) on your server. Never expose salt client-side.

POST to PayU _payment endpoint

Send all parameters including pg=UPI, bankcode (INTENT/TEZ/PHONEPE/PAYTM), and txn_s2s_flow=4 to https://test.payu.in/_payment.

Handle the S2S response

If unmappedStatus=pending with intentURIData, generate a QR code from the deeplink. If acsTemplate is returned, decode the base64 HTML and render it.

Poll for payment status

Use check_payment API to poll until the transaction moves to success or failure. PayU also sends a callback to your surl/furl.

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	JPg****f
`txnid`	Mandatory	String — The transaction ID is a reference number for a specific order generated by the merchant	ypl938459435
`amount`	Mandatory	String — The payment amount for the transaction	10.00
`productinfo`	Mandatory	String — A brief description of the product	iPhone
`firstname`	Mandatory	String — The first name of the customer	Ashish
`lastname`	Mandatory	String — The last name of the customer	Kumar
`email`	Mandatory	String — The email address of the customer	test@gmail.com
`phone`	Mandatory	String — The phone number of the customer	9876543210
`zipcode`	Mandatory	String — Billing address zip code. Character Limit–20	400004
`surl`	Mandatory	String — Success URL; PayU redirects here if the transaction is successful	https://test.payu.in/admin/test_response
`furl`	Mandatory	String — Failure URL; PayU redirects here if the transaction fails	https://test.payu.in/admin/test_response
`hash`	Mandatory	String — SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory (S2S)	String — Defines the payment category. Post `UPI`	UPI
`bankcode`	Mandatory (S2S)	String — Unique bank code for UPI payment option: INTENT (generic/QR), TEZ (Google Pay), PHONEPE, PAYTM, BHIM, AMAZONPAY, CRED	INTENT
`txn_s2s_flow`	Conditional	Integer — Parameter to enable S2S flow. Must be `4` for Legacy Decoupled flow (UPI Intent)	4
`s2s_client_ip`	Mandatory	String — Source IP of the customer. Required for UPI Intent flow	10.200.12.12
`s2s_device_info`	Mandatory	String — Customer agent's device information. Required for UPI Intent flow	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`vpa`	Conditional	String — Customer's VPA handle. Mandatory for UPI Collect flow	customer@upi
`udf1`	Conditional	String — Mandatory if AD bank requests this detail. Must contain Buyer's PAN and DOB: `PAN\|\|DOB`	AAAPZ1234C\|\|22/08/1972
`udf2`	Optional	String — User-defined field 2
`udf3`	Conditional	String — Mandatory if AD bank requests this detail. Must contain Invoice ID and Merchant Name: `InvoiceID\|\|MerchantName`	INV-123_1231\|\|MerchantName
`udf4`	Optional	String — User-defined field 4
`udf5`	Optional	String — User-defined field 5
`address1`	Optional (recommended)	String — Billing address line 1. Helpful for fraud detection and chargebacks	34 Saikripa-Estate, Tilak Nagar
`address2`	Optional (recommended)	String — Billing address line 2
`city`	Optional (recommended)	String — Billing city. Recommended for higher approval rate	Mumbai
`state`	Optional (recommended)	String — Billing state. Recommended for higher approval rate	Maharashtra
`country`	Optional (recommended)	String — Billing country. Recommended for higher approval rate	India
`upiAppName`	Optional	String — Name of the UPI app selected by the customer on checkout	gpay/phonepe/paytm/qr/amazonpay
`udf_params`	Optional	JSON String — Additional UDF parameters (udf6–udf10)	{"udf7":"asdf","udf8":"12"}
`buyer_type_business`	Optional	Binary — Send `1` if the buyer is a business (B2B cross-border). Default is `0`. Included in hash if posted	1

Hash Formula

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)
Example: sha512(a4vGC2|TXN_123|10.00|iPhone|Ashish|test@gmail.com|ABCDE1234F||1990-01-01||INV123456||MerchantName||||||||hKvGJP28d2ZUuCRz5BnDag58QBdCxBli)

Try It — Send Real Request

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Last Name *

Email *

Phone *

Zipcode *

Success URL (surl) *

Failure URL (furl) *

Bank Code (bankcode) *

txn_s2s_flow *

pg *

Conditional Parameters

VPA (vpa) — Mandatory for UPI Collect

Mandatory Parameters

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

udf1 PAN & DOB

udf2

udf3 Invoice & Merchant

udf4

udf5

Address Line 1 recommended

Address Line 2

City recommended

State recommended

Country recommended

UPI App Name (upiAppName)

UDF Params (udf_params) JSON

Buyer Type Business B2B

UPI Mandate Registration (Autopay)

Overview

UPI Mandate (Standing Instruction / Autopay) allows merchants to register a recurring payment mandate via UPI. The customer approves the mandate once, and subsequent payments can be auto-debited within the approved limits. This uses the _payment endpoint with si=1 and api_version=7.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

UPI SI Enabled
Standing Instruction (SI) enabled on your PayU merchant account

✓

api_version = 7
Required so si_details JSON is included in the hash

✓

si_details JSON
Billing cycle, amount, start/end dates configured

How It Works

Merchant
Sends mandate

→

PayU API
_payment

→

UPI Switch
Routes request

→

Customer
Approves Mandate

→

Mandate Active
Recurring ready

Step-by-Step Guide

Prepare mandate details

Build the si_details JSON with mandatory fields: billingAmount, billingCurrency (INR), billingCycle (ONCE / ADHOC / DAILY / WEEKLY / MONTHLY / YEARLY), billingInterval, paymentStartDate, and paymentEndDate. Optionally include UPI-specific fields: remarks (PSP display text, max 50 chars), billingLimit (ON/BEFORE/AFTER), billingRule (MAX/EXACT), and billingDate (day number).

Set UDF fields

Set udf1 = PAN||DOB (e.g. ABCDE1234F||1990-01-01) and udf3 = InvoiceID||MerchantName.

Generate the hash (api_version=7)

Compute sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||si_details_json|salt). The si_details JSON string is appended before the salt.

POST to PayU _payment endpoint

Send all parameters with si=1, pg=UPI, bankcode=INTENT, txn_s2s_flow=4, and api_version=7.

Customer approves the mandate

The customer receives a mandate approval request on their UPI app. Once approved, the mandate becomes active and recurring debits can be triggered.

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key — unique identifier for your PayU account	BmTY3G
`txnid`	Mandatory	Unique transaction ID generated by the merchant. PayU rejects duplicates.	my_order_29327
`amount`	Mandatory	Payment amount. Auto-debit limit: ₹15,000. With PIN: ₹1,00,000.	1000.00
`productinfo`	Mandatory	Brief product description (max 100 chars)	MonthlySubscription
`firstname`	Mandatory	Customer first name (max 60 chars)	Payu-Admin
`email`	Mandatory	Customer email (max 50 chars)	test@example.com
`phone`	Mandatory	Customer phone number	1234567890
`lastname`	Mandatory	Customer last name (max 60 chars)	Verma
`surl`	Mandatory	Success URL — redirect after successful transaction	https://test.payu.in/admin/test_response/
`furl`	Mandatory	Failure URL — redirect after failed transaction	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash for tamper prevention (api_version=7 formula)	(auto-computed)
`pg`	Mandatory	Payment gateway type — must be `UPI`	UPI
`bankcode`	Mandatory	`UPI` for UPI Collect, `INTENT` for UPI Intent	INTENT
`si`	Mandatory	Must be `1` to enable Standing Instruction / Autopay	1
`si_details`	Mandatory	JSON with billing cycle details (see si_details breakdown below)	(see below)
`vpa`	Conditional	Customer VPA handle. Required when `bankcode=UPI` (UPI Collect).	customer@upi
`txn_s2s_flow`	Conditional	Must be `4` for UPI Intent flow	4
`api_version`	Optional	API version. Pass `7` so `si_details` is included in hash.	7
`address1`	Optional	Billing address line 1 (max 100 chars)	H.No-17, Block C
`address2`	Optional	Billing address line 2 (max 100 chars)	34 Saikripa-Estate
`city`	Optional	Customer city	Mumbai
`state`	Optional	Customer state	Maharashtra
`country`	Optional	Customer country (max 50 chars)	India
`zipcode`	Optional	Billing zipcode (max 20 chars)	400004
`free_trial`	Optional	Enable free trial. When set to `1`, PayU adjusts the amount to ₹2.00 for UPI regardless of the amount passed.	1
`udf1`	Conditional	PAN\|\|Date of Birth — Mandatory if AD bank requests this detail	ABCDE1234F\|\|1990-01-01
`udf3`	Conditional	Invoice ID\|\|Merchant Name — Mandatory if AD bank requests this detail	INV123456\|\|MerchantName

si_details JSON Parameters

Field	Required	Description	Example
`billingAmount`	Mandatory	Maximum amount for recurring debit. For UPI, must not exceed INR 15,000.	1000.00
`billingCurrency`	Mandatory	Currency — must be `INR`	INR
`billingCycle`	Mandatory	Defines the billing frequency: `DAILY`, `WEEKLY`, `MONTHLY`, `YEARLY`, `ONCE`, or `ADHOC`	MONTHLY
`billingInterval`	Mandatory	Coupled with billingCycle. e.g. billingCycle=MONTHLY & billingInterval=3 means charge every 3 months (quarterly).	1
`paymentStartDate`	Mandatory	Start date in `YYYY-MM-DD`. For UPI, send the current date (other values are ignored).	2026-04-10
`paymentEndDate`	Mandatory	End date in `YYYY-MM-DD`. Number of payment iterations is calculated from start & end dates.	2027-04-10
`remarks`	Optional (UPI only)	Remarks shown on PSP app during mandate registration. Max 50 characters.	Subscription for a year
`billingLimit`	Optional (UPI only)	Period relative to mandate date for debit: `ON` (specific date), `BEFORE` (before & on), `AFTER` (after & on, default).	ON=2026-04-20
`billingRule`	Optional (UPI only)	Limitation on recurring debit amount: `MAX` (debit up to amount, default) or `EXACT` (exact amount only).	MAX=1000
`billingDate`	Optional (UPI only)	Day on which recurring debit should happen. For WEEKLY: 1=Mon…7=Sun. For MONTHLY: 1–31.	1

Billing Cycle Reference

Cycle	Description	Example (billingInterval)
`ONCE`	One-time — for split/partial payment use cases	1
`DAILY`	Daily billing — every N days	3 (every 3 days)
`WEEKLY`	Weekly billing — every N weeks	1 (every week)
`MONTHLY`	Monthly billing — every N months	1 (every month)
`YEARLY`	Yearly billing — every N years	1 (every year)
`ADHOC`	No definite cycle — for post-paid bills where cycle/amount varies	1

Hash Formula (api_version=7)

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||si_details_json|salt)
Example: sha512(a4vGC2|MAND_123|2.00|MonthlySubscription|sudhanshu|test@test.com|ABCDE1234F||1990-01-01||INV123456||MerchantName|||||||||{"billingAmount":"200.00","billingCurrency":"INR","billingCycle":"MONTHLY","billingInterval":1,"paymentStartDate":"2025-12-24","paymentEndDate":"2026-12-01"}|YourSalt)

⚡

Amount Restrictions for Mandate Registration

In the PayU Test Environment, the mandate registration amount determines the simulated outcome. Use these ranges to test different scenarios.

PayU Test Environment Only — test.payu.in

💰

Minimum Amount Requirement

UPI Autopay (Standing Instruction) mandate registration requires the amount to be greater than ₹2 INR. Requests with amount ≤ ₹2 will fail. The default sample amount is set to ₹1,000.

⚠

Transaction Amount ≤ Billing Amount

The recurring transaction amount (si_transaction) cannot be greater than the billing amount (billingAmount) set during mandate registration. If the transaction amount exceeds the billing amount, the debit will be rejected by the UPI switch.

🔒 UPI Autopay — Mandate Registration

Registration Success

> ₹2

Mandate created → unmappedStatus = pending → Customer approves via UPI

Registration Failure

≤ ₹2

Failure — Amount too low for mandate

💡 Tip: For a successful end-to-end UPI Autopay test, use an amount > ₹2 (e.g. ₹1,000). The mandate registration will succeed and the customer can approve the mandate via their UPI app.

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Transaction ID (txnid) *

Amount * (must be > ₹2)

Product Info (productinfo) *

First Name (firstname) *

Email *

Phone *

Success URL (surl) *

Failure URL (furl) *

pg *

bankcode *

txn_s2s_flow *

si *

Billing Amount *

Billing Cycle *

Last Name (lastname) *

Billing Interval *

UDF1 (PAN||DOB) *

UDF3 (InvoiceID||MerchantName) *

Payment Start Date *

Payment End Date *

Conditional Parameters

VPA (vpa) * (mandatory for UPI Collect)

Optional Parameters

API Version (api_version)

Address Line 1 (address1)

Address Line 2 (address2)

City

State

Country

Zipcode

Remarks (UPI only, max 50 chars)

Billing Limit (UPI only)

Billing Rule (UPI only)

Billing Date (UPI only)

Free Trial (free_trial) (UPI amount adjusted to ₹2)

Verify Payment (Autopay)

Overview

After registering a UPI mandate, use the verify_payment command to check the transaction status and get the mihpayid (authPayuId). This ID is required for all subsequent mandate operations: status check, modification, pre-debit notification, and recurring payment execution.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Transaction ID (txnid)
The txnid used during mandate registration

How It Works

Merchant
Sends verify

→

PayU API
postservice.php

→

Response
mihpayid returned

→

Use mihpayid
As authPayuId

Step-by-Step Guide

Get the txnid

Use the same transaction ID (txnid) that was used during mandate registration.

Generate the hash

Compute sha512(key|command|var1|salt) where command is verify_payment and var1 is the txnid.

POST to postservice.php

Send key, command (verify_payment), var1 (txnid), and hash.

Extract mihpayid from response

The mihpayid in the response is the authPayuId needed for mandate status, modify, pre-debit, and SI transaction.

API Reference

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command	verify_payment
`var1`	Yes	Transaction ID (txnid) from mandate registration	txn-4039971553710
`hash`	Yes	SHA-512 hash	(computed)

Hash Formula

sha512(key|command|var1|salt)
sha512(merchantKey|verify_payment|txnid|merchantSalt)

Important: The mihpayid from the verify response is the authPayuId you need for all subsequent steps: Mandate Status, Modify Mandate, Pre-Debit Notification, and SI Transaction.

Try It — Verify Payment

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Transaction ID (txnid) *

Command *

Get UPI Mandate Status

Overview

After registering a UPI mandate, use the upi_mandate_status command to check the current status of the mandate. This API returns the mandate's approval status, active/inactive state, and other details. It uses POST to postservice.php with SHA-512 hash authentication.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Successful Mandate Registration
A UPI mandate must be registered first

✓

authPayuId (mihpayid)
The PayU ID from the mandate registration response

How It Works

Merchant
Sends status request

→

PayU API
postservice.php

→

UPI Network
Checks mandate

→

Status Returned
Active / Paused / Revoked

Step-by-Step Guide

Get the authPayuId

From your mandate registration response, get the mihpayid (this is your authPayuId).

Build the var1 JSON

Create a JSON object with authPayuId and a unique requestId.

Generate the hash

Compute sha512(key|command|var1|salt) where command is upi_mandate_status.

POST to postservice.php

Send key, command, var1 (JSON string), and hash to the postservice endpoint.

API Reference

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command	upi_mandate_status
`var1`	Yes	JSON with authPayuId and requestId	{"authPayuId":"...","requestId":"..."}
`hash`	Yes	SHA-512 hash	(computed)

var1 JSON for upi_mandate_status

{
  "authPayuId": "403993715535364356",
  "requestId": "1892432asds15g6"
}

Hash Formula

sha512(key|command|var1|salt)
sha512(merchantKey|upi_mandate_status|{"authPayuId":"...","requestId":"..."}|merchantSalt)

Try It — Get Mandate Status

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

authPayuId (mihpayid) *

Request ID *

Modify UPI Mandate (Recurring Payment)

Overview

Use the upi_mandate_modify command to modify an existing UPI mandate. You can update the billing amount and/or the end date of the mandate. The customer will receive a modification request on their UPI app which they must approve. This uses POST to postservice.php with SHA-512 hash authentication.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Active UPI Mandate
A mandate must be registered and in active state

✓

authPayuId (mihpayid)
The PayU ID from the mandate registration response

✓

New Amount or End Date
At least one field to modify

How It Works

Merchant
Sends modify request

→

PayU API
postservice.php

→

UPI Network
Routes to bank

→

Customer
Approves modification

→

Mandate Updated
New terms active

Step-by-Step Guide

Get the authPayuId

Use the mihpayid from your mandate registration or verify payment response.

Build the var1 JSON

Create a JSON object with authPayuId, requestId, and the fields to modify: amount and/or endDate.

Generate the hash

Compute sha512(key|command|var1|salt) where command is upi_mandate_modify.

POST to postservice.php

Send key, command, var1 (JSON string), and hash. The customer will receive a modification approval request on their UPI app.

API Reference

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command	upi_mandate_modify
`var1`	Yes	JSON with modify details	{"authPayuId":"...","requestId":"...","amount":"...","endDate":"..."}
`hash`	Yes	SHA-512 hash	(computed)

var1 JSON for upi_mandate_modify

{
  "authPayuId": "403993715535437921",
  "requestId": "403993715921",
  "amount": "3500",
  "endDate": "2028-11-15"
}

Hash Formula

sha512(key|command|var1|salt)
sha512(merchantKey|upi_mandate_modify|{"authPayuId":"...","requestId":"...","amount":"...","endDate":"..."}|merchantSalt)

Try It — Modify UPI Mandate

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

authPayuId (mihpayid) *

Request ID *

Optional Parameters

New Amount

New End Date

UPI OTM Pre-Authorize

Overview

UPI One Time Mandate (OTM) allows pre-authorization of a payment. The amount is blocked in the customer's account and can be captured (fully or partially) later. This uses the _payment endpoint with pre_authorize=1 and api_version=7. Supports both Normal Capture (single capture) and Multi Capture (multiple partial captures).

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

UPI OTM Enabled
Pre-authorization enabled on your PayU merchant account

✓

api_version = 7
Required so si_details JSON is included in the hash

✓

si_details JSON
Payment start/end dates; optionally multiCapture: "Y"

How It Works

Merchant
Sends OTM

→

PayU API
_payment

→

UPI Switch
Routes request

→

Amount Blocked
In customer a/c

→

Capture Later
Full / Partial

Step-by-Step Guide

Choose capture type

Decide between Normal Capture (single full/partial capture) or Multi Capture (multiple partial captures). For multi capture, include "multiCapture": "Y" in si_details.

Prepare si_details JSON

Build the JSON with paymentStartDate and paymentEndDate. Add "multiCapture": "Y" if using multi capture mode.

Generate the hash (api_version=7)

Compute sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||si_details_json|salt). The si_details JSON string is appended before the salt.

POST to PayU _payment endpoint

Send all parameters with pre_authorize=1, pg=UPI, bankcode=INTENT, txn_s2s_flow=4, api_version=7, plus s2s_client_ip and s2s_device_info.

Amount is blocked & capture later

Once the customer authorizes, the amount is blocked. Use capture_transaction API to capture the full or partial amount within the validity window.

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	mGHSxpD2iB…
`txnid`	Mandatory	Unique transaction/order ID (auto-generated if empty)	OTM_17345678
`amount`	Mandatory	Block amount for the pre-authorization	18000
`productinfo`	Mandatory	Brief product description	iPhone
`firstname`	Mandatory	Customer's first name	Payu-Admin
`email`	Mandatory	Customer's email address	test@example.com
`phone`	Mandatory	Customer's phone number	9876543210
`surl`	Mandatory	Success redirect URL	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure redirect URL	https://test.payu.in/admin/test_response
`pg`	Mandatory	Payment gateway category — fixed `UPI`	UPI
`bankcode`	Mandatory	Bank code for UPI Intent — fixed `INTENT`	INTENT
`txn_s2s_flow`	Mandatory	S2S flow type — fixed `4` for UPI Intent	4
`pre_authorize`	Mandatory	Enable pre-authorization — fixed `1`	1
`api_version`	Mandatory	API version — fixed `7` (includes si_details in hash)	7
`si_details`	Mandatory	JSON with `paymentStartDate`, `paymentEndDate`, and optionally `multiCapture: "Y"`	{"paymentStartDate":"2026-03-28","paymentEndDate":"2026-05-27"}
`hash`	Mandatory	SHA-512 hash (auto-computed)	(computed)
`s2s_client_ip`	Mandatory	Source IP of the customer — required for UPI Intent flow	10.200.12.12
`s2s_device_info`	Mandatory	Customer's device user agent — required for UPI Intent flow	Mozilla/5.0
`lastname`	Optional	Customer's last name	Kumar
`udf1`	Optional	User-defined field 1 (included in hash)	udf1
`udf2`	Optional	User-defined field 2 (included in hash)	udf2
`udf3`	Optional	User-defined field 3 (included in hash)	udf3
`udf4`	Optional	User-defined field 4 (included in hash)	udf4
`udf5`	Optional	User-defined field 5 (included in hash)	udf5

Normal Capture vs Multi Capture

Feature	Normal Capture	Multi Capture
Captures allowed	1 (full or partial)	Multiple partial captures
`multiCapture` in si_details	Not required	"Y"
Cancel remaining	Yes (cancel_transaction)	Yes (cancel_transaction)

Hash Formula

OTM Transaction Hash (api_version=7)

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||si_details_json|salt)
sha512(a4vGC2|OTM_123|18000|iPhone|Payu-Admin|test@example.com|udf1|udf2|udf3|udf4|udf5||||||{"paymentStartDate":"2026-03-28","paymentEndDate":"2026-05-27"}|hKvGJP28d2ZUuCRz5BnDag58QBdCxBli)

⚡

Amount Restrictions for Execution or Capture API

In the PayU Test Environment, the amount you send determines the simulated transaction outcome. Use these ranges to test different scenarios.

PayU Test Environment Only — test.payu.in

💰

OTM Maximum Amount

UPI OTM (One-Time Mandate) supports a maximum pre-authorization amount of ₹5,00,000 (5 Lakh) in production. In the test environment, use amount > ₹5,000 for a successful flow.

🔒 OTM (Pre-Authorize) — Auth + Capture

Auth Success

> ₹5,000

Amount blocked → capture_transaction succeeds E000

Auth Failure

< ₹500 or ₹500 – ₹1,500

Failure — Insufficient Amount 99

Auth Failure

₹1,500 – ₹3,000

Failure — Invalid Data 5004

Stuck In Progress

₹3,000 – ₹5,000

capture_transaction & verify_payment = in progress

💡 Tip: For a successful end-to-end OTM test, use an amount > ₹5,000 (e.g. ₹18,000). The auth will succeed, and the capture will also complete successfully.

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info (productinfo) *

First Name (firstname) *

Email *

Phone *

Success URL (surl) *

Failure URL (furl) *

Payment Start Date *

Payment End Date *

Capture Type *

si_details (JSON) *

pg *

bankcode *

txn_s2s_flow *

pre_authorize *

api_version *

Mandatory Parameters

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Optional Parameters

Last Name (lastname)

udf1

udf2

udf3

udf4

udf5

Capture Transaction

Overview

After a successful pre-authorized (OTM) transaction, use the capture_transaction command to capture (debit) the blocked amount. You can capture the full amount or a partial amount. This API is called via postservice.php with a SHA-512 hash for authentication.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Successful Auth Transaction
A pre-authorized (OTM) payment must be completed first

✓

mihpayid from Verify
Use verify_payment to retrieve the mihpayid for the auth transaction

✓

Capture Amount
Full or partial amount (must not exceed the authorized amount)

How It Works

Auth Transaction
Pre-authorize

→

Verify
Get mihpayid

→

Capture Request
postservice

→

Amount Debited
From customer

Step-by-Step Guide

Complete an auth (pre-authorize) transaction

Use the UPI OTM flow to create a pre-authorized transaction. The amount will be blocked in the customer's account.

Verify to get mihpayid

Call verify_payment with the transaction ID to retrieve the mihpayid (PayU's internal transaction reference).

Generate capture hash

Compute sha512(key|command|var1|salt) where command=capture_transaction and var1=mihpayid.

POST capture request

Send key, command, var1 (mihpayid), var2 (unique capture order ID), var3 (capture amount), and hash to postservice.php.

Verify the capture

Call verify_payment again to confirm the capture was successful and the amount has been debited.

Hash Formula

Capture Hash

sha512(key|command|var1|salt)
sha512(merchantKey|capture_transaction|mihpayid|merchantSalt)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

mihpayid (Auth PayU ID) *

Capture Order ID *

Capture Amount *

Command *

Verify Payment

Overview

Callback URLs can be spoofed. Always verify the payment status with PayU's server using the verify_payment command before fulfilling the order. This API is the single source of truth for payment status and is called via postservice.php.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Completed Transaction
A payment transaction (success, failure, or pending) to verify

✓

Transaction ID (txnid)
The unique transaction ID used when creating the payment

How It Works

Transaction Complete
Payment done

→

Verify API
postservice

→

Get Status
success/failure

→

Confirm Order
Fulfill / Reject

Step-by-Step Guide

Get transaction ID

Use the txnid you sent when creating the payment. This is your merchant-side unique reference.

Generate verify hash

Compute sha512(key|command|var1|salt) where command=verify_payment and var1=txnid.

POST verify request

Send key, command, var1 (txnid), and hash to postservice.php.

Process the response

Extract mihpayid, status, mode, and payment_source from the response to determine payment outcome.

Confirm or reject order

Based on the verified status, fulfill the order (if success) or show an error (if failure/pending).

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt used for hash generation (never sent in request)	mGHSxpD2iB…
`command`	Mandatory	API command — fixed `verify_payment`	verify_payment
`var1`	Mandatory	Transaction ID (txnid) used during payment initiation	TXN_1234567890
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

Verify Hash

sha512(key|command|var1|salt)
sha512(a4vGC2|verify_payment|TXN_1234567890|hKvGJP28d2ZUuCRz5BnDag58QBdCxBli)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Transaction ID (var1) *

Command *

Cancel / Refund Transaction

Overview

Use cancel_refund_transaction to cancel or refund a UPI One-Time Payment. Called via postservice.php with SHA-512 hash authentication.

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	mGHSxpD2iB…
`command`	Mandatory	API command — fixed `cancel_refund_transaction`	cancel_refund_transaction
`var1` (mihpayid)	Mandatory	PayU transaction ID from Verify Payment response	403993715537142566
`var2` (token id)	Mandatory	Unique cancel/refund token ID (auto-generated if empty)	cnl_12345
`var3` (amount)	Mandatory	Amount to cancel/refund	2.00
`hash`	Mandatory	SHA-512 hash (auto-computed)	(computed)

Hash Formula

Cancel/Refund Hash

sha512(key|cancel_refund_transaction|mihpayid|salt)
sha512(a4vGC2|cancel_refund_transaction|403993715537142566|hKvGJP28d2ZUuCRz5BnDag58QBdCxBli)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

mihpayid (var1) *

Cancel Amount (var3) *

Cancel Token ID (var2) *

Command *

Check Action Status

Overview

Use check_action_status to track the status of a cancel/refund request. After initiating a cancel or refund via cancel_refund_transaction, this API lets you check whether the refund has been processed, is pending, or has failed. Called via postservice.php with SHA-512 hash authentication.

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	mGHSxpD2iB…
`command`	Mandatory	API command — fixed `check_action_status`	check_action_status
`var1`	Mandatory	PayU ID (mihpayid) for which action status is to be fetched	139210626
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

Check Action Status Hash

sha512(key|command|var1|salt)
sha512(a4vGC2|check_action_status|139210626|hKvGJP28d2ZUuCRz5BnDag58QBdCxBli)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

PayU ID / mihpayid (var1) *

Command *

Cancel / Refund Transaction

Overview

Cancel a pre-authorized (OTM) transaction using cancel_transaction to release the blocked amount back to the customer. Called via postservice.php with SHA-512 hash authentication.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Successful Auth Transaction
A pre-authorized (OTM) payment must be completed and captured (or pending capture)

✓

mihpayid from Verify
Use verify_payment to retrieve the mihpayid for the auth transaction

✓

Cancel Command
cancel_transaction — releases the blocked amount

How It Works

Transaction
Auth/Capture done

→

Cancel/Refund Request
postservice

→

PayU Processes
Refund initiated

→

Status Updated
check_action_status

Step-by-Step Guide

Identify the transaction to cancel/refund

Use verify_payment to get the mihpayid of the auth transaction you want to cancel or refund.

Choose the correct command

Use cancel_transaction to release the blocked amount. The command is the same for both Normal and Multi Capture.

Generate cancel hash

Compute sha512(key|command|var1|salt) where var1=mihpayid.

POST cancel request

Send the request to postservice.php with all required parameters including a unique cancel token ID.

Check refund status

Use check_action_status with the request_id to track the refund progress.

API Reference — Cancel Transaction

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	Fixed `cancel_transaction`	cancel_transaction
`var1`	Yes	mihpayid of auth transaction	403993715536064861
`var2`	Yes	Unique cancel token ID	cancel_txn_12345
`hash`	Yes	SHA-512 hash	(computed)

Hash Formula

Cancel/Refund Hash

sha512(key|cancel_transaction|var1|salt)
sha512(merchantKey|cancel_transaction|mihpayid|merchantSalt)

check_action_status (Refund Status)

cURL – Check Refund Status

curl -X POST "https://test.payu.in/merchant/postservice.php?form=2" \
 --data-urlencode "key={{merchantKey}}" \
 --data-urlencode "command=check_action_status" \
 --data-urlencode "var1={{request_id}}" \
 --data-urlencode "hash={{hash}}"

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

mihpayid (Auth PayU ID) *

Command *

Cancel Token ID *

OTM Status Check API

Overview

This API checks the status of a UPI OTM (One Time Mandate) transaction. Unlike other PayU APIs, it uses HMAC-SHA256 signature-based authentication (not the standard SHA-512 hash). It is a GET request to the PayU API endpoint. The proxy handles HMAC header generation server-side, so you only need to provide key, salt, and payuId.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Successful OTM Transaction
A UPI OTM pre-auth transaction must have been initiated

✓

mihpayid (payuId)
The PayU transaction ID from the auth response or verify_payment

How It Works

Get mihpayid
From verify

→

Generate HMAC Headers
SHA-256 auth

→

GET Request
API endpoint

→

OTM Status
Response

Step-by-Step Guide

Get the mihpayid

Use verify_payment or extract from the auth response to get the PayU transaction ID (mihpayid/payuId).

Generate HMAC-SHA256 headers

The proxy handles this server-side. Headers include: Date (UTC), Digest (SHA-256 of empty body, base64), and Authorization (HMAC signature).

Send GET request

Call https://apitest.payu.in/v1/transaction/upi_otm_status_check?payuId={{payuid}} with the HMAC headers.

Parse OTM status response

The response contains the mandate/OTM status, amount, validity, and transaction details.

API Reference

Property	Required	Description	Example
`Method`	—	HTTP method	GET
`URL`	—	API endpoint	`https://apitest.payu.in/v1/transaction/upi_otm_status_check?payuId={{payuid}}`
`Auth`	—	Authentication type	HMAC-SHA256 signature
`Date`	Yes	UTC date header	Tue, 23 Sep 2025 06:58:08 GMT
`Digest`	Yes	SHA-256 of request body (empty for GET), base64	47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
`Authorization`	Yes	HMAC signature header	hmac username="key", algorithm="hmac-sha256", ...

HMAC Authentication Formula

HMAC-SHA256 Auth

Digest = base64(sha256(""))   // empty body for GET
SignatureString = "date: {utcDate}\ndigest: {digest}"
Signature = base64(hmac-sha256(salt, signatureString))
Authorization = 'hmac username="{key}", algorithm="hmac-sha256", headers="date digest", signature="{signature}"'

HMAC Generation Reference (Node.js)

Node.js – HMAC Auth Generation

const crypto = require('crypto');
const merchant_key = "your_merchant_key";
const merchant_secret = "your_merchant_salt";

const requestBody = "";  // empty for GET
const bodyHash = crypto.createHash('sha256').update(requestBody).digest('base64');
const date = new Date().toUTCString();
const signatureString = `date: ${date}\ndigest: ${bodyHash}`;
const signature = crypto.createHmac('sha256', merchant_secret)
    .update(signatureString).digest('base64');

const auth = `hmac username="${merchant_key}", algorithm="hmac-sha256", ` +
    `headers="date digest", signature="${signature}"`;

// Headers:
//   Date: <date>
//   Digest: <bodyHash>
//   Authorization: <auth>
//   Content-Type: application/json

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

PayU ID (mihpayid) *

Auth Method *

Verify Payment Auth

Overview

After the UPI OTM Transaction is authorized, call verify_payment with the original txnid to confirm the auth status and retrieve the mihpayid needed for capture.

Hash Formula

Verify Auth Hash

sha512(key|verify_payment|txnid|salt)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Transaction ID (txnid) *

Command *

Verify Payment Capture

Overview

After calling capture_transaction, verify the capture using the capture_order_id (var2 from the capture request) to confirm the amount was debited successfully.

Hash Formula

Verify Capture Hash

sha512(key|verify_payment|capture_order_id|salt)

Try It — Send Real Request

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

Capture Order ID *

Command *

Pre-Debit Notification

Overview

After a successful UPI Mandate Registration (and optionally checking/modifying the mandate), you must send a pre-debit notification using the pre_debit_SI command at least 24 hours before the scheduled debit. This is an NPCI mandate requirement. The API uses POST to postservice.php with SHA-512 hash authentication, where var1 is a JSON string.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Successful Mandate Registration
A UPI mandate must be registered and verified

✓

authPayuId (mihpayid)
The PayU ID from the verify payment response

✓

24-Hour Pre-Debit Window
NPCI mandates sending pre-debit notification at least 24h before the scheduled debit

How It Works

→

Verify
verify_payment

→

Status
mandate_status

→

Modify
mandate_modify

→

Pre-Debit
pre_debit_SI

→

SI Transaction
si_transaction

Step-by-Step Guide

Enter authPayuId

Use the mihpayid from the Verify Payment response (auto-filled if you followed the flow).

Set debit date and amount

The debit date must be at least 24 hours in the future. Amount should be within the mandate limits.

Send pre-debit notification

Click “Send to PayU” to send the pre_debit_SI command. The customer will be notified of the upcoming debit.

Proceed to SI Transaction

After the pre-debit notification is acknowledged, proceed to execute the actual recurring payment.

API Reference — pre_debit_SI (Pre-Debit Notification)

Mandatory for UPI Recurring

NPCI mandates sending a pre-debit notification to the customer at least 24 hours before the scheduled debit.

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command	pre_debit_SI
`var1`	Yes	JSON with pre-debit details: `authPayuId`, `requestId`, `debitDate` (YYYY-MM-DD), `amount`	{"authPayuId":"...","requestId":"...","debitDate":"...","amount":"..."}
`hash`	Yes	SHA-512 hash (var1 is the JSON string)	(computed)

var1 JSON for pre_debit_SI

{
  "authPayuId": "403993715534484661",
  "requestId": "403993715534484661_1",
  "debitDate": "2025-09-06",
  "amount": "2.00"
}

Hash Formula (pre_debit_SI)

Pre-Debit Hash

sha512(key|command|var1|salt)
sha512(merchantKey|pre_debit_SI|{"authPayuId":"...","requestId":"...","debitDate":"...","amount":"..."}|merchantSalt)

Try It — Pre-Debit Notification

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

authPayuId (mihpayid) *

Request ID *

Debit Date *

Amount *

Optional Parameters

Invoice Display Number

SI Transaction (Recurring Payment)

Overview

After sending the pre-debit notification, execute the actual recurring payment using the si_transaction command. This API debits the customer’s account based on the registered UPI mandate. It uses POST to postservice.php with SHA-512 hash authentication, where var1 is a JSON string containing transaction details.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

Pre-Debit Notification Sent
A pre_debit_SI must have been sent at least 24h before

✓

authpayuid (mihpayid)
The PayU ID from the verify payment response

✓

Customer Details
Name, email, and address information for the transaction

How It Works

→

Verify
verify_payment

→

Status
mandate_status

→

Modify
mandate_modify

→

Pre-Debit
pre_debit_SI

→

SI Transaction
si_transaction

Step-by-Step Guide

Enter authpayuid

Use the mihpayid from the Verify Payment response (auto-filled if you followed the flow).

Set amount and transaction details

Enter the recurring amount, a unique transaction ID, and customer details (name, email, address).

Execute SI transaction

Click “Send to PayU” to execute the si_transaction command and debit the customer.

Verify the payment

Use verify_payment with the SI txnid to confirm the payment was successful.

API Reference — si_transaction (Execute Recurring Payment)

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command — fixed `si_transaction`	si_transaction
`var1`	Yes	JSON object with transaction details (see var1 fields below)	(see below)
`hash`	Yes	SHA-512 hash: `sha512(key\|command\|var1\|salt)`	(computed)

var1 JSON Fields

Field	Required	Description	Example
`authpayuid`	Yes	Unique authentication payment ID from the registration transaction	403993715534484661
`amount`	Yes	Monetary value of the recurring transaction	100.00
`txnid`	Yes	Merchant-generated unique transaction ID	SI_1234567890
`firstname`	Yes	Customer’s first name	Sudhanshu
`email`	Yes	Customer’s email for communication and receipts	test@example.com
`phone`	Yes	Customer’s contact number (echoed back in response)	9999999999
`udf1`	Yes	PAN and DOB separated by `\|\|`: `PAN\|\|DOB`	ABCDE1234F\|\|1990-01-01
`udf3`	Yes	Invoice ID and seller name separated by `\|\|`: `invoiceId\|\|sellerName`	INV789\|\|SellerName
`lastname`	No	Customer’s last name	Kumar
`address1`	No	Customer’s address line 1	308 third floor
`address2`	No	Customer’s address line 2	my lane
`city`	No	Customer’s city	Delhi
`state`	No	Customer’s state	Delhi
`country`	No	Customer’s country	India
`zipcode`	No	Customer’s zipcode	110092
`invoiceDisplayNumber`	No	User-friendly invoice number displayed to the customer	INV-2024-001
`udf2`	No	Custom user-defined field (echoed back)
`udf4`	No	Custom user-defined field (echoed back)
`udf5`	No	Custom user-defined field (echoed back)

UDF Note: If the first value in a UDF is absent, it will be sent as NULL||<VALUE>. If the second value is absent, it will be sent as <VALUE>.

var1 JSON for si_transaction (UPI)

{
  "authpayuid": "403993715534484661",
  "amount": "100",
  "txnid": "Rec_403993715534484661_1",
  "firstname": "Sudhanshu",
  "lastname": "Kr",
  "email": "test@example.com",
  "phone": "9999999999",
  "address1": "address",
  "address2": "my lane",
  "city": "my city",
  "state": "my state",
  "country": "India",
  "zipcode": "110092",
  "udf1": "ABCDE1234F||1990-01-01",
  "udf3": "INV123456||MerchantName",
  "invoiceDisplayNumber": "SI_1236"
}

Hash Formula (si_transaction)

SI Transaction Hash

sha512(key|command|var1|salt)
sha512(merchantKey|si_transaction|{"authpayuid":"...","amount":"...","txnid":"...",...}|merchantSalt)

Try It — Execute Recurring Payment

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

authpayuid (mihpayid) *

Amount *

Transaction ID *

First Name (firstname) *

Email *

Phone *

UDF1 (PAN||DOB) *

UDF3 (Invoice||SellerName) *

Optional Parameters

Last Name (lastname)

Invoice Display Number

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF2

UDF4

UDF5

Verify SI Payment (Autopay)

Overview

After executing a recurring SI Transaction, use the verify_payment command to confirm the debit status. This verifies whether the customer's account was successfully debited for the recurring payment.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/UAT credentials

✓

SI Transaction ID (txnid)
The txnid used in the SI Transaction request

How It Works

SI Transaction
Debit executed

→

Verify Payment
postservice.php

→

Response
Status returned

→

Confirm
Debit success/fail

Step-by-Step Guide

Get the SI txnid

Use the same transaction ID (txnid) that was used in the si_transaction request.

Generate the hash

Compute sha512(key|command|var1|salt) where command is verify_payment and var1 is the SI txnid.

POST to postservice.php

Send key, command (verify_payment), var1 (txnid), and hash.

Check the response status

Look for status = success or failure to confirm whether the recurring debit was completed.

API Reference

Parameter	Required	Description	Example
`key`	Yes	Merchant key from PayU dashboard	a4vGC2
`command`	Yes	API command	verify_payment
`var1`	Yes	Transaction ID (txnid) from SI Transaction	Rec_40399715537_1
`hash`	Yes	SHA-512 hash	(computed)

Hash Formula

sha512(key|command|var1|salt)
sha512(merchantKey|verify_payment|si_txnid|merchantSalt)

Try It — Verify SI Payment

Mandatory Parameters

Merchant Key (key) *

Merchant Salt *

SI Transaction ID (txnid) *

Command *

Troubleshooting

Common issues developers face during UPI seamless integration and how to fix them.

Overview

Common issues developers encounter during PayU UPI seamless integration. Each issue includes causes, detection methods, and step-by-step fixes.

Key Concepts

✓

Hash Validation
Ensure correct formula and salt

✓

VPA Format
Must be user@handle format

✓

S2S Flow
Always use txn_s2s_flow=4 for Intent

✓

Polling Strategy
verify_payment every 5-10s for pending

Quick Diagnostic

Error Message
Read the error

→

Identify Category
Hash / VPA / Flow

→

Follow Fix Steps
See accordion below

→

Re-test
Validate the fix

Causes

Incorrect salt being used (use Salt v1, not v2)
Wrong parameter order in hash string
Extra spaces or encoding issues in parameters
Missing pipe characters (need exactly 6 pipes before salt: ||||||)
Amount format mismatch (e.g., "10" vs "10.00")

How to Detect

PayU returns error message "Hash validation failed" or "Sorry, Some Problem Occurred".

How to Fix

Debug Hash

// Print the hash string before hashing to verify:
const hashString = `${key}|${txnid}|${amount}|${productinfo}|${firstname}|${email}|${udf1}|${udf2}|${udf3}|${udf4}|${udf5}||||||${salt}`;
console.log('Hash Input:', hashString);  // Verify each component
console.log('Pipe count:', (hashString.match(/\|/g)||[]).length); // Should be 17

Causes

Wrong VPA format (must be username@handle)
Invalid UPI handle (e.g., non-existent bank handle)
Bank-side rejection or temporarily unavailable handle

How to Detect

Payment API returns error with invalid VPA message.

How to Fix

Verify the VPA format is correct (username@handle) before initiating payment. Show user-friendly error if VPA is invalid.

Causes

UPI collect request timed out (customer didn't approve in time)
Bank-side processing delay
Network timeout between UPI switch and bank

How to Detect

Verify API returns status: "pending" or unmappedstatus: "pending".

How to Fix

Implement polling: Check payment status every 5-10 seconds for up to 5 minutes
Set UPI expiry time in the request using expiryTime parameter
Show appropriate "Payment Processing" UI to the customer

Causes

Deeplink URL expired (usually valid for 5 minutes)
QR code generated from incorrect deeplink
UPI app not installed on device (for specific intent)

How to Fix

Generate fresh deeplink for each attempt
Use Generic Intent (INTENT) for web to let any UPI app scan
Show fallback option if specific UPI app is not available

Causes

Forgot to include txn_s2s_flow=4 in the request
Using wrong value (must be 4 for UPI Intent S2S)

How to Detect

PayU redirects to its payment page instead of returning a deeplink, or returns an error.

How to Fix

Always include txn_s2s_flow=4 in your payment request for UPI Intent S2S flow.

Quick Reference: Error Codes

Error	Meaning	Fix
`Hash validation failed`	Incorrect hash	Check salt version, parameter order
`Invalid VPA`	VPA doesn't exist	Verify VPA format before payment
`Transaction pending`	Awaiting customer action	Poll verify_payment API
`txn_s2s_flow missing`	Not in S2S mode	Add txn_s2s_flow=4
`Invalid amount`	Amount format wrong	Use decimal format (e.g. 10.00)

Getting Started
⚡ Choose Your Flow
Normal S2S Payment ▼
Get BIN Info API
Check isDomestic API
Card Payment API (_payment)
Handle 3DS / Submit OTP
Verify Payment API
Pre-Auth Payment ▼
Get BIN Info API
Pre-Auth Payment API
Handle 3DS / Submit OTP
Verify Payment API
Capture Transaction API
Tokenization ▼
Model 2: Zero Code ▼
First-Time Customer ▼
Get BIN Info API
Payment API (_payment)
Handle 3DS / Submit OTP
Verify Payment API
Repeat Customer ▼
Get User Cards API
Payment API (_payment)
Handle 3DS / Submit OTP
Verify Payment API
Delete Payment Instrument
Model 3: REST API ▼
First-Time Customer ▼
Get BIN Info API
Payment API (_payment)
Handle 3DS / Submit OTP
Verify Payment API
Save Payment Instrument
Repeat Customer ▼
Get Payment Instrument
Get Cryptogram (TAVV)
Get User Cards (PayU Token)
Payment API — Repeat
Handle 3DS / Submit OTP
Verify Payment API
Delete Payment Instrument
Tools & Utilities ▼
ACS Template Decoder

Merchant Config

Key

Salt

Choose Your Integration Flow

Select the card payment product you want to integrate. Each card walks you through the complete flow — from initiation to verification.

Normal S2S Card Payment

Standard server-to-server card payment with 3DS authentication. The most common card integration.

BIN Check→ Payment→ 3DS/OTP→ Verify

Start Flow →

🔒

Pre-Auth Card Payment

Hold funds first, capture later. Ideal for hotels, rentals, and e-commerce.

BIN Check→ Auth→ 3DS/OTP→ Capture/Cancel

Start Flow →

🛡

Tokenization

Save cards securely, pay with tokens — PayU, Network & Issuer tokens.

Model 2: Zero Code• Model 3: REST API

Start Flow →

🔧

Tools & Utilities

ACS template decoder and debugging tools for Cards S2S integration.

ACS Decoder• 3DS Debug• Response Inspector

Open Tools →

💡

PCI DSS Compliance Required

You must be PCI DSS compliant before handling raw card data in any seamless S2S card flow. Use the Merchant Config bar above to set your key & salt once.

Normal S2S Card Payment

📕 Documentation

🔗 S2S Classic Integration Guide

Complete Card Payment Lifecycle

This flow walks you through every API call needed for a standard server-to-server credit/debit card payment — from BIN validation to final verification.

Prerequisite: You must be PCI DSS compliant (or use a PCI-compliant vault/tokenization solution) before handling raw card data in this seamless cards flow.

Seamless Cards Flow (S2S)

3 phases: Pre-Payment (BIN checks + payment hash), Payment (initiate 3DS + optional OTP submission), and Post-Payment (verify final status and reconcile).

Prerequisites

Merchant Key
Used to authenticate PayU

Merchant Salt
Used in hash generation

Card BIN / Card Details
Required for getBinInfo and _payment

Pre-Payment: Validate & Prepare

Validate BIN capabilities, check domestic/international applicability, and keep the correct SHA-512 payment hash ready for _payment.

What you do here

getBinInfo
Inspect network & capabilities

check_isDomestic (optional)
Decide applicability

Payment hash
Generate the correct SHA-512 hash

Get BIN Info API

Retrieve card BIN details — issuing bank, card type (credit/debit), network (Visa/Mastercard/Rupay), and capabilities (ATM PIN, OTP, Zero Redirect, SI support). Supports three modes: single BIN lookup, feature-based filtering, and bulk retrieval with pagination.

POST https://test.payu.in/merchant/postservice.php?form=2 | Command: getBinInfo

Hash: sha512(key|command|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`getBinInfo`	`getBinInfo`
`var1`	Mandatory	Request type: `1` = single BIN lookup, `2` = feature-based BIN list, `3` = all BIN information	`1`
`var2`	Conditional	If var1=1: BIN number (e.g. 512345). If var1=2: `1` (ATM PIN support) or `2` (OTP-on-the-fly). If var1=3: leave empty.	`512345`
`var3`	Optional	Start index for pagination (default: `0`). Used when var1=2 or var1=3.	`0`
`var4`	Optional	Records per page / offset (default: `100`, range: 1–1000). Used when var1=2 or var1=3.	`100`
`var5`	Optional	Set to `1` to get enhanced features: `is_zero_redirect_supported`, `is_si_supported`.	`1`
`hash`	Mandatory	`sha512(key\|getBinInfo\|var1\|salt)`	(computed)

BIN API Use Cases

Use Case	var1	var2	var3	var4	var5	Description
Single BIN Query	1	512345	0	0	0	Get info for a specific BIN
Single BIN + Enhanced	1	512345	0	0	1	Single BIN with zero redirect & SI support
ATM PIN Support Cards	2	1	1	20	0	Get BINs with ATM PIN support
OTP Support Cards	2	2	1	20	0	Get BINs with OTP-on-the-fly support
All Cards – Page 1	3		1	20	0	First 20 cards (records 1–20)
All Cards – Page 2	3		21	20	0	Next 20 cards (records 21–40)
All Cards – Page 3	3		41	20	0	Next 20 cards (records 41–60)
Large Batch Query	3		1	100	0	Get 100 cards at once
Custom Range	3		501	50	0	Cards 501–550

Mandatory Parameters

Merchant Key *

Merchant Salt *

var1 – Request Type * 1 = Single BIN lookup

var2 – BIN / Feature Code BIN number (first 6–9 digits) for single lookup

var3 – Start Index Pagination start index (default: 0)

var4 – Records Per Page Number of records to fetch (1–1000, default: 100)

var5 – Enhanced Features Set to 1 for additional fields like is_zero_redirect_supported

Response Parameters — Use in Normal S2S Payment

Parameter	Values	Use Case in Normal S2S Flow
`issuing_bank`	e.g. `HDFC`, `ICICI`	Identify the issuing bank for display and routing decisions
`bin`	BIN number	The matched BIN (6–9 digits). Use to confirm which BIN PayU resolved
`category`	`creditcard` / `debitcard`	Determine card type for surcharge rules or payment restrictions
`card_type`	`VISA`, `MAST`, `AMEX`, `MAES`, `DINR`	Set `bankcode` parameter in `_payment` API (e.g. `CC` for credit, `DC` for debit)
`is_domestic`	`1` = Domestic, `0` = International	Domestic cards can use Native OTP. International cards typically redirect to 3DS. Also used by `check_isDomestic` step
`is_otp_on_the_fly`	`1` = Supported, `0` = Not	Critical: If `1`, card supports Native OTP (pureS2S). You can use `submit_otp` API in Step 5 instead of 3DS redirect. If `0`, only Bank Page (3DS Redirect) is available
`is_atmpin_card`	`1` / `0`	If `1`, card supports ATM PIN authentication as alternative to OTP
`is_zero_redirect_supported`	`1` / `0`	If `1`, zero redirect (headless) payment is possible. Returned only when `var5=1`
`is_si_supported`	`1` / `0`	If `1`, card supports Standing Instructions (recurring mandates). Returned only when `var5=1`

Check isDomestic (Card BIN API) OPTIONAL

Determines whether a card BIN is domestic (Indian) or international, along with the issuing bank, card type (credit/debit), and card category. This is an optional pre-payment check — use it when you need to:

Apply different surcharges for international vs. domestic cards
Block or allow specific card categories (e.g., only domestic cards)
Show the issuing bank name on your checkout UI
Decide payment routing before initiating the transaction

When to skip this step: If you don’t need to differentiate between domestic and international cards, you can proceed directly to the Payment Phase. The getBinInfo API in Step 1 already returns card type and bank information.

POST https://test.payu.in/merchant/postservice.php?form=2 | Command: check_isDomestic

Hash: sha512(key|command|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU for authentication	`JPg****f`
`command`	Mandatory	`check_isDomestic` — fixed value for this API	`check_isDomestic`
`var1`	Mandatory	First 6 digits of the card number (BIN). Must be exactly 6 digits.	`512345`
`hash`	Mandatory	`sha512(key\|check_isDomestic\|var1\|salt)`	(computed)

Response Fields

Field	Example	Description
`isDomestic`	`Y` / `N`	Y = Domestic (Indian) card, N = International card
`issuingBank`	`HDFC`	Name of the card issuing bank
`cardType`	`VISA`	Card network (VISA, Mastercard, Rupay, etc.)
`cardCategory`	`CC`	`CC` = Credit Card, `DC` = Debit Card

Mandatory Parameters

Merchant Key *

Merchant Salt *

var1 – Card BIN (first 6 digits) * Enter exactly the first 6 digits of the card number

Payment: Execute the Transaction

Send the card payment request to _payment and handle 3DS via acsTemplate and optional OTP submission.

Inputs required

Card data + hash
Include correct hash

S2S parameters
Success & failure URLs

OTP (optional)
Only for Pure S2S when supported

Generate Payment Hash

Before calling the _payment API, you must generate a SHA-512 hash. This hash ensures that no one has tampered with the payment request parameters. It acts as a digital signature between your server and PayU.

Hash Formula for _payment API

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Field	Description	Example
`key`	Merchant Key provided by PayU	a4vGC2
`txnid`	Your unique transaction ID	TXN_1234567890
`amount`	Transaction amount	10.00
`productinfo`	Product description	Test Product
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`udf1–udf5`	User-defined fields — pass empty string if not used	(empty)
`\|\|\|\|\|\|`	Six pipes for empty udf6–udf10 (always required)	\|\|\|\|\|\|
`salt`	Merchant Salt — never expose to client	hKvGJP28d2...

⚠ Security Rules:

Hash MUST be generated server-side — never expose your Salt on the client/browser
Empty UDF fields must remain as empty strings (not omitted) in the hash string
The |||||| (six pipes) between udf5 and salt are for empty udf6–udf10 and are always required

Not included in hash: ccnum, ccvv, ccexpmon, ccexpyr, pg, bankcode, surl, furl, txn_s2s_flow — these are sent as separate parameters but are not part of the hash computation.

In this Integration Lab: The hash is auto-computed client-side for testing convenience. In production, always compute the hash on your server.

Card Payment API (_payment)

Submit the card payment request with all card details, S2S flow parameters, and the generated hash. The txn_s2s_flow=4 parameter enables the Cards Decoupled (S2S) flow.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	`JPg****f`
`txnid`	Mandatory	Unique transaction ID generated by the merchant. PayU rejects duplicate txnids.	`ypl938459435`
`amount`	Mandatory	Payment amount for the transaction	`10.00`
`productinfo`	Mandatory	Brief description of the product	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email address	`test@gmail.com`
`phone`	Mandatory	Customer phone number	`9876543210`
`pg`	Mandatory	Payment gateway type. `CC` for Credit Card, `DC` for Debit Card	`CC`
`bankcode`	Mandatory	Bank code for the card type (e.g. `CC`, `DC`, `AMEX`)	`CC`
`ccnum`	Mandatory	13–19 digit card number (15 for AMEX, 13–19 for Maestro). Validated with LUHN algorithm.	`5123456789012346`
`ccname`	Mandatory	Name on card as entered by the customer	`Test User`
`ccvv`	Mandatory	3-digit CVV (4-digit CID for AMEX)	`123`
`ccexpmon`	Mandatory	Card expiry month in MM format (e.g. `01`, `12`)	`05`
`ccexpyr`	Mandatory	Card expiry year in YYYY format (e.g. `2030`)	`2030`
`surl`	Mandatory	Success URL — PayU redirects here on successful transaction	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL — PayU redirects here on failed transaction	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash: `sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|SALT)`	(computed)
`txn_s2s_flow`	Mandatory	Must be `4` for Cards Decoupled (S2S) flow	`4`
`s2s_client_ip`	Mandatory	The source IP of the customer	`10.200.12.12`
`s2s_device_info`	Mandatory	The customer agent’s device information (User-Agent string)	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`zipcode`	Optional	Customer’s PIN code (6 digits)	`400004`
`address1`	Optional	Billing address line 1 (up to 100 characters). Recommended for higher approval rate.	123 Main Street
`address2`	Optional	Billing address line 2 (up to 100 characters)	Suite 100
`city`	Optional	Customer city (max 50 characters). Recommended for higher approval rate.	Mumbai
`state`	Optional	Customer state (max 50 characters)	Maharashtra
`country`	Optional	Customer country (max 50 characters). Recommended for higher approval rate.	India
`lastname`	Optional	Customer last name (alphabets only)	Kumar
`udf1`	Optional	User-defined field 1 (up to 255 characters)	—
`udf2`	Optional	User-defined field 2 (up to 255 characters)	—
`udf3`	Optional	Date of Birth (DOB) of buyer in DD-MM-YYYY. Recommended for higher approval rate.	22-08-1990
`udf4`	Optional	User-defined field 4 (up to 255 characters)	—
`udf5`	Optional	User-defined field 5 (up to 255 characters)	—
`store_card`	Optional	Set to `1` to tokenize the card for future use	`1`
`user_credentials`	Conditional	Required if `store_card=1`. Format: `merchantKey:uniqueCustomerId`	`JPg****f:customer1`

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Card Number *

Name on Card (ccname) *

Expiry Month *

Expiry Year *

CVV *

PG *

Bank Code (bankcode) *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Conditional Parameters

Store Card — set to 1 to tokenize Set to 1 to tokenize the card for future use

User Credentials — required if store_card=1 Required if store_card=1. Format: merchantKey:uniqueCustomerId

Optional Parameters (included in request only if filled)

Address Line 1 (address1) recommended

Address Line 2 (address2)

City recommended

State

Country recommended

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Last Name (lastname)

Handle 3DS / Submit OTP

After the payment API call, check binData.pureS2SSupported in the response to determine how the customer completes 3DS authentication:

⏳ Waiting for payment response… Send a card payment request in the previous step. The authentication options will appear here automatically.

① Native OTP — Submit OTP API

How it works: Your server sends the customer’s OTP to PayU via the ResponseHandler.php endpoint. The customer stays on your checkout page throughout — no redirects.

POST https://test.payu.in/ResponseHandler.php | Submit OTP

Parameter	Description	Value
`referenceId`	Unique reference from payment response — auto-filled from `metaData.referenceId`	Auto-filled
`otp`	OTP entered by the customer on your page	Test: `123456`
`data`	Must include `payuPureS2S` flag	`{"payuPureS2S":"1"}`

Mandatory Parameters

Reference ID *From metaData.referenceId in the payment response

OTP *Test environment OTP: 123456

② Pay on Bank Page — 3DS Redirect

How it works: The payment response contains an acsTemplate (base64-encoded HTML). When decoded and rendered, it auto-submits a form that redirects the customer to the bank’s 3DS page. After authentication, the bank redirects back to your surl/furl.

⚠ No ACS template received yet. This will load automatically after you send the payment request in the previous step.

🔒 ACS Template Decode Guide

The acsTemplate is a Base64-encoded HTML string. Decode it to get the bank redirect form.

▼ How to Decode Base64 acsTemplate

// JavaScript – Decode Base64 acsTemplate
const acsTemplate = response.result.acsTemplate;
const decodedHtml = atob(acsTemplate);

// Open decoded HTML in popup window
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

Decoded HTML Structure:

<html><body>
<form name="payment_post" action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="txnAmount" value="1.00">
  <input type="hidden" name="txnRefId" value="MANDATE_xxx">
  <input type="hidden" name="ibibo_code" value="ICICENCC">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

⚠ Troubleshooting OTP Errors

E2502 “Payu unable to parse ACS page for native” — PayU test environment issue. Retry or use a different test card.
E501 “Bank was unable to authenticate” — the card may not support native OTP. Use the Bank Page option instead.
E802 “Issuing Bank was temporarily not available” — transient bank simulator issue. Retry after a few moments.

Post-Payment: Verify & Reconcile

Verify via verify_payment, then reconcile status and validate callback integrity using reverse hash.

What you confirm here

Final status
Captured / Auth state

Reverse hash
Verify callback payload

Verify Payment API

Always verify the transaction server-side using verify_payment command. Do not rely solely on callback — network issues can cause missed callbacks. You can verify multiple transaction IDs in a single request by separating them with a pipe (|).

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|command|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`verify_payment` — fixed value for this API	`verify_payment`
`var1`	Mandatory	Transaction ID(s) to verify. Multiple txnids can be separated by pipe (`\|`), e.g. `TXN_001\|TXN_002`	`TXN_001`
`hash`	Mandatory	`sha512(key\|verify_payment\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID *

Handle Callback & Reverse Hash

PayU sends a POST callback to your surl (success) or furl (failure). Verify the response hash before updating your order status.

Reverse Hash Formula

sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)

Security Best Practice

Always verify the reverse hash before trusting callback data
Cross-check with verify_payment API for double confirmation
Check status, amount, and txnid match your records

Pre-Auth Card Payment

📕 Documentation

🔗 Pre-Authorize Card Transactions Guide

Hold Funds & Capture Later

Pre-authorization holds funds on the customer's card without immediately capturing them. Ideal for hotels, car rentals, and e-commerce where the final amount may change. You capture the actual amount later.

Prerequisite: You must be PCI DSS compliant (or use a PCI-compliant vault/tokenization solution) before handling raw card data in this seamless cards flow.

📅 Pre-Auth — 7-Day Authorization Window

Authorization Hold	Checks fund availability and holds the required amount on the payer’s card for up to 7 days. Funds are not debited at this stage.
Capture	A `capture_transaction` request debits the funds from the payer’s card. You can capture the full amount or a partial amount (partial capture). After partial capture, the remaining balance is cancelled immediately.
Auto Capture	PayU automatically captures the authorized amount on the 7th day if no capture or cancel request is received. Merchants can opt for Auto Cancel or set a custom auto-capture window.
Cancel	Cancel applies only to authorized (uncaptured) transactions. Once captured, the transaction can only be refunded, not cancelled.
Supported Cards	Pre-auth is supported on Visa, Mastercard, and Amex Credit Cards.

⏱ 7-day hold period ✔ Full or partial capture 🔄 Auto capture on Day 7 ✘ No multiple partial captures

Note: PayU does not support multiple partial captures on a single authorization request. After a partial amount is captured, the remaining balance is cancelled immediately. If no action is taken within 7 days, PayU auto-captures the full authorized amount by default.

Seamless Pre-Auth Lifecycle

Phase 1: BIN + payment hash prep. Phase 2: _payment with pre_authorize=1. Phase 3: verify hold and capture (or cancel hold).

Prerequisites

pre_authorize=1
Holds funds (auth state)

capture_transaction
Captures the final amount

cancel_transaction (optional)
Cancel the hold if needed

Pre-Payment: Validate & Prepare

Same as normal S2S: generate the correct payment hash first. The pre_authorize=1 flag is included only in the payment request.

Key steps

getBinInfo
BIN capabilities

Payment hash
SHA-512 hash for _payment

Get BIN Info API

Retrieve card BIN details before initiating a pre-authorized payment — issuing bank, card type, network, and capabilities (ATM PIN, OTP, Zero Redirect, SI). Supports single BIN lookup, feature-based filtering, and bulk retrieval.

POST https://test.payu.in/merchant/postservice.php?form=2 | Command: getBinInfo

Hash: sha512(key|command|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`getBinInfo`	`getBinInfo`
`var1`	Mandatory	Request type: `1` = single BIN, `2` = feature-based list, `3` = all BINs	`1`
`var2`	Conditional	If var1=1: BIN number. If var1=2: `1` (ATM PIN) or `2` (OTP). If var1=3: leave empty.	`512345`
`var3`	Optional	Start index for pagination (default: `0`)	`0`
`var4`	Optional	Records per page (default: `100`, range: 1–1000)	`100`
`var5`	Optional	Set to `1` for enhanced features (zero redirect, SI support)	`1`
`hash`	Mandatory	`sha512(key\|getBinInfo\|var1\|salt)`	(computed)

BIN API Use Cases

Use Case	var1	var2	var3	var4	var5	Description
Single BIN Query	1	512345	0	0	0	Get info for a specific BIN
Single BIN + Enhanced	1	512345	0	0	1	Single BIN with zero redirect & SI support
ATM PIN Support Cards	2	1	1	20	0	Get BINs with ATM PIN support
OTP Support Cards	2	2	1	20	0	Get BINs with OTP-on-the-fly support
All Cards – Page 1	3		1	20	0	First 20 cards (records 1–20)
All Cards – Page 2	3		21	20	0	Next 20 cards (records 21–40)
Large Batch Query	3		1	100	0	Get 100 cards at once
Custom Range	3		501	50	0	Cards 501–550

Mandatory Parameters

Merchant Key *

Merchant Salt *

var1 – Request Type * 1 = Single BIN lookup

var2 – BIN / Feature Code BIN number (first 6–9 digits) for single lookup

var3 – Start Index Pagination start index (default: 0)

var4 – Records Per Page Number of records (1–1000, default: 100)

var5 – Enhanced Features Set to 1 for additional fields

Response Parameters — Use in Pre-Auth Payment

Parameter	Values	Use Case in Pre-Auth Flow
`issuing_bank`	e.g. `HDFC`, `ICICI`	Identify the issuing bank. Some banks may have pre-auth limits or restrictions
`bin`	BIN number	The matched BIN (6–9 digits). Confirms the BIN PayU resolved for this card
`category`	`creditcard` / `debitcard`	Important: Pre-auth is primarily supported on credit cards. Some debit cards may not support pre-auth — check before proceeding
`card_type`	`VISA`, `MAST`, `AMEX`, `MAES`, `DINR`	Determine card network. Pre-auth support varies by network. Set `bankcode` as `CC` for pre-auth payment
`is_domestic`	`1` = Domestic, `0` = International	Domestic cards can use S2S Native OTP for pre-auth. International cards redirect to 3DS for authentication
`is_otp_on_the_fly`	`1` = Supported, `0` = Not	Critical: If `1`, card supports Native OTP for pre-auth. You can authenticate via `submit_otp` API in Step 4 instead of bank page redirect. If `0`, only 3DS Redirect works
`is_atmpin_card`	`1` / `0`	If `1`, card supports ATM PIN based authentication
`is_zero_redirect_supported`	`1` / `0`	If `1`, zero redirect flow is possible for pre-auth. Returned only when `var5=1`
`is_si_supported`	`1` / `0`	If `1`, card supports Standing Instructions — useful for recurring pre-auth scenarios. Returned only when `var5=1`

Payment: Submit Pre-Authorization

Call _payment with pre_authorize=1 to hold funds. Final debit happens later when you capture.

Expected result

✓

Hold state
Auth (not captured yet)

Generate Payment Hash

Before calling _payment with pre_authorize=1, you must generate a SHA-512 hash. This hash ensures that no one has tampered with the payment request parameters. The hash formula is identical to a normal payment.

Hash Formula for Pre-Auth _payment API

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Field	Description	Example
`key`	Merchant Key provided by PayU	a4vGC2
`txnid`	Your unique transaction ID	TXN_1234567890
`amount`	Pre-auth hold amount	10.00
`productinfo`	Product description	Test Product
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`udf1–udf5`	User-defined fields — pass empty string if not used	(empty)
`\|\|\|\|\|\|`	Six pipes for empty udf6–udf10 (always required)	\|\|\|\|\|\|
`salt`	Merchant Salt — never expose to client	hKvGJP28d2...

⚠ Security Rules:

Hash MUST be generated server-side — never expose your Salt on the client/browser
Empty UDF fields must remain as empty strings (not omitted) in the hash string
The |||||| (six pipes) between udf5 and salt are for empty udf6–udf10 and are always required

Not included in hash: pre_authorize, ccnum, ccvv, ccexpmon, ccexpyr, pg, bankcode, surl, furl, txn_s2s_flow — these are sent as separate parameters. The pre_authorize=1 flag does not change the hash formula.

In this Integration Lab: The hash is auto-computed client-side for testing convenience. In production, always compute the hash on your server.

Pre-Auth Payment API (_payment with pre_authorize=1)

Submit a pre-authorization request to hold funds on the customer’s card without debiting. The pre_authorize=1 parameter is the only difference from a normal card payment.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	`JPg****f`
`txnid`	Mandatory	Unique transaction ID generated by the merchant. PayU rejects duplicate txnids.	`ypl938459435`
`amount`	Mandatory	Payment amount to hold on the card	`18000`
`productinfo`	Mandatory	Brief description of the product	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email address	`test@gmail.com`
`phone`	Mandatory	Customer phone number	`9876543210`
`pg`	Mandatory	`CC` for Credit Card	`CC`
`bankcode`	Mandatory	Bank code for the card (e.g. `CC`, `AMEX`)	`CC`
`ccnum`	Mandatory	13–19 digit card number (15 for AMEX). Validated with LUHN algorithm.	`5123456789012346`
`ccname`	Mandatory	Name on card as entered by the customer	`Test User`
`ccvv`	Mandatory	3-digit CVV (4-digit CID for AMEX)	`123`
`ccexpmon`	Mandatory	Card expiry month in MM format (e.g. `01`, `12`)	`05`
`ccexpyr`	Mandatory	Card expiry year in YYYY format (e.g. `2030`)	`2030`
`surl`	Mandatory	Success URL — PayU redirects here on successful authorization	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL — PayU redirects here on failed authorization	https://test.payu.in/admin/test_response
`pre_authorize`	Mandatory	Must be `1` for pre-authorization. This holds funds without debiting.	`1`
`hash`	Mandatory	SHA-512 hash (see Generate Payment Hash step above). `pre_authorize` is NOT included in hash.	(computed)
`txn_s2s_flow`	Mandatory	Must be `4` for Cards Decoupled (S2S) flow	`4`
`s2s_client_ip`	Mandatory	The source IP of the customer	`10.200.12.12`
`s2s_device_info`	Mandatory	The customer agent’s device information (User-Agent string)	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`address1`	Optional	Billing address line 1 (recommended for fraud detection)	123 Main Street
`address2`	Optional	Billing address line 2	Suite 100
`city`	Optional	Customer city	Mumbai
`state`	Optional	Customer state	Maharashtra
`country`	Optional	Customer country	India
`zipcode`	Optional	Billing zip code	`400004`
`udf1`–`udf5`	Optional	User-defined fields to store additional info per transaction	—

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Card Number *

Name on Card *

Expiry Month *

Expiry Year *

CVV *

PG *

Bank Code (bankcode) * Bank code for the card (e.g. CC, DC, AMEX)

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Pre-Authorize (pre_authorize) * Must be 1 for pre-authorization. Holds funds without debiting.

Optional Parameters (included in request only if filled)

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Handle 3DS / Submit OTP

After the payment API call, check binData.pureS2SSupported in the response to determine how the customer completes 3DS authentication:

⏳ Waiting for payment response… Send a pre-auth payment request in the previous step. The authentication options will appear here automatically.

① Native OTP — Submit OTP API

How it works: Your server sends the customer’s OTP to PayU via the ResponseHandler.php endpoint. The customer stays on your checkout page throughout — no redirects.

POST https://test.payu.in/ResponseHandler.php | Submit OTP

Parameter	Description	Value
`referenceId`	Unique reference from payment response — auto-filled from `metaData.referenceId`	Auto-filled
`otp`	OTP entered by the customer on your page	Test: `123456`
`data`	Must include `payuPureS2S` flag	`{"payuPureS2S":"1"}`

Mandatory Parameters

Reference ID *From metaData.referenceId in the payment response

OTP *Test environment OTP: 123456

② Pay on Bank Page — 3DS Redirect

⚠ No ACS template received yet. This will load automatically after you send the payment request in the previous step.

🔒 ACS Template Decode Guide

The acsTemplate is a Base64-encoded HTML string. Decode it to get the bank redirect form.

▼ How to Decode Base64 acsTemplate

// JavaScript – Decode Base64 acsTemplate
const acsTemplate = response.result.acsTemplate;
const decodedHtml = atob(acsTemplate);

// Open decoded HTML in popup window
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

Decoded HTML Structure:

<html><body>
<form name="payment_post" action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="txnAmount" value="1.00">
  <input type="hidden" name="txnRefId" value="MANDATE_xxx">
  <input type="hidden" name="ibibo_code" value="ICICENCC">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

⚠ Troubleshooting OTP Errors

E2502 “Payu unable to parse ACS page for native” — PayU test environment issue. Retry or use a different test card.
E501 “Bank was unable to authenticate” — the card may not support native OTP. Use the Bank Page option instead.
E802 “Issuing Bank was temporarily not available” — transient bank simulator issue. Retry after a few moments.

Post-Payment: Verify, Capture & Reconcile

Verify the hold (auth), then capture (auth => captured). Optionally cancel the hold.

Key operations

verify_payment
Confirm auth state

capture_transaction
Capture the final amount

Verify Payment (Check Auth Status)

Verify the pre-auth transaction server-side using verify_payment command. Look for unmappedstatus: auth in the response which confirms funds are held on the card.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|verify_payment|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`verify_payment` — fixed value for this API	`verify_payment`
`var1`	Mandatory	Transaction ID(s) to verify. Multiple txnids can be separated by pipe (`\|`)	`TXN_001`
`hash`	Mandatory	`sha512(key\|verify_payment\|var1\|salt)`	(computed)

Key Response Field: Check transaction_details.<txnid>.unmappedstatus — value auth confirms the pre-authorization hold is active. After capture, this changes to captured.

Transaction ID *

Optional: Cancel Pre-Authorized Transaction API

Cancel the pre-authorized (held) payment using PayU cancel_transaction. This command cancels the hold and releases the funds back to the card. Cancel is only applicable to Authorization requests — any captured transaction can only be refunded.

POST https://test.payu.in/merchant/postservice.php?form=2

Hash: sha512(key|cancel_transaction|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`cancel_transaction` — fixed value	`cancel_transaction`
`var1`	Mandatory	PayU ID (`mihpayid`) from the pre-auth or verify_payment response	`403993715537230966`
`var2`	Mandatory	Merchant unique reference number (token) for this cancel request	`CANCEL_REF_001`
`hash`	Mandatory	`sha512(key\|cancel_transaction\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

PayU ID (mihpayid) * var1 = PayU transaction reference ID

Cancel Token (var2) * var2 = Merchant unique reference number

Capture Transaction API

Capture the pre-authorized amount to actually debit the customer’s card. The captured amount can be less than or equal to the authorized amount (partial capture). After partial capture, the remaining balance is cancelled automatically.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|capture_transaction|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`capture_transaction` — fixed value for this API	`capture_transaction`
`var1`	Mandatory	PayU ID (`mihpayid`) generated by PayU as part of the pre-authorize operation	`403993715537230966`
`var2`	Mandatory	Merchant unique reference number (token) for this capture request	`CAPTURE_REF_001`
`var3`	Mandatory	Amount to capture — must be ≤ authorized amount. Partial capture is supported.	`18000`
`hash`	Mandatory	`sha512(key\|capture_transaction\|var1\|salt)`	(computed)

Response: On success, the response contains "status": 1, "msg": "Capture Request Queued", a request_id, and bank_ref_num. Always verify the final status using verify_payment after capture.

Mandatory Parameters

Merchant Key *

Merchant Salt *

PayU ID (mihpayid) * var1 = PayU's transaction reference ID

Unique Request ID * var2 = Unique identifier for this capture request

Capture Amount * var3 = Amount to capture (can be partial)

Verify Final Status (After Capture)

After capture, verify again using verify_payment to confirm the transaction status. The unmappedstatus should change from auth to captured, confirming the funds have been debited.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|verify_payment|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`verify_payment` — fixed value for this API	`verify_payment`
`var1`	Mandatory	Transaction ID(s) to verify. Multiple txnids can be separated by pipe (`\|`)	`TXN_001`
`hash`	Mandatory	`sha512(key\|verify_payment\|var1\|salt)`	(computed)

Expected Status Progression:
• After pre-auth: unmappedstatus = auth (funds held)
• After capture: unmappedstatus = captured (funds debited)
• If cancelled: unmappedstatus = auth with cancellation reflected

⏳ Note: Capture takes ~1 minute to process

PayU processes capture requests via a background cron that runs every ~1 minute. After clicking “Verify Final Status”, if the status is still auth, the tool will automatically retry every 10 seconds (up to ~80 seconds) until the status changes to captured.

Final Verify Request

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Card Tokenization

Save Cards Securely & Pay with Tokens

Tokenization replaces sensitive card data with secure tokens per RBI guidelines. Choose the model that fits your integration needs. Each model below shows the complete Pre-Payment, Payment & Post-Payment lifecycle.

Prerequisite: You must be PCI DSS compliant (or use a PCI-compliant tokenization flow) before handling raw card data during first-time token creation.

Model 2: Zero Code Change

Just add store_card=1 & user_credentials to your existing payment request. PayU tokenizes automatically.

Model 3: REST API Integration

Full control with save_payment_instrument, get_payment_instrument, delete_payment_instrument & Cryptogram APIs.

Model 2 – Zero Code Change

📕 Documentation

🔗 Zero Code Change for Vault Integration (Model 2)

How it works

PayU is onboarded as token requestor. You pass consent (store_card=1) and a user ID (user_credentials) during payment. PayU processes the transaction, creates network/issuer tokens, and stores them on your behalf. For repeat payments, retrieve saved cards with get_user_cards and pay using the token + CVV.

Select your customer journey to see the step-by-step API flow:

First-Time Customer

New customer paying for the first time. Collect card details, process the payment with store_card=1, and the card is automatically tokenized by PayU.

Flow: Validate BIN → Generate Hash → Payment with store_card=1 → 3DS Auth → Verify Payment
Card token is returned automatically in the payment response.

Repeat Customer

Returning customer with a previously saved card. Fetch their saved cards, let them pick one, enter CVV, and process payment using the stored token.

Flow: Get Saved Cards → Customer selects card → Generate Hash → Payment with store_card_token + CVV → 3DS Auth → Verify

Pre-Payment: Validate Card & Retrieve Saved Cards

For first-time customers, validate the card BIN. For returning customers, also fetch their saved (tokenized) cards using get_user_cards.

Get BIN Info API

Validate the card BIN (first 6–8 digits) to check card type, issuing bank, card category (domestic/international), capabilities (ATM PIN, OTP, Zero Redirect, SI) before proceeding with tokenized payment.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|getBinInfo|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU for authentication	`JPg****f`
`command`	Mandatory	`getBinInfo` — fixed value for this API	`getBinInfo`
`var1`	Mandatory	Request type: `1` = single BIN lookup, `2` = feature-based BIN list, `3` = all BINs	`1`
`var2`	Conditional	If var1=1: BIN number (e.g. `512345`). If var1=2: `1` (ATM PIN) or `2` (OTP). If var1=3: leave empty.	`512345`
`var3`	Optional	Start index for pagination (default: `0`)	`0`
`var4`	Optional	Records per page (default: `100`, range: 1–1000)	`100`
`var5`	Optional	Set to `1` to fetch enhanced features (`is_zero_redirect_supported`, `is_si_supported`)	`1`
`hash`	Mandatory	`sha512(key\|getBinInfo\|var1\|salt)`	(computed)

BIN API Use Cases

Use Case	var1	var2	var3	var4	var5	Description
Single BIN Query	1	512345	0	0	0	Get info for a specific BIN
Single BIN + Enhanced	1	512345	0	0	1	Single BIN with zero redirect & SI support
ATM PIN Support Cards	2	1	1	20	0	Get BINs with ATM PIN support
OTP Support Cards	2	2	1	20	0	Get BINs with OTP-on-the-fly support
All Cards – Page 1	3		1	20	0	First 20 cards (records 1–20)
Large Batch Query	3		1	100	0	Get 100 cards at once

Mandatory Parameters

Merchant Key *

Merchant Salt *

var1 – Request Type * 1 = Single BIN lookup

var2 – BIN / Feature Code BIN number (first 6–9 digits) for single lookup

var3 – Start IndexPagination start index (default: 0)

var4 – Records Per PageNumber of records (1–1000, default: 100)

var5 – Enhanced Features

Response Parameters — Use in Tokenization Model 2 (Zero Code Change)

Parameter	Values	Use Case in Model 2 Tokenization
`issuing_bank`	e.g. `HDFC`, `ICICI`	Display issuing bank to user during card entry. Helps confirm card identity before tokenization
`bin`	BIN number	The resolved BIN. Use for pre-validation before sending `_payment` with `store_card=1`
`category`	`creditcard` / `debitcard`	Show card category to user. Both credit and debit cards support Model 2 tokenization
`card_type`	`VISA`, `MAST`, `AMEX`, `MAES`, `DINR`	Identify card network. Tokenization support varies: `VISA`, `MAST`, `AMEX` fully supported. `DINR` uses issuer tokens. Use to set `bankcode` in payment
`is_domestic`	`1` = Domestic, `0` = International	Domestic cards support S2S Native OTP for tokenized payment. International cards go through 3DS redirect
`is_otp_on_the_fly`	`1` = Supported, `0` = Not	Critical for 3DS step: If `1`, both Native OTP and 3DS Redirect options appear in Step 4. If `0`, only Pay on Bank Page (3DS Redirect) is available. This directly controls the `pureS2SSupported` behavior
`is_atmpin_card`	`1` / `0`	If `1`, ATM PIN authentication may be available as an alternative during tokenized payment
`is_zero_redirect_supported`	`1` / `0`	If `1`, zero redirect (headless) tokenized payment is possible. Returned only when `var5=1`
`is_si_supported`	`1` / `0`	If `1`, card supports Standing Instructions with tokenization — useful for subscription-based repeat payments. Returned only when `var5=1`

Model 2 Tip: For first-time customers, always check is_otp_on_the_fly before payment — it determines whether you can use Native OTP (submit_otp API) or must use 3DS Redirect after the _payment call with store_card=1. For repeat customers using store_card_token, the same parameter applies for authentication method selection.

Get User Cards API Repeat customers only

Retrieve saved (tokenized) cards for a returning customer. Returns card_token, masked card number, card type, card mode, and token details (network/issuer). Customer selects a saved card and enters only CVV.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|get_user_cards|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPM7Fg`
`command`	Mandatory	API command — fixed value `get_user_cards`	`get_user_cards`
`var1`	Mandatory	User credentials in format `merchantKey:userId`. Must match what was used during `save_payment_instrument` or `store_card`.	`JPM7Fg:abc`
`hash`	Mandatory	`sha512(key\|get_user_cards\|var1\|salt)`	Computed hash

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *Format: merchantKey:userId — e.g. a4vGC2:test_customer1

Note: If no cards have been saved for this user, the API returns {"status":0, "msg":"Card not found."}. This is expected for first-time users. Cards are saved only after a successful payment with store_card=1.

Payment: Execute with Card or Saved Token

For first-time customers, send full card details with store_card=1. For returning customers, send store_card_token + CVV.

Generate Payment Hash

Before calling _payment, you must generate a SHA-512 hash. This hash ensures that no one has tampered with the payment request parameters. The hash formula is the same for both first-time and repeat customers.

Hash Formula for Model 2 _payment API

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Field	Description	Example
`key`	Merchant Key provided by PayU	a4vGC2
`txnid`	Your unique transaction ID	TXN_1234567890
`amount`	Transaction amount	10.00
`productinfo`	Product description	Test Product
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`udf1–udf5`	User-defined fields — pass empty string if not used	(empty)
`\|\|\|\|\|\|`	Six pipes for empty udf6–udf10 (always required)	\|\|\|\|\|\|
`salt`	Merchant Salt — never expose to client	hKvGJP28d2...

⚠ Security Rules:

Hash MUST be generated server-side — never expose your Salt on the client/browser
Empty UDF fields must remain as empty strings (not omitted) in the hash string
The |||||| (six pipes) between udf5 and salt are for empty udf6–udf10 and are always required

Not included in hash: store_card, user_credentials, store_card_token, ccnum, ccvv, ccexpmon, ccexpyr, pg, bankcode, surl, furl, txn_s2s_flow — tokenization parameters and card details are sent separately but are not part of the hash computation.

In this Integration Lab: The hash is auto-computed client-side for testing convenience. In production, always compute the hash on your server.

Payment API — First-Time Customer

Send full card details with two extra tokenization parameters (store_card=1 and user_credentials) to instruct PayU to tokenize the card after successful payment. The _payment API processes the transaction first, then creates a network/issuer token which is stored in PayU Vault.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	`JPg****f`
`txnid`	Mandatory	Unique transaction ID generated by the merchant	`ypl938459435`
`amount`	Mandatory	Payment amount (e.g. `10.00`)	`10.00`
`productinfo`	Mandatory	Brief description of the product	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email address	`test@gmail.com`
`phone`	Mandatory	Customer phone number	`9876543210`
`pg`	Mandatory	`CC` for Credit Card	`CC`
`bankcode`	Mandatory	Card bank code (e.g. `CC`, `AMEX`)	`CC`
`ccnum`	Mandatory	Full card number (13–19 digits, validated with LUHN)	`5123456789012346`
`ccname`	Mandatory	Name on card as entered by the customer	`Test User`
`ccvv`	Mandatory	3-digit CVV (4-digit CID for AMEX)	`123`
`ccexpmon`	Mandatory	Card expiry month in MM format (e.g. `05`)	`05`
`ccexpyr`	Mandatory	Card expiry year in YYYY format (e.g. `2030`)	`2030`
`surl`	Mandatory	Success URL — PayU redirects here on successful payment	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL — PayU redirects here on failed payment	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash (see Generate Payment Hash step above)	(computed)
`store_card`	Mandatory	`1` = customer consent to save card. `0` = no consent.	`1`
`user_credentials`	Mandatory	`merchantKey:uniqueUserId` — identifies the customer	`JPg****f:customer1`
`txn_s2s_flow`	Mandatory	`4` — enables S2S JSON response format	`4`
`s2s_client_ip`	Mandatory	Customer’s IP address (e.g. `10.200.12.12`)	`10.200.12.12`
`s2s_device_info`	Mandatory	Customer’s User-Agent string	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`address1`, `address2`	Optional	Billing address (recommended for fraud detection)	123 Main Street
`city`, `state`, `country`, `zipcode`	Optional	Billing address details	Mumbai, MH, India, 400004
`udf1`–`udf5`	Optional	User-defined fields for additional transaction info	—

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Card Number *Test cards: 5506900480000008 (MC) • 4895370077346937 (Visa) — OTP: 123456

Name on Card *

Expiry Month *

Expiry Year *

CVV *

PG *

Bank Code (bankcode) *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Conditional Parameters

Store Card (store_card) *1 = customer consent to save card

User Credentials *Format: merchantKey:uniqueUserId

Optional Parameters (included in request only if filled)

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Response: On success, PayU returns cardToken in the callback response. Store this token for repeat payments.

Payment API — Repeat Customer (Saved Token)

Send the store_card_token instead of full card details. Card number, name, expiry are not needed — PayU resolves them from the token. CVV is optional for saved card transactions.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`txnid`	Mandatory	Unique transaction ID generated by the merchant	`ypl938459435`
`amount`	Mandatory	Payment amount	`10.00`
`productinfo`	Mandatory	Brief description of the product	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email address	`test@gmail.com`
`phone`	Mandatory	Customer phone number	`9876543210`
`pg`	Mandatory	`CC` for Credit Card	`CC`
`bankcode`	Mandatory	Card bank code (e.g. `CC`)	`CC`
`surl`	Mandatory	Success URL	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash (same formula as first-time payment)	(computed)
`user_credentials`	Mandatory	`merchantKey:uniqueUserId` — must match value used during card save	`JPg****f:customer1`
`store_card_token`	Mandatory	Card token from `get_user_cards` response (`card_token` field)	`abc123tokenxyz`
`txn_s2s_flow`	Mandatory	`4` — enables S2S JSON response format	`4`
`s2s_client_ip`	Mandatory	Customer’s IP address	`10.200.12.12`
`s2s_device_info`	Mandatory	Customer’s User-Agent string	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`ccvv`	Optional	CVV — not required for saved card transactions	`123`
`storecard_token_type`	Optional	`0` for PayU token hub (default if omitted)	`0`
`address1`, `address2`	Optional	Billing address (recommended for fraud detection)	123 Main Street
`city`, `state`, `country`, `zipcode`	Optional	Billing address details	Mumbai, MH, India, 400004
`udf1`–`udf5`	Optional	User-defined fields for additional transaction info	—

Not needed for repeat: ccnum, ccname, ccexpmon, ccexpyr, store_card — card details are resolved from the token by PayU.

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Store Card Token * Select from dropdown (populated after Get User Cards API) or enter manually. The card_token from the response.

CVV (optional)Optional for saved card transactions. Test CVV: 123

Token Type (storecard_token_type) (optional) 0 for PayU token hub (default if omitted)

User Credentials *Format: merchantKey:uniqueUserId

PG *

Bank Code (bankcode) *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Optional Parameters (included in request only if filled)

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Handle 3DS Authentication / Submit OTP

After the payment API call, check binData.pureS2SSupported in the response to determine how the customer completes 3DS authentication:

⏳ Waiting for payment response… Send a payment request in the previous step. The authentication options will appear here automatically.

① Native OTP — Submit OTP API

How it works: Your server sends the customer’s OTP to PayU via the ResponseHandler.php endpoint. The customer stays on your checkout page throughout — no redirects.

POST https://test.payu.in/ResponseHandler.php | Submit OTP

Parameter	Description	Value
`referenceId`	Unique reference from payment response — auto-filled from `metaData.referenceId`	Auto-filled
`otp`	OTP entered by the customer on your page	Test: `123456`
`data`	Must include `payuPureS2S` flag	`{"payuPureS2S":"1"}`

Mandatory Parameters

Reference ID *From metaData.referenceId in the payment response

OTP *Test environment OTP: 123456

② Pay on Bank Page — 3DS Redirect

⚠ No ACS template received yet. This will load automatically after you send the payment request in the previous step.

🔒 ACS Template Decode Guide

The acsTemplate is a Base64-encoded HTML string. Decode it to get the bank redirect form.

▼ How to Decode Base64 acsTemplate

// JavaScript – Decode Base64 acsTemplate
const acsTemplate = response.result.acsTemplate;
const decodedHtml = atob(acsTemplate);

// Open decoded HTML in popup window
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

Decoded HTML Structure:

<html><body>
<form name="payment_post" action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="txnAmount" value="1.00">
  <input type="hidden" name="txnRefId" value="MANDATE_xxx">
  <input type="hidden" name="ibibo_code" value="ICICENCC">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

Post-Payment: Verify & Collect Token

Verify the transaction. For first-time payments, the cardToken is returned in the callback — store it for future repeat payments.

Verify Payment API

Confirm the transaction status server-side using verify_payment command. Always verify before trusting callback data. You can verify multiple transactions by separating txnid values with a pipe (|).

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|verify_payment|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`verify_payment` — fixed value for this API	`verify_payment`
`var1`	Mandatory	Transaction ID(s) to verify. Multiple txnids separated by pipe (`\|`)	`TXN_001`
`hash`	Mandatory	`sha512(key\|verify_payment\|var1\|salt)`	(computed)

Mandatory Parameters

Transaction ID *

Handle Callback & Store Token

PayU's callback (surl/furl) for a first-time payment includes cardToken. Store this securely in your database linked to the customer ID for future repeat payments.

Key Callback Fields (First-time)

status=success
cardToken=28b99d39e83e8031caa7ad   ← Store this for repeat payments
cardnum=XXXXXXXXXXXX2346
mode=CC
unmappedstatus=captured

Reverse Hash Verification

Always verify sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key) before trusting callback data.

Delete Payment Instrument (Delete Saved Card)

Remove a saved token when the customer revokes consent or the card expires. Use delete_payment_instrument (or delete_user_card) API.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|delete_payment_instrument|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`delete_payment_instrument` — fixed value for this API	`delete_payment_instrument`
`var1`	Mandatory	User credentials: `merchantKey:userId`	`JPg****f:customer1`
`var2`	Mandatory	Card token (`cardToken`) to delete	`abc123tokenxyz`
`var3`	Optional	Network token value (if deleting specific network token)	—
`var4`	Optional	Issuer token value (if deleting specific issuer token)	—
`hash`	Mandatory	`sha512(key\|delete_payment_instrument\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *

Token to Delete (var2) * Select from dropdown (populated after Get User Cards) or enter manually.

Optional Parameters

Network Token (var3) (optional)Optional — specify to delete a specific network token

Issuer Token (var4) (optional)Optional — specify to delete a specific issuer token

Model 3 – Simple REST API Integration

📕 Documentation

🔗 Simple REST APIs for Vault Integration (Model 3)

How it works

You have full control over the token lifecycle using dedicated REST APIs. For first-time transactions, process the payment first, then call save_payment_instrument to create the token. For repeat transactions, retrieve saved cards via get_user_cards or token details via get_payment_instrument, and optionally get the cryptogram for network tokens. You can also process tokens outside PayU.

Select your customer journey to see the step-by-step API flow:

First-Time Customer

New customer paying with a fresh card. Process the payment first, then explicitly call save_payment_instrument API to create the token. You control when and how the token is created.

Flow: Validate BIN → Generate Hash → Payment (plain card) → 3DS Auth → Verify → save_payment_instrument
Token is created explicitly after a successful payment.

Repeat Customer

Returning customer using a previously tokenized card. Retrieve token details via get_payment_instrument, fetch the cryptogram (TAVV), and process payment using the network token.

Flow: Get Payment Instrument → Get Cryptogram → Generate Hash → Payment with Network Token → 3DS Auth → Verify

Pre-Payment: Validate Card, Retrieve Tokens & Cryptogram

For first-time customers, collect card details and consent, then validate the BIN. For repeat customers, retrieve saved cards via get_user_cards or token details via get_payment_instrument, and optionally get the cryptogram (TAVV) for network token transactions.

Get BIN Info API

Validate the card BIN (first 6–8 digits) to check card type, issuing bank, card category (domestic/international), supported authentication methods, and token capabilities before proceeding with REST API tokenization.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|getBinInfo|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU for authentication	`JPg****f`
`command`	Mandatory	`getBinInfo` — fixed value for this API	`getBinInfo`
`var1`	Mandatory	Request type: `1` = single BIN lookup, `2` = feature-based BIN list, `3` = all BINs	`1`
`var2`	Conditional	If var1=1: BIN number (e.g. `512345`). If var1=2: `1` (ATM PIN) or `2` (OTP). If var1=3: leave empty.	`512345`
`var3`	Optional	Start index for pagination (default: `0`)	`0`
`var4`	Optional	Records per page (default: `100`, range: 1–1000)	`100`
`var5`	Optional	Set to `1` to fetch enhanced features (`is_zero_redirect_supported`, `is_si_supported`)	`1`
`hash`	Mandatory	`sha512(key\|getBinInfo\|var1\|salt)`	(computed)

BIN API Use Cases

Use Case	var1	var2	var3	var4	var5	Description
Single BIN Query	1	512345	0	0	0	Get info for a specific BIN
Single BIN + Enhanced	1	512345	0	0	1	Single BIN with zero redirect & SI support
ATM PIN Support Cards	2	1	1	20	0	Get BINs with ATM PIN support
OTP Support Cards	2	2	1	20	0	Get BINs with OTP-on-the-fly support
All Cards – Page 1	3		1	20	0	First 20 cards (records 1–20)
Large Batch Query	3		1	100	0	Get 100 cards at once

Try It – Get BIN Info

Merchant Key *

Merchant Salt *

var1 – Request Type * 1 = Single BIN lookup

var2 – BIN / Feature Code BIN number (first 6–9 digits) for single lookup

var3 – Start IndexPagination start index (default: 0)

var4 – Records Per PageNumber of records (1–1000, default: 100)

var5 – Enhanced Features

Response Parameters — Use in Tokenization Model 3 (REST API Integration)

Parameter	Values	Use Case in Model 3 Tokenization
`issuing_bank`	e.g. `HDFC`, `ICICI`	Identify issuing bank. Used for display and helps determine token provisioning path (network vs issuer)
`bin`	BIN number	The resolved BIN. Validate before calling `save_payment_instrument` for first-time or `get_payment_details` for repeat
`category`	`creditcard` / `debitcard`	Card category. Both types support Model 3. Debit cards may have different token provisioning behavior
`card_type`	`VISA`, `MAST`, `AMEX`, `MAES`, `DINR`	Critical for token type: `VISA`/`MAST` → Network Token (`storecard_token_type=1`). `DINR` (Diners) → Issuer Token (`storecard_token_type=2`). Determines which token path to use in repeat payments
`is_domestic`	`1` = Domestic, `0` = International	Domestic cards support S2S Native OTP. International cards use 3DS redirect for authentication during payment
`is_otp_on_the_fly`	`1` = Supported, `0` = Not	Critical for 3DS step: If `1`, both Native OTP and 3DS Redirect options appear in the Handle 3DS step. If `0`, only Pay on Bank Page (3DS Redirect) is available. Controls `pureS2SSupported` in the `_payment` response
`is_atmpin_card`	`1` / `0`	If `1`, ATM PIN authentication may be available during tokenized payment
`is_zero_redirect_supported`	`1` / `0`	If `1`, zero redirect (headless) flow possible for tokenized payments. Returned only when `var5=1`
`is_si_supported`	`1` / `0`	If `1`, card supports Standing Instructions — useful for subscription payments with saved tokens. Returned only when `var5=1`

Model 3 Tip: card_type is the most important parameter for Model 3. It determines the token type for repeat payments:

VISA/MAST → Use Network Token (storecard_token_type=1) with TAVV from get_payment_details
DINR → Use Issuer Token (storecard_token_type=2) with trMerchantId, tokenReferenceId, tokenBank from cryptogram
Any card → Can also use PayU Token (storecard_token_type=0) via get_user_cards

Get User Cards API Repeat customers only

Retrieve all saved (tokenized) cards for a returning customer. Returns card_token, masked card number, card type, card mode, and token details. Customer selects a saved card and enters only CVV for repeat payment.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|get_user_cards|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPM7Fg`
`command`	Mandatory	Fixed value `get_user_cards`	`get_user_cards`
`var1`	Mandatory	User credentials: `merchantKey:userId`. Must match what was used during card save.	`JPM7Fg:abc`
`hash`	Mandatory	`sha512(key\|get_user_cards\|var1\|salt)`	(computed)

Merchant Key *

Merchant Salt *

User Credentials (var1) *Format: merchantKey:userId — must match what was used during card save

Note: If no cards have been saved for this user, the API returns {"status":0, "msg":"Card not found."}. Cards are saved after a successful payment with store_card=1 (Model 2) or via save_payment_instrument (Model 3).

Get Payment Instrument Repeat customers only

Retrieve saved tokens with full metadata — PayU token, network token, issuer token, masked card number, card type, and expiry. Alternative to get_user_cards with richer token details.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|get_payment_instrument|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`get_payment_instrument` — fixed value for this API	`get_payment_instrument`
`var1`	Mandatory	`merchantKey:userId` — must match what was used during `save_payment_instrument`	`JPg****f:customer1`
`hash`	Mandatory	`sha512(key\|get_payment_instrument\|var1\|salt)`	(computed)

Merchant Key *

Merchant Salt *

User Credentials (var1) *

Get Cryptogram (TAVV)

For network token transactions processed outside PayU, retrieve the cryptogram (TAVV) needed for authentication. Call get_payment_details with var3=1 to request cryptogram.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|get_payment_details|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`get_payment_details` — fixed value for this API	`get_payment_details`
`var1`	Mandatory	User credentials: `merchantKey:userId`	`JPg****f:customer1`
`var2`	Mandatory	Card token (`cardToken`) from Get Payment Instrument / Get User Cards response	`abc123tokenxyz`
`var3`	Mandatory	Transaction amount (e.g. `10`)	`10`
`var4`	Mandatory	Currency code (default: `INR`). Left blank defaults to INR.	`INR`
`var5`	Mandatory	Token type: `NETWORK` or `PAYU`. Left blank defaults to PAYU.	`NETWORK`
`hash`	Mandatory	`sha512(key\|get_payment_details\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *

PayU Token (var2) * Select from dropdown (populated after Get Payment Instrument or Get User Cards) or enter manually.

Amount (var3) *Amount for cryptogram generation (e.g. 1)

Currency (var4) (optional)Currency code. Default: INR

Token Type (var5) (optional) Token type for cryptogram: NETWORK or PAYU

Get User Cards API PayU Token only

Retrieve all saved (tokenized) cards for a returning customer using PayU's get_user_cards API. Returns card_token which is used as store_card_token when storecard_token_type=0.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|get_user_cards|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`a4vGC2`
`command`	Mandatory	Fixed value `get_user_cards`	`get_user_cards`
`var1`	Mandatory	User credentials: `merchantKey:userId`. Must match what was used during card save.	`a4vGC2:test_customer1`
`hash`	Mandatory	`sha512(key\|get_user_cards\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *Format: merchantKey:userId — must match what was used during card save

Payment: First-Time or Repeat with Token

For first-time, send plain card details (token will be created post-payment via save_payment_instrument). For repeat, choose between PayU token, network token, or issuer token.

Generate Payment Hash

Hash Formula for Model 3 _payment API

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Field	Description	Example
`key`	Merchant Key provided by PayU	a4vGC2
`txnid`	Your unique transaction ID	TXN_1234567890
`amount`	Transaction amount	10.00
`productinfo`	Product description	Test Product
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`udf1–udf5`	User-defined fields — pass empty string if not used	(empty)
`\|\|\|\|\|\|`	Six pipes for empty udf6–udf10 (always required)	\|\|\|\|\|\|
`salt`	Merchant Salt — never expose to client	hKvGJP28d2...

⚠ Security Rules:

Hash MUST be generated server-side — never expose your Salt on the client/browser
Empty UDF fields must remain as empty strings (not omitted) in the hash string
The |||||| (six pipes) between udf5 and salt are for empty udf6–udf10 and are always required

Not included in hash: store_card_token, storecard_token_type, user_credentials, additional_info, ccnum, ccvv, ccexpmon, ccexpyr, txn_s2s_flow, pg, bankcode, surl, furl — token type, card details, and S2S parameters are sent separately but are not part of the hash. The hash remains identical for PayU, Network, and Issuer tokens.

In this Integration Lab: The hash is auto-computed client-side for testing convenience. In production, always compute the hash on your server.

Payment API — First-Time (Plain Card Details)

Process the transaction with full card details. After payment succeeds, call save_payment_instrument in Post-Payment phase to create the token. Unlike Model 2, no store_card or user_credentials parameter is needed during payment — tokenization happens explicitly via a separate API call.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`txnid`	Mandatory	Unique transaction ID generated by the merchant	`ypl938459435`
`amount`	Mandatory	Payment amount (e.g. `10.00`)	`10.00`
`productinfo`	Mandatory	Brief description of the product	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email address	`test@gmail.com`
`phone`	Mandatory	Customer phone number	`9876543210`
`pg`	Mandatory	`CC` for Credit Card	`CC`
`bankcode`	Mandatory	Card bank code (e.g. `CC`, `AMEX`)	`CC`
`ccnum`	Mandatory	Full card number (13–19 digits, validated with LUHN)	`5123456789012346`
`ccname`	Mandatory	Name on card as entered by the customer	`Test User`
`ccvv`	Mandatory	3-digit CVV (4-digit CID for AMEX)	`123`
`ccexpmon`	Mandatory	Card expiry month in MM format	`05`
`ccexpyr`	Mandatory	Card expiry year in YYYY format	`2030`
`surl`	Mandatory	Success URL — PayU redirects here on success	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL — PayU redirects here on failure	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash (see Generate Payment Hash step)	(computed)
`txn_s2s_flow`	Mandatory	`4` — enables S2S JSON response format	`4`
`s2s_client_ip`	Mandatory	Customer’s IP address	`10.200.12.12`
`s2s_device_info`	Mandatory	Customer’s User-Agent string	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`user_credentials`	Optional	`merchantKey:userId` — not required for Model 3 first-time (tokenization is done via `save_payment_instrument`)	`JPg****f:customer1`
`address1`, `address2`	Optional	Billing address (recommended for fraud detection)	123 Main Street
`city`, `state`, `country`, `zipcode`	Optional	Billing address details	Mumbai, MH, India, 400004
`udf1`–`udf5`	Optional	User-defined fields for additional transaction info	—

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Card Number *

Name on Card *

Expiry Month *

Expiry Year *

CVV *

PG *

Bank Code (bankcode) *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Optional Parameters (included in request only if filled)

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Payment API — Repeat with PayU Token

Send the PayU token from get_payment_instrument instead of full card details. Customer only enters CVV.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`txnid`	Mandatory	Unique transaction ID	`ypl938459435`
`amount`	Mandatory	Payment amount	`10.00`
`productinfo`	Mandatory	Product description	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email	`test@gmail.com`
`phone`	Mandatory	Customer phone	`9876543210`
`surl` / `furl`	Mandatory	Success / Failure callback URLs	https://test.payu.in/admin/test_response
`store_card_token`	Mandatory	PayU token from `get_payment_instrument` or `get_user_cards`	`abc123tokenxyz`
`user_credentials`	Mandatory	`merchantKey:userId` — mandatory for PayU Token payments	`JPg****f:customer1`
`storecard_token_type`	Mandatory	`0` (PayU Token)	`0`
`txn_s2s_flow`	Mandatory	`4` — S2S JSON response	`4`
`s2s_client_ip`	Mandatory	Customer’s IP address	`10.200.12.12`
`s2s_device_info`	Mandatory	Customer’s User-Agent string	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`pg`	Mandatory	`CC`	`CC`
`bankcode`	Mandatory	`CC`	`CC`
`hash`	Mandatory	SHA-512 hash	(computed)
`ccvv`	Optional	CVV — optional for saved card transactions	`123`

Mandatory Parameters

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Store Card Token * Select from dropdown (populated from Get Payment Instrument or Get User Cards) or enter manually.

CVV (Optional)

User Credentials *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Payment API — Repeat Customer

Send a repeat payment using a stored token. Choose the token type below: PayU Token (from Get User Cards), Network Token (from Get Cryptogram), or Issuer Token.

POST https://test.payu.in/_payment

Content-Type: application/x-www-form-urlencoded

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`txnid`	Mandatory	Unique transaction ID	`ypl938459435`
`amount`	Mandatory	Payment amount	`10.00`
`productinfo`	Mandatory	Product description	`iPhone`
`firstname`	Mandatory	Customer first name	`Ashish`
`email`	Mandatory	Customer email	`test@gmail.com`
`phone`	Mandatory	Customer phone	`9876543210`
`pg`	Mandatory	`CC`	`CC`
`bankcode`	Mandatory	`CC`	`CC`
`surl`	Mandatory	Success URL	https://test.payu.in/admin/test_response
`furl`	Mandatory	Failure URL	https://test.payu.in/admin/test_response
`hash`	Mandatory	SHA-512 hash	(computed)
`storecard_token_type`	Mandatory	`0` = PayU Token \| `1` = Network Token \| `2` = Issuer Token	`0`
`store_card_token`	Mandatory	Token value: PayU token / Network DPAN / Issuer token value	`abc123tokenxyz`
`txn_s2s_flow`	Mandatory	`4` — S2S JSON response	`4`
`s2s_client_ip`	Mandatory	Customer’s IP address	`10.200.12.12`
`s2s_device_info`	Mandatory	Customer’s User-Agent string	Mozilla/5.0 (Windows NT 10.0; Win64; x64)
`user_credentials`	Conditional	`key:customerId` — mandatory when `storecard_token_type=0`. Optional for Network/Issuer.	`JPg****f:customer1`
`additional_info`	Conditional	JSON with TAVV, TRID, last4Digits — mandatory when `storecard_token_type=1` or `2`	`{"tavv":"...","trid":"..."}`
`ccexpmon` / `ccexpyr`	Conditional	Token expiry month/year — required for Network & Issuer tokens	`05` / `2030`
`ccvv`	Optional	CVV — optional for saved card / token transactions	`123`
`address1`, `address2`	Optional	Billing address (recommended for fraud detection)	123 Main Street
`city`, `state`, `country`, `zipcode`	Optional	Billing address details	Mumbai, MH, India, 400004
`udf1`–`udf5`	Optional	User-defined fields for additional transaction info	—

📚 Which API to use for each Token Type?

Token Type	APIs to Call (in order)	Token Source
`0` — PayU Token	Get User Cards API `(get_user_cards)`	Use `card_token` from Get User Cards response as `store_card_token`
`1` — Network Token	Get Payment Instrument `(get_payment_instrument)` → Get Cryptogram / TAVV `(get_payment_details)`	Use `network_token` from Cryptogram response as `store_card_token`, plus `tavv`, `last4Digits` in `additional_info`
`2` — Issuer Token	Get Payment Instrument `(get_payment_instrument)` → Get Cryptogram / TAVV `(get_payment_details)`	Use `issuer_token.token_value` from Cryptogram response as `store_card_token`, plus `trMerchantId`, `tokenReferenceId`, `tokenBank`, `last4Digits` in `additional_info`

Tip: For Network & Issuer Tokens, you must first call Get Payment Instrument to get the card_token, then call Get Cryptogram (TAVV) with that token to obtain the TAVV/cryptogram data needed for payment. For PayU Token, simply call Get User Cards API — the card_token in the response is your Store Card Token.

Mandatory Parameters

Token Type (storecard_token_type) *

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

First Name *

Email *

Phone *

Store Card Token * Network token DPAN from get_payment_details

User Credentials (key:customerId)Optional for Network/Issuer token

PG *

Bank Code (bankcode) *

Success URL (surl) *

Failure URL (furl) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

Conditional Parameters

Network Token: Get the token, TAVV, TRID and expiry from Get Cryptogram (get_payment_details). additional_info JSON is mandatory.

Token Expiry Month (ccexpmon)

Token Expiry Year (ccexpyr)

Last 4 Digits (original card)

TAVV / Cryptogram *

TRID (Token Requestor ID)

Token Reference No

Issuer Token (storecard_token_type=2): Used when the card is a Diners (DINR) or issuer-provisioned token. All fields below are mandatory. The additional_info JSON must contain: trMerchantId, tokenReferenceId, tokenBank, last4Digits.

Parameter	Description	Source
`store_card_token`	Issuer token value	`details.issuer_token.token_value` from Cryptogram API
`ccexpmon`	Issuer token expiry month	`issuer_token.token_exp_mon`
`ccexpyr`	Issuer token expiry year	`issuer_token.token_exp_yr`
`additional_info.trMerchantId`	Wibmo Merchant ID	`details.wibmoMerchantId`
`additional_info.tokenReferenceId`	Token reference ID	`details.token_refernce_id`
`additional_info.tokenBank`	Issuing bank name	e.g. `HDFC`
`additional_info.last4Digits`	Last 4 digits of original card	`details.card_no` (last 4)

Token Expiry Month (ccexpmon) *

Token Expiry Year (ccexpyr) *

Last 4 Digits *From details.card_no (last 4 chars)

trMerchantId *Wibmo Merchant ID from Cryptogram response

tokenReferenceId *Token reference ID from Cryptogram response

tokenBank *Issuing bank name (e.g. HDFC, ICICI)

Optional Parameters (included in request only if filled)

Address Line 1

Address Line 2

City

State

Country

Zipcode

UDF1

UDF2

UDF3

UDF4

UDF5

Handle 3DS Authentication / Submit OTP

After the payment API call, check binData.pureS2SSupported in the response to determine how the customer completes 3DS authentication:

⏳ Waiting for payment response… Send a payment request in the previous step. The authentication options will appear here automatically.

① Native OTP — Submit OTP API

How it works: Your server sends the customer’s OTP to PayU via the ResponseHandler.php endpoint. The customer stays on your checkout page throughout — no redirects.

POST https://test.payu.in/ResponseHandler.php | Submit OTP

Parameter	Description	Value
`referenceId`	Unique reference from payment response — auto-filled from `metaData.referenceId`	Auto-filled
`otp`	OTP entered by the customer on your page	Test: `123456`
`data`	Must include `payuPureS2S` flag	`{"payuPureS2S":"1"}`

Mandatory Parameters

Reference ID *From metaData.referenceId in the payment response

OTP *Test environment OTP: 123456

② Pay on Bank Page — 3DS Redirect

⚠ No ACS template received yet. This will load automatically after you send the payment request in the previous step.

🔒 ACS Template Decode Guide

The acsTemplate is a Base64-encoded HTML string. Decode it to get the bank redirect form.

▼ How to Decode Base64 acsTemplate

// JavaScript – Decode Base64 acsTemplate
const acsTemplate = response.result.acsTemplate;
const decodedHtml = atob(acsTemplate);

// Open decoded HTML in popup window
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

Decoded HTML Structure:

<html><body>
<form name="payment_post" action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="txnAmount" value="1.00">
  <input type="hidden" name="txnRefId" value="MANDATE_xxx">
  <input type="hidden" name="ibibo_code" value="ICICENCC">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

Post-Payment: Verify, Save Token & Manage

After a first-time payment, verify the transaction and save the card as a token using save_payment_instrument. For ongoing management, edit or delete tokens as needed.

Verify Payment API

Confirm the transaction status server-side. Always verify before trusting callback data. Supports verifying multiple transactions by passing pipe-separated txnid values.

POST https://test.payu.in/merchant/postservice

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|verify_payment|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`verify_payment` — fixed value for this API	`verify_payment`
`var1`	Mandatory	Transaction ID(s) — multiple txnids separated by pipe (`\|`)	`TXN_001`
`hash`	Mandatory	`sha512(key\|verify_payment\|var1\|salt)`	(computed)

Transaction ID *

Save Payment Instrument (Tokenize Card) First-time only

After a successful first-time payment, explicitly create a token by calling save_payment_instrument (also referred to as save_user_card). This returns the PayU reference ID and network/issuer tokens.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|save_payment_instrument|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`a4vGC2`
`command`	Mandatory	Fixed value `save_payment_instrument`	`save_payment_instrument`
`var1`	Mandatory	User credentials: `merchantKey:userId`	`a4vGC2:test1`
`var2`	Mandatory	Name/label for the card (card nickname)	`My HDFC Visa`
`var3`	Mandatory	PG value — payment gateway type	`CC`
`var4`	Mandatory	Bank code	`CC`
`var5`	Mandatory	Cardholder name	`Test User`
`var6`	Mandatory	Full card number (13–19 digits)	`5123456789012346`
`var7`	Mandatory	Expiry month (MM)	`05`
`var8`	Mandatory	Expiry year (YYYY)	`2030`
`var9`	Conditional	Network auth reference — mandatory for Rupay/Amex cards	—
`var10`	Conditional	AFA consent — mandatory for Visa/MC/Diners (`true`/`false`)	`true`
`var11`	Conditional	Card tokenization consent — mandatory for Visa/MC/Diners (`true`/`false`)	`true`
`hash`	Mandatory	`sha512(key\|save_payment_instrument\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *

Card Name (var2) *

PG (var3) * Payment gateway type

Bank Code (var4) * Bank code for the card type

Card Holder Name (var5) *

Card Number (var6) *

Expiry Month (var7) *

Expiry Year (var8) *

AFA Consent (var10)

Tokenization Consent (var11)

PCI-DSS Compliance Required

You must be PCI-DSS compliant to use Model 3 as you handle raw card details in API calls.

Delete Payment Instrument (Delete Saved Card)

Remove a saved token when the customer revokes consent or the card expires. Use delete_payment_instrument (or delete_user_card) API.

POST https://test.payu.in/merchant/postservice.php?form=2

Content-Type: application/x-www-form-urlencoded

Hash: sha512(key|delete_payment_instrument|var1|salt)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU	`JPg****f`
`command`	Mandatory	`delete_payment_instrument` — fixed value for this API	`delete_payment_instrument`
`var1`	Mandatory	User credentials: `merchantKey:userId`	`JPg****f:customer1`
`var2`	Mandatory	Card token (`cardToken`) to delete	`abc123tokenxyz`
`var3`	Optional	Network token value (if deleting specific network token)	—
`var4`	Optional	Issuer token value (if deleting specific issuer token)	—
`hash`	Mandatory	`sha512(key\|delete_payment_instrument\|var1\|salt)`	(computed)

Mandatory Parameters

Merchant Key *

Merchant Salt *

User Credentials (var1) *

Token to Delete (var2) * Select from dropdown (populated after Get Payment Instrument or Get User Cards) or enter manually.

Optional Parameters

Network Token (var3) (optional)Optional — specify to delete a specific network token

Issuer Token (var4) (optional)Optional — specify to delete a specific issuer token

ACS Template Decoder

Decode and inspect the acsTemplate returned by PayU’s payment API for 3D Secure authentication.

What is `acsTemplate`?

When you make a card payment via S2S (server-to-server), PayU returns an acsTemplate in the response. This is a base64-encoded HTML page that, when decoded and rendered in the browser, auto-submits a form to redirect the customer to the bank’s 3DS (3D Secure) authentication page where they enter their OTP.

When do you get it?

S2S Payment
Any _payment API call

Response field
result.acsTemplate

Encoding
Base64 string

How 3DS Redirect Works

①

Payment API Call

You send _payment request with card details. PayU processes and returns response with acsTemplate.

②

Decode Base64

The acsTemplate is a base64-encoded HTML string. Decode it using atob() in JS or base64_decode() in PHP.

③

Render HTML

Write the decoded HTML to a new browser window or page. The HTML contains an auto-submitting form that redirects to the bank.

④

Bank 3DS Page

Customer enters OTP on the bank’s page. After authentication, the bank redirects back to your surl/furl.

Try It — Decode ACS Template

Paste the raw acsTemplate value (base64 string) from the payment API response below.

ACS Template (base64) *

✓ Decoded HTML

Extracted Details

Code Samples — Decode & Render

// JavaScript — Decode and open in new window
var acsBase64 = response.result.acsTemplate;

// Step 1: Decode from Base64
var decodedHtml = atob(acsBase64);

// Step 2: Open in a new browser window/tab
var win = window.open('', '_blank');
win.document.open();
win.document.write(decodedHtml);
win.document.close();
// The HTML auto-submits a form → redirects to bank 3DS page

// PHP — Decode and render to browser
$acsBase64 = $response['result']['acsTemplate'];

// Step 1: Decode from Base64
$decodedHtml = base64_decode($acsBase64);

// Step 2: Output directly to browser (auto-submits to bank)
header('Content-Type: text/html; charset=UTF-8');
echo $decodedHtml;
exit;

# Python (Flask) — Decode and return as HTML response
import base64
from flask import Response

acs_base64 = response['result']['acsTemplate']

# Step 1: Decode from Base64
decoded_html = base64.b64decode(acs_base64).decode('utf-8')

# Step 2: Return as HTML response (auto-submits to bank)
return Response(decoded_html, content_type='text/html')

// Java (Spring Boot) — Decode and write to response
String acsBase64 = response.getResult().getAcsTemplate();

// Step 1: Decode from Base64
byte[] decodedBytes = Base64.getDecoder().decode(acsBase64);
String decodedHtml = new String(decodedBytes, StandardCharsets.UTF_8);

// Step 2: Write HTML to HttpServletResponse
httpResponse.setContentType("text/html;charset=UTF-8");
httpResponse.getWriter().write(decodedHtml);
httpResponse.getWriter().flush();

⚠ Important Notes

Do NOT render in iframe — Bank pages set X-Frame-Options: DENY, blocking iframe embedding. Always use window.open() or render on a full page.
Auto-submit form — The decoded HTML contains a <form> with a <script> that auto-submits. You do not need to manually submit anything.
Callback URLs — After 3DS, the bank redirects to your surl (success) or furl (failure). Ensure these are set correctly in the payment request.
pureS2SSupported — If binData.pureS2SSupported = true, you can also use the Native OTP method (Submit OTP API) instead of rendering the ACS template. Both options work.
Always present — The acsTemplate is returned in S2S flows regardless of pureS2SSupported value. It’s the universal fallback for 3DS authentication.

Getting Started
⚡ Choose Your Flow
NB One-Time Payment ▼
1 Prerequisite for NB
2 Initiate Payment
3 Handle Response
4 Validate / Verify
NB Mandate (eNACH) ▼
1 Register Mandate
2 Handle Response
3 Validate Status
4 Execute Debit
NB TPV ▼
1 Init TPV Payment
2 Handle Response
3 Validate / Verify
Tools & Utilities ▼
# Hash Generator
📋 Bank Codes Reference

Merchant Config

Key

Salt

Choose Your Integration Flow

Select the Net Banking product you want to integrate. Each card walks you through the complete flow — from initiation to verification.

NB One-Time Payment

Accept single Net Banking payments. Customer selects bank, authenticates via OTP, and completes payment.

Prerequisite→ Initiate→ Bank Auth→ Verify

Start Flow →

🔄

NB Mandate (eNACH)

Start Flow →

🛡

NB TPV (Third Party Validation)

Validate payments originate from a specific bank account. Required for mutual funds, stock trading, and KYC flows.

Beneficiary→ Initiate→ Bank Validates→ Verify

Start Flow →

🔧

Tools & Utilities

Hash generator, bank codes reference, and active bank status checker for Net Banking integration.

Hash Gen• Bank Codes• Bank Status

Open Tools →

🏦

Quick Start: Test Net Banking Payment

Use bankcode=TESTPGNB (Test Bank) for sandbox testing. Click "NB One-Time Payment" above to try it now.

Quick links: One-Time Payment Check Bank Status Bank Codes

API Reference

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	Unique transaction ID (max 25 chars)	NB_unique123
`amount`	Mandatory	Transaction amount in INR	100.00
`productinfo`	Mandatory	Product/service description	Test Product
`firstname`	Mandatory	Customer's first name	John
`email`	Mandatory	Customer's email address	john@email.com
`phone`	Mandatory	Customer's phone number	9876543210
`surl`	Mandatory	Success callback URL	https://yoursite.com/success
`furl`	Mandatory	Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	Bank code from getNetbankingStatus API	TESTPGNB
`txn_s2s_flow`	Mandatory	S2S flow identifier — fixed `4`	4
`s2s_client_ip`	Conditional	Source IP of the customer. Required for S2S flow	10.200.12.12
`s2s_device_info`	Conditional	Customer agent's device information. Required for S2S flow	Mozilla/5.0
`udf1`	Optional	User-defined field 1
`udf2`	Optional	User-defined field 2
`udf3`	Optional	User-defined field 3
`udf4`	Optional	User-defined field 4
`udf5`	Optional	User-defined field 5

Hash Formula

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Example:
sha512(a4vGC2|NB_unique123|100.00|Test Product|John|john@email.com|||||||||||YourSaltHere)

⚠ acsTemplate Handling

When PayU returns the acsTemplate, you must:

Base64 decode the acsTemplate value
Write the decoded HTML to a new browser window/tab
The HTML auto-submits a form that redirects to the bank
After bank authentication, customer is redirected to your SURL/FURL

Quick links: One-Time Payment Check Bank Status Bank Codes Verify Payment

Bank Selection Page

Overview

This demonstrates how a merchant-hosted checkout presents the bank selection UI to customers. In a seamless (S2S) integration, you build this page — the customer picks their bank here, and you pass the corresponding bankcode to the _payment API.

💡 How it works

1. Fetch live bank availability using getNetbankingStatus API → 2. Render available banks as a selection grid → 3. Customer selects a bank → 4. Pass bankcode in the _payment API call

Axis BankAXIB

✓

HDFC BankHDFB

✓

ICICI BankICIB

✓

State Bank of IndiaSBIB

✓

Yes BankYESB

✓

Karnataka BankKTKB

✓

IndusInd BankINDB

✓

CitibankCITI

✓

Punjab National BankPNBB

✓

Bank of IndiaBKID

✓

Union Bank of IndiaUNIB

✓

Canara BankCABB

✓

Bank of BarodaBARB

✓

Indian Overseas BankIOBA

✓

Indian BankIDIB

✓

Federal BankFDRL

✓

SVC Co-operative BankSVCB

✓

DCB BankDCBB

✓

Test Bank (Sandbox)TESTPGNB

✓

💻 Integration Code Pattern

In your production checkout, you would:

Merchant-Hosted Bank Selection (Example)

// 1. Fetch available banks from PayU
fetch('/proxy.php', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    endpoint: 'postservice',
    method: 'POST',
    params: { key: merchantKey, command: 'getNetbankingStatus', var1: '', hash: hash }
  })
})
.then(res => res.json())
.then(data => {
  // 2. Render bank grid from response
  const banks = data.response; // array of bank objects
  banks.forEach(bank => {
    // Create clickable bank card with bank.bankcode, bank.title, bank.status
  });
});

// 3. On bank selection, pass bankcode to _payment API
function onBankSelected(bankcode) {
  paymentPayload.pg = 'NB';
  paymentPayload.bankcode = bankcode;
  // Send _payment request with the selected bank...
}

Step 1: Initiate Net Banking Payment

📕 Documentation

🔗 Netbanking Integration Guide

Overview

Initiate a Net Banking payment using the _payment API with pg=NB and the appropriate bank code. The response contains an acsTemplate (base64 HTML) that you decode and render to redirect the customer to their bank's login page.

Prerequisites

✓

Merchant Key & Salt
Your PayU test/production credentials

✓

Net Banking Enabled
NB payment mode enabled on your PayU account

✓

Valid Bank Code
Use getNetbankingStatus API to get active bank codes

✓

Callback URLs
Configure SURL and FURL for payment responses

How It Works

Merchant
Collects details

→

PayU API
_payment

→

Bank Page
acsTemplate

→

Customer
Authenticates

→

Callback
SURL/FURL

Step-by-Step Guide

Get active bank list

Call getNetbankingStatus API to fetch available banks and their codes.

Customer selects bank

Display available banks and let customer choose their preferred bank.

Generate hash on server

Use formula: sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

POST to PayU _payment API

Send payment request with pg=NB, bankcode, and txn_s2s_flow=4 for JSON response.

Decode acsTemplate & redirect

Base64 decode the acsTemplate and render it to redirect customer to bank.

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	Unique transaction ID (max 25 chars)	NB_1234567890
`amount`	Mandatory	Transaction amount in INR	100.00
`productinfo`	Mandatory	Product/service description	Test Product
`firstname`	Mandatory	Customer's first name	John
`email`	Mandatory	Customer's email address	john@example.com
`phone`	Mandatory	Customer's phone number	9876543210
`surl`	Mandatory	Success callback URL	https://yoursite.com/success
`furl`	Mandatory	Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	Bank code from getNetbankingStatus API	TESTPGNB
`txn_s2s_flow`	Mandatory	S2S flow identifier — fixed `4`	4
`s2s_client_ip`	Conditional	Source IP of the customer. Required for S2S flow	10.200.12.12
`s2s_device_info`	Conditional	Customer agent's device information	Mozilla/5.0
`udf1`	Optional	User-defined field 1
`udf2`	Optional	User-defined field 2
`udf3`	Optional	User-defined field 3
`udf4`	Optional	User-defined field 4
`udf5`	Optional	User-defined field 5

Hash Formula

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

Example:
sha512(a4vGC2|NB_123456|100.00|Test Product|John|john@example.com|||||||||||YourSaltHere)

Sample Response

Success Response (JSON)

{
  "metaData": {
    "message": null,
    "referenceId": "abc123...",
    "statusCode": null,
    "txnId": "NB_123456",
    "txnStatus": "pending",
    "unmappedStatus": "pending"
  },
  "result": {
    "acsTemplate": "PGh0bWw+Li4uPC9odG1sPg==",  // Base64 encoded bank redirect page
    "otpPostUrl": "https://test.payu.in/ResponseHandler.php"
  }
}

Try It — Send Real Request

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

Bank Code * Select from dropdown or enter custom code. Use getNetbankingStatus API for all codes.

First Name *

Email *

Phone *

SURL (Success URL) *

FURL (Failure URL) *

✓ Callback URL: Using Integration Lab's callback page for formatted response display with hash verification.

S2S Parameters Conditional

Client IP (s2s_client_ip)

Device Info (s2s_device_info)

User Defined Fields Optional

udf1

udf2

udf3

udf4

udf5

Step 2: Handle Response & Redirect to Bank

Payment Successful!

Your payment has been completed successfully

🛡

Reverse Hash Verification: SUCCESS ✓

Payment authenticity confirmed. Hash matches perfectly.

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Request Parameters

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	String — Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	String — Unique transaction ID (max 25 chars)	NB_1234567890
`amount`	Mandatory	String — Transaction amount in INR	100.00
`productinfo`	Mandatory	String — Product/service description	Test Product
`firstname`	Mandatory	String — Customer’s first name	John
`email`	Mandatory	String — Customer’s email address	john@example.com
`phone`	Mandatory	String — Customer’s phone number	9876543210
`surl`	Mandatory	String — Success callback URL	https://yoursite.com/success
`furl`	Mandatory	String — Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	String — SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	String — Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	String — Bank code from getNetbankingStatus API	TESTPGNB
`txn_s2s_flow`	Mandatory	String — S2S flow identifier — fixed `4`	4
`s2s_client_ip`	Conditional	String — Source IP of the customer (required for S2S)	10.200.12.12
`s2s_device_info`	Conditional	String — Customer agent’s device information	Mozilla/5.0
`udf1`	Optional	String — User-defined field 1
`udf2`	Optional	String — User-defined field 2
`udf3`	Optional	String — User-defined field 3
`udf4`	Optional	String — User-defined field 4
`udf5`	Optional	String — User-defined field 5

Response Parameters

Parameter	Description	Example
`metaData.txnId`	String — Your original transaction ID	NB_1234567890
`metaData.txnStatus`	String — Transaction status — `pending` means awaiting bank auth	pending
`metaData.unmappedStatus`	String — Raw status from payment gateway	pending
`metaData.referenceId`	String — PayU internal reference for this transaction	abc123...
`result.acsTemplate`	String — Base64-encoded HTML containing auto-submit form to redirect customer to bank	PGh0bWw+Li4u...
`result.otpPostUrl`	String — PayU response handler URL (used internally by bank redirect)	https://test.payu.in/ResponseHandler.php

Callback Parameters (POST to surl/furl)

Parameter	Description	Example
`status`	Transaction status — `success` or `failure`	success
`mihpayid`	PayU’s unique transaction reference ID	10731087875
`mode`	Payment mode — `NB` for Net Banking	NB
`txnid`	Your original transaction ID	NB_1234567890
`amount`	Transaction amount	100.00
`bankcode`	Bank code used for the payment	TESTPGNB
`bank_ref_num`	Bank reference number	YESB00000...
`unmappedstatus`	Detailed status — `captured` for successful payment	captured
`field9`	Payment gateway response message	Transaction Completed Successfully

Overview

After calling the _payment API, you receive an acsTemplate (base64-encoded HTML). Decode and render this to redirect the customer to their bank's login page for authentication.

Response Handling Flow

1Receive acsTemplate

→

2Base64 Decode

→

3Render HTML

→

4Customer Auth at Bank

Code Example: Decode & Redirect

JavaScript - Open Bank Page

// After receiving _payment API response
const response = await payuApiResponse;

if (response.result && response.result.acsTemplate) {
    // Decode base64 acsTemplate
    const html = atob(response.result.acsTemplate);
    
    // Option 1: Open in new window
    const win = window.open('', '_blank');
    win.document.write(html);
    win.document.close();
    
    // Option 2: Redirect in same window
    // document.open();
    // document.write(html);
    // document.close();
}

PHP - Server-side Redirect

<?php
$response = json_decode($payuResponse, true);

if (isset($response['result']['acsTemplate'])) {
    $html = base64_decode($response['result']['acsTemplate']);
    echo $html;
    exit;
}
?>

After Bank Authentication

What happens next?

After the customer completes authentication at the bank:

Redirect: PayU redirects customer to your surl (success) or furl (failure) with POST parameters
Webhook: PayU sends payment notification to your webhook URL (if configured)
Validate: Verify the payment using verify_payment API (recommended)

⚠ Test Bank Behavior

The test bank simulator (TESTPGNB) auto-completes the payment instantly. You may see "Transaction is already in terminal state" — this is normal and means the payment was processed successfully.

Step 3: Validate / Verify Payment

Overview

After the customer completes payment on the bank page and is redirected back, use the verify_payment API to confirm the transaction status. This is the authoritative source of payment status and should always be used to determine the final state.

Prerequisites

✓

Merchant Key & Salt
Your PayU credentials

✓

Transaction ID
The txnid from the payment you want to verify

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `verify_payment`	verify_payment
`var1`	Mandatory	Transaction ID to verify	NB_123456
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

sha512(key|command|var1|salt)

Example:
sha512(a4vGC2|verify_payment|NB_123456|YourSaltHere)

Sample Response

Success Response

{
  "status": 1,
  "msg": "Transaction Fetched Successfully",
  "transaction_details": {
    "NB_123456": {
      "mihpayid": "403993715525331373",
      "mode": "NB",
      "status": "success",
      "unmappedstatus": "captured",
      "key": "a4vGC2",
      "txnid": "NB_123456",
      "amount": "100.00",
      "bank_ref_num": "450699821592111537",
      "bankcode": "TESTPGNB",
      "error": "E000",
      "error_Message": "No Error"
    }
  }
}

Try It — Send Real Request

Merchant Key *

Merchant Salt *

Transaction ID *

Normal Refund

Overview

Use the cancel_refund_transaction API to initiate a refund for a successful Net Banking transaction. You'll need the mihpayid from the original transaction response.

Prerequisites

✓

Successful Transaction
A captured/successful Net Banking transaction

✓

mihpayid
PayU's unique transaction ID from the payment response

✓

Unique Token ID
Your unique identifier for this refund request

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `cancel_refund_transaction`	cancel_refund_transaction
`var1`	Mandatory	PayU transaction ID (mihpayid)	403993715537135556
`var2`	Mandatory	Unique token/reference ID for refund	REFUND_123456
`var3`	Mandatory	Refund amount (can be partial)	500.00
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

sha512(key|command|var1|salt)

Example:
sha512(a4vGC2|cancel_refund_transaction|403993715537135556|YourSaltHere)

Sample Response

Success Response

{
  "status": 1,
  "msg": "Refund Request Queued",
  "request_id": "10825083",
  "bank_ref_num": null,
  "mihpayid": "403993715537135556",
  "refund_amount": "500.00"
}

Important Notes

Refunds are processed asynchronously and may take 5-7 business days
Use check_action_status API to track refund status
Partial refunds are supported - specify the amount in var3

Try It — Send Refund Request

Merchant Key *

Merchant Salt *

PayU Transaction ID (mihpayid) *

Unique Refund Token ID *

Refund Amount *

Check Refund Status

After initiating a refund, use check_action_status to track its progress.

Merchant Key *

Merchant Salt *

Request ID (from refund response) *

Split Refund

Overview

Split Refund allows you to refund a split payment transaction where the original payment was distributed among multiple merchants/aggregators. You can refund the entire split amount or partial amounts to specific split recipients.

Prerequisites

✓

Split Payment Transaction
A successful split payment transaction

✓

mihpayid
PayU's unique transaction ID from the split payment

✓

Split Details
Original split merchant IDs and amounts

Required Parameters for API

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `cancel_refund_transaction`	cancel_refund_transaction
`var1`	Mandatory	PayU transaction ID (mihpayid)	403993715537135556
`var2`	Mandatory	Unique token/reference ID for refund	SPLIT_REFUND_123456
`var3`	Mandatory	Refund amount	500.00
`var5`	Mandatory	Split refund details JSON	{"splitInfo":[...]}
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

sha512(key|command|var1|salt)

Example:
sha512(a4vGC2|cancel_refund_transaction|403993715537135556|YourSaltHere)

Split Refund Details (var5) Format

{
  "splitInfo": [
    {
      "merchantId": "SPLIT_MERCHANT_1",
      "amount": "300.00"
    },
    {
      "merchantId": "SPLIT_MERCHANT_2", 
      "amount": "200.00"
    }
  ]
}

Sample Response

Success Response

{
  "status": 1,
  "msg": "Refund Request Queued",
  "request_id": "10825084",
  "bank_ref_num": null,
  "mihpayid": "403993715537135556",
  "refund_amount": "500.00",
  "split_refund_status": "queued"
}

Important Notes

Split refunds must match the original split structure
Total refund amount across all splits cannot exceed the original transaction amount
Each split merchant receives their proportional refund
Use check_action_status API to track split refund status

Try It — Send Split Refund Request

Merchant Key *

Merchant Salt *

PayU Transaction ID (mihpayid) *

Unique Refund Token ID *

Total Refund Amount *

Split Refund Details (JSON) *

Step 1: Net Banking TPV (Third Party Validation)

📕 Documentation

🔗 Net Banking TPV Integration Guide

Overview

TPV ensures that the payment originates from a specific bank account belonging to the customer. The merchant provides beneficiary details (account number + IFSC), and PayU validates that the paying account matches before processing. Used in mutual funds, stock trading, insurance, and regulated financial products.

Prerequisites

✓

Merchant Key & Salt
Your PayU credentials

✓

Beneficiary Account
Customer's verified bank account number

✓

IFSC Code
Bank IFSC code for account verification

✓

TPV Enabled
TPV feature enabled on your PayU account

TPV Payment Flow

1Collect Beneficiary

→

2Initiate Payment

→

3Bank Auth + Validate

→

4Verify

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	Unique transaction ID	TPV_123456
`amount`	Mandatory	Transaction amount in INR	100.00
`productinfo`	Mandatory	Product/service description	Mutual Fund SIP
`firstname`	Mandatory	Customer's first name	John
`email`	Mandatory	Customer's email address	john@example.com
`phone`	Mandatory	Customer's phone number	9876543210
`surl`	Mandatory	Success callback URL	https://yoursite.com/success
`furl`	Mandatory	Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	TPV-enabled bank code	SBITPV
`txn_s2s_flow`	Mandatory	S2S flow identifier — fixed `4`	4
`api_version`	Mandatory	API version for TPV — fixed `6`	6
`beneficiarydetail`	Mandatory	JSON with beneficiary account details	{"beneficiaryAccountNumber":"..."}
`s2s_client_ip`	Conditional	Source IP of the customer. Required for S2S flow	10.200.12.12
`s2s_device_info`	Conditional	Customer agent's device information	Mozilla/5.0
`udf1-udf5`	Optional	User-defined fields

beneficiarydetail JSON Structure

Field	Required	Description	Example
`beneficiaryAccountNumber`	Mandatory	Customer's bank account number	9876543210123456789
`ifscCode`	Mandatory	Bank IFSC code (11 characters)	SBIN0001234

Hash Formula (TPV with api_version=6)

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||beneficiarydetail|salt)

Note: 12 pipes between email and beneficiarydetail for api_version=6

Example:
sha512(a4vGC2|TPV_123|100.00|Mutual Fund|John|john@email.com||||||||||||{"beneficiaryAccountNumber":"9876...","ifscCode":"SBIN..."}|YourSalt)

Hash Formula

TPV Payment Hash

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||beneficiarydetail|SALT)

// beneficiarydetail is a JSON string:
// {"beneficiaryAccountNumber":"1234567890","ifscCode":"SBIN0001234"}

// Key parameters for TPV:
api_version = 6
beneficiarydetail = JSON.stringify({beneficiaryAccountNumber, ifscCode})

🏦 TPV Bank Options (Loading...)

Only showing TPV-enabled banks. Use the ibibo_code as bankcode in your payment request.

ibibo_code	Bank Name	Status
`AXNBTPV`	Axis Bank TPV	▲ Up
`HABOROTPV`	Bank of Baroda TPV	▲ Up
`BOITPV`	Bank of India TPV	▲ Up
`BOMTPV`	Bank of Maharashtra TPV	▲ Up
`ABOROTPV`	Canara Bank TPV	▲ Up
`CBOTPV`	Central Bank of India TPV	▲ Up
`CUBTPV`	City Union Bank TPV	▲ Up
`COBTPV`	Cosmos Bank TPV	▲ Up
`DCBTPV`	DCB Bank TPV	▲ Up
`DLBTPV`	Dhanlaxmi Bank TPV	▲ Up
`FEDTPV`	Federal Bank TPV	▲ Up
`HABOROTPV`	HDFC Bank TPV	▲ Up
`IKIBTPV`	ICICI Bank TPV	▲ Up
`IDBTPV`	IDBI Bank TPV	▲ Up
`IDFCTPV`	IDFC First Bank TPV	▲ Up
`INBTPV`	Indian Bank TPV	▲ Up
`INDUTPV`	IndusInd Bank TPV	▲ Up
`IOBTPV`	Indian Overseas Bank TPV	▲ Up
`JKBTPV`	J&K Bank TPV	▲ Up
`KBLTPV`	Karnataka Bank TPV	▲ Up
`KVBTPV`	Karur Vysya Bank TPV	▲ Up
`KOTATPV`	Kotak Mahindra Bank TPV	▲ Up
`PNBTPV`	Punjab National Bank TPV	▲ Up
`RBLTPV`	RBL Bank TPV	▲ Up
`SBTPV`	South Indian Bank TPV	▲ Up
`SBINBTPV`	State Bank of India TPV	▲ Up
`TMBTPV`	Tamilnad Mercantile Bank TPV	▲ Up
`UBOTPV`	Union Bank of India TPV	▲ Up
`UCOTPV`	UCO Bank TPV	▲ Up
`YESBKTPV`	Yes Bank TPV	▲ Up

Try It — Send TPV Payment

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount *

Product Info *

Bank Code * Enter TPV bank code (e.g., AXNBTPV for Axis Bank)

First Name *

Email *

Phone *

🛡 Beneficiary Details (TPV Validation)

Note: You can add up to 4 beneficiary accounts. Multiple accounts should be separated by pipe (|) symbol in the same order.

Example:
Account: 919013353419388|919013353419387
IFSC: UTIB9992478|UTIB9992478

Beneficiary Account Number(s) * For multiple accounts, separate with pipe (|) - Max 4 accounts

IFSC Code(s) * For multiple IFSCs, separate with pipe (|) in same order

SURL (Success URL) *

FURL (Failure URL) *

Client IP (s2s_client_ip) *

Device Info (s2s_device_info) *

User Defined Fields Optional

udf1

udf2

udf3

udf4

udf5

Request Sent

Response Received

cURL Command

🔐 Understanding acsTemplate Response

What is acsTemplate?

The acsTemplate is a Base64-encoded HTML string that contains a self-submitting form. When decoded and rendered in the browser, it automatically redirects the customer to the bank's authentication page.

Response Fields Explained

Field	Description
`metaData.txnStatus`	"pending" — Transaction awaits bank authentication
`metaData.txnId`	Your transaction ID for tracking
`metaData.referenceId`	PayU's internal reference for this transaction
`result.acsTemplate`	Base64 encoded HTML — Must be decoded and rendered to redirect user to bank
`result.otpPostUrl`	PayU's response handler URL (used internally)

How to Decode & Render acsTemplate

JavaScript - Decode and Open Bank Page

// Step 1: Decode the Base64 string
const decodedHtml = atob(response.result.acsTemplate);

// Step 2: Open in a new popup window (Recommended)
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

// The decoded HTML contains a form that auto-submits:
// <form action="https://bank-url/..." method="post">
//   <input name="txnAmount" value="100.00">
//   <input name="txnRefId" value="TPV_xxx">
//   ...
// </form>
// <script>document.forms[0].submit();</script>

💡 Next Steps

Click "Open Bank Page" button above to render the acsTemplate
Customer completes bank authentication (login + OTP)
Bank validates that payment is from the specified beneficiary account
Customer is redirected to your surl (success) or furl (failure)
Use verify_payment API to confirm final status

💡 TPV Use Cases

Mutual Funds — SEBI mandate requires TPV for investor verification
Stock Trading — Ensure deposits come from verified demat-linked accounts
Insurance — IRDAI compliance for premium payments from policyholder's account
Loan Repayment — Verify that EMI payments originate from the borrower's account

⚠ Important Notes

TPV validation happens at the bank level — if the account doesn't match, the payment is rejected
The beneficiarydetail JSON must be included in the hash calculation
Requires api_version=6 for beneficiary detail support
Not all banks support TPV — check with your PayU KAM for supported bank list

Step 2: Handle TPV Response

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Request Parameters

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	String — Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	String — Unique transaction ID	TPV_123456
`amount`	Mandatory	String — Transaction amount in INR	100.00
`productinfo`	Mandatory	String — Product/service description	Mutual Fund SIP
`firstname`	Mandatory	String — Customer’s first name	John
`email`	Mandatory	String — Customer’s email address	john@example.com
`phone`	Mandatory	String — Customer’s phone number	9876543210
`surl`	Mandatory	String — Success callback URL	https://yoursite.com/success
`furl`	Mandatory	String — Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	String — SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	String — Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	String — TPV-enabled bank code	SBITPV
`txn_s2s_flow`	Mandatory	String — S2S flow identifier — fixed `4`	4
`api_version`	Mandatory	String — API version for TPV — fixed `6`	6
`beneficiarydetail`	Mandatory	String — JSON with beneficiary account details	{"beneficiaryAccountNumber":"..."}
`s2s_client_ip`	Conditional	String — Source IP of the customer (required for S2S)	10.200.12.12
`s2s_device_info`	Conditional	String — Customer agent’s device information	Mozilla/5.0
`udf1-udf5`	Optional	String — User-defined fields

Response Parameters

Parameter	Description	Example
`metaData.txnId`	String — Your original transaction ID	TPV_1775739737886
`metaData.txnStatus`	String — Transaction status — `pending` means awaiting bank auth	pending
`metaData.unmappedStatus`	String — Raw status from payment gateway	pending
`metaData.referenceId`	String — PayU internal reference for this transaction	cb2ccfe8ad1ea77...
`result.acsTemplate`	String — Base64-encoded HTML containing auto-submit form to redirect customer to bank	PGh0bWw+PGJv...
`result.otpPostUrl`	String — PayU response handler URL (used internally by bank redirect)	https://test.payu.in/ResponseHandler.php

Callback Parameters (POST to surl/furl)

Parameter	Description	Example
`status`	Transaction status — `success` or `failure`	success
`mihpayid`	PayU’s unique transaction reference ID	10731087875
`mode`	Payment mode — `NB` for Net Banking TPV	NB
`txnid`	Your original transaction ID	TPV_1775739737886
`amount`	Transaction amount	100.00
`bankcode`	Bank code used for the TPV payment	AXNBTPV
`bank_ref_num`	Bank reference number	YESB00000...
`unmappedstatus`	Detailed status — `captured` for successful TPV	captured
`field9`	Payment gateway response message	Transaction Completed Successfully

Overview

After calling the TPV _payment API, you receive an acsTemplate. The bank will validate the beneficiary account details (beneficiarydetail) during authentication.

🛡 TPV Validation Process

During bank authentication, the bank verifies that:

The customer is logging into the correct bank
The payment is originating from the account number you specified in beneficiaryAccountNumber
The IFSC matches the customer's bank branch

⚠ If Account Doesn't Match

If the customer tries to pay from a different account than specified in beneficiarydetail, the bank will reject the payment. This is the core security feature of TPV.

🔐 Understanding acsTemplate Response

What is acsTemplate?

Sample Response Structure

API Response with acsTemplate

{
  "metaData": {
    "message": null,
    "referenceId": "cb2ccfe8ad1ea77a30f33dfb68055a0af363b...",
    "statusCode": null,
    "txnId": "TPV_1775739737886",
    "txnStatus": "pending",        // Transaction is pending bank auth
    "unmappedStatus": "pending"
  },
  "result": {
    "acsTemplate": "PGh0bWw+PGJvZHk+PGZvcm0gbmFtZT0i...",  // Base64 encoded HTML
    "otpPostUrl": "https://test.payu.in/ResponseHandler.php"
  }
}

How to Decode acsTemplate

JavaScript - Decode Base64

// Method 1: Using atob() - Browser native
const decodedHtml = atob(response.result.acsTemplate);

// Method 2: Using Buffer - Node.js
const decodedHtml = Buffer.from(response.result.acsTemplate, 'base64').toString('utf-8');

// The decoded HTML looks like this:
<html><body>
<form name="payment_post" id="payment_post" 
      action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="merchantCode" value="SlEscuJA98">
  <input type="hidden" name="txnAmount" value="100.00">
  <input type="hidden" name="txnRefId" value="TPV_1775739737886">
  <input type="hidden" name="ibibo_code" value="AXNBTPV">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

How to Render acsTemplate (Open Bank Page)

JavaScript - Open in New Window/Popup

// Option 1: Open in a new popup window (Recommended for S2S)
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
const decodedHtml = atob(response.result.acsTemplate);
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

// Option 2: Redirect current page (if full page redirect is acceptable)
document.open();
document.write(atob(response.result.acsTemplate));
document.close();

// Option 3: Render in an iframe (for embedded experience)
const iframe = document.getElementById('bankFrame');
iframe.contentWindow.document.open();
iframe.contentWindow.document.write(atob(response.result.acsTemplate));
iframe.contentWindow.document.close();

💡 Key Points

txnStatus: "pending" — Transaction awaits bank authentication
acsTemplate — Must be decoded (Base64) and rendered in browser
otpPostUrl — PayU's handler URL (used internally by bank redirect)
The form auto-submits on load, redirecting customer to bank login
After bank auth, customer is redirected to your surl or furl

Step 3: Validate TPV Payment

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	String — Merchant salt used for hash generation (never sent in request)	mGHSxpD2iB...
`command`	Mandatory	String — API command — fixed `verify_payment`	verify_payment
`var1`	Mandatory	String — Transaction ID (`txnid`) used during TPV payment initiation	TPV_1775739737886
`hash`	Mandatory	String — SHA-512 hash — `sha512(key\|verify_payment\|var1\|salt)`	(computed)

Response Parameters

Parameter	Description	Example
`status`	Transaction status — `success` or `failure`	success
`mihpayid`	PayU’s unique transaction reference ID	10731087875
`mode`	Payment mode — `NB` for Net Banking TPV	NB
`txnid`	Your original transaction ID	TPV_1775739737886
`amount`	Transaction amount	100.00
`unmappedstatus`	Detailed status — `captured` for successful TPV payment	captured
`bankcode`	Bank code confirms the bank used matches expected bank	AXNBTPV
`bank_ref_num`	Bank reference number for the transaction	YESB00000...
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`phone`	Customer phone number	9876543210
`field9`	Payment gateway response message	Transaction Completed Successfully

Overview

After the customer completes bank authentication, use verify_payment to confirm the transaction status. For TPV transactions, the response includes additional validation details confirming that the beneficiary account was verified.

Hash Formula

Verify Payment Hash

sha512(key|command|var1|salt)
sha512(merchantKey|verify_payment|txnid|merchantSalt)

Try It — Verify TPV Transaction

Merchant Key *

Merchant Salt *

Transaction ID *

💡 What to Check in TPV Verify Response

status — "success" means payment completed and account validated
unmappedstatus — "captured" for successful TPV payment
mode — Should be "NB" for Net Banking TPV
bankcode — Confirms the bank used matches the expected bank

Step 1: Net Banking PACB (Pre-Authorize)

📕 Documentation

🔗 Pre-Authorization Guide 🔗 Capture Transaction API

Overview

PACB allows you to pre-authorize (block) funds in the customer's bank account without immediate debit. You can later capture the blocked amount fully or partially.

⚠ Activation Required: Net Banking PACB must be explicitly enabled on your PayU merchant account. Contact your PayU KAM to activate this feature.

Payment Type *

One-Time Payment

Single transaction payment

Subscription Payment

Recurring payment setup

PACB One-Time Payment

Block funds once and capture the full or partial amount. Ideal for single transactions where final amount may vary.

1Pre-Auth

→

2Bank Auth

→

3Funds Blocked

→

4Capture

Hash Formula

PACB Payment Hash

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt)

// Key parameter for PACB:
pre_authorize=1        // Enable pre-authorization mode

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	Merchant salt for hash generation (never sent in request)	hKvGJP28d2...
`txnid`	Mandatory	Unique transaction ID	PACB_123456
`amount`	Mandatory	Amount to pre-authorize (block)	500.00
`productinfo`	Mandatory	Product/service description	Hotel Booking Deposit
`firstname`	Mandatory	Customer's first name	John
`email`	Mandatory	Customer's email address	john@example.com
`phone`	Mandatory	Customer's phone number	9876543210
`surl`	Mandatory	Success callback URL	https://yoursite.com/success
`furl`	Mandatory	Failure callback URL	https://yoursite.com/failure
`hash`	Mandatory	SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	Payment gateway type — fixed `NB`	NB
`bankcode`	Mandatory	Bank code from getNetbankingStatus API	TESTPGNB
`txn_s2s_flow`	Mandatory	S2S flow identifier — fixed `4`	4
`pre_authorize`	Mandatory	Enable pre-authorization — fixed `1`	1
`api_version`	Mandatory	API version for PACB — fixed `6`	6
`s2s_client_ip`	Conditional	Source IP of the customer. Required for S2S flow	10.200.12.12
`s2s_device_info`	Conditional	Customer's device/browser info	Mozilla/5.0...
`udf1-udf5`	Optional	User-defined fields

Sample Response

Pre-Auth Success Response

{
  "metaData": {
    "message": null,
    "referenceId": "abc123...",
    "txnId": "PACB_123456",
    "txnStatus": "pending",
    "unmappedStatus": "pending"    // After bank auth: "auth" = funds blocked
  },
  "result": {
    "acsTemplate": "PGh0bWw+Li4uPC9odG1sPg==",
    "mihpayid": "403993715537135556"  // Save for capture_transaction
  }
}

Try It — Initiate PACB Pre-Authorization

Merchant Category

Select your merchant category to understand which parameters are required for your use case:

LRS Merchants: All LRS-specific parameters (lrs_service_type, lrs_mandatory_limit_declaration, lrs_tnc, lrs_tcs_declaration_under_limit, UDF1 PAN, UDF3 DOB) are MANDATORY. Enable LRS params below.

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount to Block *

Product Info *

Bank Code *

First Name *For LRS: must match PAN records exactly

Last Name *Mandatory for S2S integration

Email *

Phone *

Address Parameters (Required for S2S)

Address Line 1 *Mandatory for Merchant Hosted / S2S

Address Line 2 (Optional)Can be empty or static value

City *

State *

Country *Must be 'IN' (India) - Fixed value

Zipcode *Billing PIN/ZIP code. Mandatory for cardless EMI.

Pre-Authorize *Set to 1 for PACB flow

Buyer Type (Conditional) B2B = 1: LRS rules do NOT apply

UDF Parameters (User Defined Fields)

UDF Hash Rule: udf1 through udf5 are part of hash calculation. Even if sent as empty strings, they must be present in the hash formula:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)

UDF1 - PAN Number (MANDATORY for LRS S2S)

0/255

LRS S2S: Must be buyer's PAN. Digital/Physical: Send if AD bank requests.

UDF2 - Free Use (STATIC/SKIP)

0/255

No regulatory purpose. Can be used freely or sent empty.

UDF3 - Buyer's DOB (MANDATORY for LRS S2S)

0/255

LRS S2S: DOB as on PAN (DD-MM-YYYY). Must match PAN Status Check API result.

UDF4 - End Merchant / Passport (CONDITIONAL)

0/255

S2S: End Merchant Legal Entity Name (for Payment Aggregators). PayU Hosted: Passport number.

UDF5 - Invoice ID * (MANDATORY for all CB)

10/255

Invoice ID/Number. MANDATORY for ALL cross-border transactions.

Enable UDF Params (UDF7 & UDF8) for Import/Export Compliance

Physical Goods (PACB-Import): Include Import/Export Code & Airway Bill Number for goods imports.

Enable LRS Params for Travel & Education Merchants

LRS (Liberalised Remittance Scheme) parameters for cross-border payments. Required for Travel & Education merchants only. NOT required for Digital Services or Physical Goods (PACB-Import only).

LRS Parameters (Travel & Education Merchants Only)

⚠️ Note: LRS parameters are only required for Travel & Education merchants. For Digital Services and Physical Goods (PACB-Import only), skip these parameters. For B2B transactions (buyer_type_business = 1), ALL LRS params are NOT required.

lrs_service_type * Determines TCS rate. Must reflect actual nature of service.

tcs_amount * TCS amount to be charged. Send "0" if no TCS applies.

lrs_mandatory_limit_declaration * RBI LRS limit declaration. Must be collected on checkout page.

lrs_tnc * Buyer agrees to PayU's Terms & Conditions.

lrs_tcs_declaration_under_limit * Declaration whether buyer's remittance is under or over ₹10,00,000 in current FY.

TCS Calculation:
• education_loan: 0% TCS always
• education_non_loan / medical: 0% up to ₹10L, 5% above
• travel / others: 0% up to ₹10L, 20% above

Redirect URLs

Success URL *

43/255

Failure URL *

43/255

Client IP *

Device Info *

⚡ Simulation Mode (Enabled)

Test the full PACB flow without PayU activation. Uses realistic mock responses.

PACB Subscription Payment

Setup recurring pre-authorizations for subscription-based services. Block and capture funds on a scheduled basis.

1Register

→

2Consent

→

3Pre-Auth

→

4Capture

→

5Recurring

Subscription vs One-Time PACB

One-Time:	Single pre-auth → Single capture
Subscription:	Mandate registration → Recurring pre-auth → Scheduled captures

API Reference

Endpoint: POST https://test.payu.in/_payment

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key	a4vGC2
`txnid`	Mandatory	Unique transaction ID	PACB_SUB_123
`amount`	Mandatory	Amount to pre-authorize	1000.00
`pg`	Mandatory	Payment gateway — fixed `NB`	NB
`bankcode`	Mandatory	Bank code	TESTPGNB
`pre_authorize`	Mandatory	Enable pre-auth — fixed `1`	1
`si`	Mandatory	Standing instruction — fixed `1`	1
`si_details`	Mandatory	JSON with subscription parameters	{"billingAmount":"1000",...}
`api_version`	Mandatory	API version — fixed `7`	7
`hash`	Mandatory	SHA-512 hash	(computed)

si_details for Subscription PACB

{
  "billingAmount": "1000.00",
  "billingCurrency": "INR",
  "billingCycle": "MONTHLY",
  "billingInterval": 1,
  "paymentStartDate": "2026-05-01",
  "paymentEndDate": "2027-04-30",
  "multiCapture": "Y"          // Enable multi-capture per cycle
}

Subscription Use Cases

SaaS subscriptions - Monthly software license fees
Utility bills - Recurring electricity/water payments
Insurance premiums - Monthly/quarterly premium deductions
EMI payments - Scheduled loan installments

🛈 Note: For full subscription implementation, use the NB Mandate (eNACH) flow which provides comprehensive recurring payment management with mandate registration, status checks, and debit execution.

💡 PACB Use Cases

Hotel bookings - Block amount at check-in, capture actual charges at checkout
Car rentals - Pre-authorize deposit, capture based on actual usage
E-commerce - Block estimated amount, capture actual after shipping calculation
Service bookings - Block full amount, capture partial if service is modified

⚠ Important Notes

Pre-authorized funds are blocked for a limited period (typically 7-14 days)
You must capture before the hold expires, or funds are automatically released
You can capture full or partial amount (partial capture releases the remainder)
Save the mihpayid from response - you'll need it for capture

Step 2: Handle PACB Response

Overview

After calling the PACB _payment API with pre_authorize=1, the customer completes bank authentication. The funds are then blocked (not debited) in their account.

🔒 Pre-Authorization vs Regular Payment

Regular Payment:	`unmappedstatus = captured` (funds debited)
PACB Pre-Auth:	`unmappedstatus = auth` (funds blocked)

Step 3: Validate Pre-Authorization

Overview

Before capturing funds, verify the pre-authorization was successful. Use verify_payment API and check that unmappedstatus is "auth".

✓ Expected Response for Successful Pre-Auth

status = "success"
unmappedstatus = "auth"
mihpayid = (save this for capture)

⚠ If unmappedstatus = "captured"

This means PACB is not enabled on your account. The funds were immediately debited instead of blocked. Contact your PayU KAM to enable PACB.

Step 4: Capture PACB Funds

⚠ Before you capture: Ensure the original transaction was truly pre-authorized. Verify the transaction first — unmappedstatus must be "auth". If it shows "captured", the funds were already debited and capture will fail with "Delayed capture not allowed".

Overview

After a successful pre-authorization, use the capture_transaction API to capture (debit) the blocked funds. You can capture the full amount or a partial amount.

Capture Flow

1Get mihpayid

→

2Call capture_transaction

→

3Funds Debited

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `capture_transaction`	capture_transaction
`var1`	Mandatory	PayU transaction ID (mihpayid)	403993715537135556
`var2`	Mandatory	Unique capture request ID	CAP_123456
`var3`	Mandatory	Amount to capture (can be partial)	500.00
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

sha512(key|command|var1|salt)

Example:
sha512(a4vGC2|capture_transaction|403993715537135556|YourSaltHere)

Sample Response

Capture Success Response

{
  "status": 1,
  "msg": "Transaction captured successfully",
  "mihpayid": "403993715537135556",
  "bank_ref_num": "450699821592111537",
  "captured_amount": "500.00",
  "original_amount": "500.00"
}

Try It — Capture Pre-Authorized Funds

⚡ Simulation Mode (Enabled)

Simulate a successful capture response without real API call.

Merchant Key *

Merchant Salt *

PayU ID (mihpayid) *

Amount to Capture *

💡 Capture Options

Full Capture: Enter the full pre-authorized amount to debit everything
Partial Capture: Enter a lesser amount - the remainder is automatically released
Multiple Captures: Some banks support multi-capture (contact PayU for enablement)

Step 1: Register Net Banking Mandate (eNACH)

API Reference

Endpoint: POST https://test.payu.in/_payment (Test) | POST https://secure.payu.in/_payment (Production)

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`txnid`	Mandatory	String — Unique transaction ID generated by the merchant. PayU rejects duplicates.	MANDATE_1713200000
`amount`	Mandatory	String — Transaction amount. For eNACH, use `1.00` (actual billing amount is in si_details).	1.00
`productinfo`	Mandatory	String — Brief product description (max 100 chars)	SIP Investment
`firstname`	Mandatory	String — Customer first name (max 60 chars)	Test
`lastname`	Mandatory	String — Customer last name (max 60 chars)	User
`email`	Mandatory	String — Customer email address (max 50 chars)	test@example.com
`phone`	Mandatory	String — Customer phone number	9876543210
`surl`	Mandatory	String — Success callback URL	https://yoursite.com/callback.php
`furl`	Mandatory	String — Failure callback URL	https://yoursite.com/callback.php
`hash`	Mandatory	String — SHA-512 payment hash (auto-computed)	(computed)
`pg`	Mandatory	String — Payment gateway type — fixed `ENACH`	ENACH
`bankcode`	Mandatory	String — eNACH bank code from getNetbankingStatus API	ICICENCC
`si`	Mandatory	String — Must be `1` to enable Standing Instruction / Recurring Payment	1
`si_details`	Mandatory	String — JSON with billing cycle details (see si_details breakdown below)	(see below)
`beneficiarydetail`	Mandatory	String — JSON with beneficiary bank account details (see beneficiarydetail breakdown below)	(see below)
`api_version`	Mandatory	String — API version. Must be `7` so si_details is included in hash	7
`txn_s2s_flow`	Mandatory	Integer — S2S flow identifier — fixed `4`	4
`free_trial`	Optional	String — Enable free trial. When set to `1`, a zero-value auth is performed to register the mandate without charging the customer.	1
`udf1`	Optional	String — User-defined field 1
`udf2`	Optional	String — User-defined field 2
`udf3`	Optional	String — User-defined field 3
`udf4`	Optional	String — User-defined field 4
`udf5`	Optional	String — User-defined field 5

si_details JSON Parameters

Field	Required	Description	Example
`billingAmount`	Mandatory	String — Maximum amount for each recurring debit	1000.00
`billingCurrency`	Mandatory	String — Currency — must be `INR`	INR
`billingCycle`	Mandatory	String — Billing frequency: `DAILY`, `WEEKLY`, `MONTHLY`, `YEARLY`, or `ADHOC`	MONTHLY
`billingInterval`	Mandatory	Integer — Coupled with billingCycle. e.g. MONTHLY & 3 = charge every 3 months	1
`paymentStartDate`	Mandatory	String — Mandate start date in `YYYY-MM-DD`. For eNACH, must be tomorrow or later.	2026-04-16
`paymentEndDate`	Mandatory	String — Mandate end date in `YYYY-MM-DD`	2027-04-16

beneficiarydetail JSON Parameters

Field	Required	Description	Example
`beneficiaryName`	Mandatory	String — Account holder name as per bank records	Test User
`beneficiaryAccountNumber`	Mandatory	String — Bank account number of the customer	1234567890123456
`beneficiaryAccountType`	Mandatory	String — Account type: `SAVINGS` or `CURRENT`	SAVINGS
`beneficiaryIfscCode`	Mandatory	String — 11-digit IFSC code of the customer’s bank branch	ICIC0001234

📕 Documentation

🔗 NB Consent Transaction API 🔗 Recurring Payment (si_transaction) API

Overview

Register recurring payment mandates via eNACH (electronic National Automated Clearing House) for Net Banking. The customer authorizes a standing instruction for future debits from their bank account.

Prerequisites

✓ PayU Merchant Key & Salt

✓ eNACH enabled on your merchant account

✓ Bank that supports eNACH mandates

Hash Formula

Mandate Registration Hash

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||si_details|SALT)
// Note: 11 pipes between email and si_details, then si_details, then salt

si_details & beneficiarydetail JSON Structures

JSON Parameters

// si_details structure:
{
  "billingAmount": "1000.00",
  "billingCurrency": "INR",
  "billingCycle": "MONTHLY",
  "billingInterval": 1,
  "paymentStartDate": "2026-04-06",
  "paymentEndDate": "2027-04-06"
}

// beneficiarydetail structure (MANDATORY for Net Banking):
{
  "beneficiaryName": "Customer Name",
  "beneficiaryAccountNumber": "1234567890",
  "beneficiaryAccountType": "SAVINGS",
  "beneficiaryIfscCode": "ICIC0001234"
}

Try It — Register Mandate

Merchant Details

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Amount * Note: For eNACH payments, use transaction amount as 1.

Product Info *

Bank Code (eNACH) *

Customer Details

First Name *

Last Name *

Email *

Phone *

Beneficiary Bank Account (Required for Net Banking eNACH)

Account Holder Name *

Account Number *

Account Type *

IFSC Code *

Mandate Billing Details (si_details)

Billing Amount (Max per debit) *

Billing Interval

Billing Cycle

Free Trial (free_trial) (NB zero-value auth)

Payment Start Date * Note: For eNACH payments, select tomorrow's date.

End Date

Callback URLs

SURL (Success URL) *

FURL (Failure URL) *

User Defined Fields Optional

udf1

udf2

udf3

udf4

udf5

✓ Mandate Initiated — acsTemplate Received

The acsTemplate has been received. Click below to open the bank authentication page.

🔐 ACS Template Decode Guide

The acsTemplate is a Base64-encoded HTML string. Decode it to get the bank redirect form.

📖 How to Decode Base64 acsTemplate

// JavaScript - Decode Base64 acsTemplate

const acsTemplate = response.result.acsTemplate;
const decodedHtml = atob(acsTemplate);

// Open decoded HTML in popup window
const bankWindow = window.open('', 'BankAuth', 'width=800,height=600');
bankWindow.document.write(decodedHtml);
bankWindow.document.close();

Decoded HTML Structure:

<html><body>
<form name="payment_post" action="https://pgsim01.payu.in/initiate" method="post">
  <input type="hidden" name="merchantName" value="PAYU">
  <input type="hidden" name="txnAmount" value="1.00">
  <input type="hidden" name="txnRefId" value="MANDATE_xxx">
  <input type="hidden" name="ibibo_code" value="ICICENCC">
  <!-- ... more hidden fields ... -->
</form>
<script>
  window.onload = function() {
    document.forms['payment_post'].submit();  // Auto-submits to bank
  }
</script>
</body></html>

💡 Net Banking eNACH Notes

Amount: Use ₹0.00 for Net Banking mandate registration (no amount deducted)
pg=ENACH: Must use ENACH as payment gateway type (not NB)
beneficiarydetail: Mandatory for Net Banking - contains customer's bank account details
bankcode: Use eNACH-specific bank codes (e.g., ICICENCC, HABORENCC, SBIENCC)
The mihpayid from callback becomes your authpayuid
Mandate activation can take 24-48 hours after customer authorization
Subsequent debits are processed via execute_si API

Step 2: Handle Mandate Response

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`salt`	Mandatory	String — Merchant salt used for hash generation (never sent in request)	mGHSxpD2iB...
`command`	Mandatory	String — API command — fixed `verify_payment`	verify_payment
`var1`	Mandatory	String — Transaction ID (`txnid`) used during mandate registration in Step 1	MANDATE_1713200000
`hash`	Mandatory	String — SHA-512 hash — `sha512(key\|verify_payment\|var1\|salt)`	(computed)

Response Parameters

Parameter	Description	Example
`status`	Transaction status — `success` or `failure`	success
`mihpayid`	PayU’s unique transaction reference. Use this as `authpayuid` in subsequent steps (Check Status & Execute Debit).	10731087875
`mode`	Payment mode used	ENACH
`txnid`	Your original transaction ID	MANDATE_1713200000
`amount`	Transaction amount	1.00
`net_amount_debit`	Actual amount debited from customer	1.00
`bank_ref_num`	Bank reference number for the transaction	YESB00000...
`bankcode`	Bank code used for the eNACH mandate	ICICENCC
`firstname`	Customer first name	Test
`email`	Customer email	test@example.com
`phone`	Customer phone number	9876543210
`field9`	Payment gateway response message	Transaction Completed Successfully

Hash Formula

verify_payment Hash

sha512(key|verify_payment|txnid|salt)
// Example: sha512(a4vGC2|verify_payment|MANDATE_1713200000|YourSalt)

Overview

After the customer authorizes the mandate at their bank, PayU sends the response to your callback URL. Use verify_payment to get the mihpayid which becomes your authpayuid for future operations.

🔄 Mandate Registration Flow

Customer authorizes mandate at bank
Bank sends confirmation to NPCI
NPCI confirms to PayU (can take 24-48 hours)
Mandate becomes active for future debits

Verify Mandate Registration

Use verify_payment to confirm the mandate registration and get the mihpayid.

Merchant Key *

Merchant Salt *

Transaction ID (txnid) *

Step 3: Check Mandate Status

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	String — Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	String — API command — fixed `NB_mandate_status`	NB_mandate_status
`var1`	Mandatory	String — JSON string containing `authpayuid` and `requestId` (see var1 breakdown below)	(see below)
`hash`	Mandatory	String — SHA-512 hash — `sha512(key\|NB_mandate_status\|var1\|salt)`	(computed)

var1 JSON Parameters

Field	Required	Description	Example
`authpayuid`	Mandatory	String — The `mihpayid` received from mandate registration (Step 2 — Handle Response)	10731087875
`requestId`	Mandatory	String — A unique request identifier for this status check call	1892432156

Response Parameters

Parameter	Description	Example
`status`	String — Mandate status (see status values below)	SUCCESS
`action`	String — API action performed	NB_mandate_status
`authpayuid`	String — PayU’s unique mandate reference ID	10731087875
`amount`	String — Mandate billing amount	100.00
`mandateStartDate`	String — Mandate start date	2026-04-16
`mandateEndDate`	String — Mandate end date	2027-04-16

Overview

Use the NB_mandate_status API to verify the current state of the eNACH mandate. This helps you understand if the mandate is active and ready for debit execution.

Prerequisites

✓ authpayuid (mihpayid) from mandate registration response

✓ Unique requestId for this status check

Hash Formula

NB_mandate_status Hash

sha512(key|command|var1|salt)
sha512(merchantKey|NB_mandate_status|{"authpayuid":"...","requestId":"..."}|merchantSalt)

API Request Format

NB_mandate_status Request

// Endpoint: https://test.payu.in/merchant/postservice.php?form=2

{
  "key": "merchant_key",
  "command": "NB_mandate_status",
  "var1": "{\"authpayuid\":\"10731087875\",\"requestId\":\"1892432156\"}",
  "hash": "sha512(key|NB_mandate_status|var1|salt)"
}

Sample Response

Success Response

{
  "status": "SUCCESS",
  "action": "NB_mandate_status",
  "authpayuid": "10731087875",
  "amount": "100.00",
  "mandateStartDate": "2022-07-19",
  "mandateEndDate": "2023-12-20"
}

✓ Mandate Status Values

`INITIATED`	Mandate registration initiated
`SUCCESS`	Mandate is active and ready for debits
`FAILED`	Mandate registration failed
`CANCEL_INITIATED`	Cancellation request initiated
`CANCEL_PENDING`	Cancellation pending at bank
`CANCEL_SUCCESS`	Mandate successfully cancelled
`CANCEL_FAILED`	Cancellation request failed

Try It — Check Mandate Status

Merchant Key *

Merchant Salt *

Auth PayU ID (mihpayid) *

Request ID *

Step 4: Execute Recurring Debit

Overview

Once the mandate status is SUCCESS, you can execute recurring debits using the si_transaction API. This is a server-to-server call that doesn't require customer 2FA.

🔗 PayU API Reference

Required Parameters for API

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`form`	Mandatory	Fixed value for API type	2
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `si_transaction`	si_transaction
`var1`	Mandatory	JSON object with transaction details (see below)	{"authpayuid":...}
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

var1 JSON Structure

si_transaction var1 JSON

{
  "authpayuid": "403993715537190503",      // mihpayid from mandate registration
  "invoiceDisplayNumber": "INV123456",     // Invoice/reference number
  "amount": "100.00",                       // Debit amount
  "txnid": "DEBIT_1775821582262",          // Unique txnid for THIS debit
  "phone": "9999999999",                    // Customer phone
  "email": "test@example.com",              // Customer email
  "udf2": "",                               // User defined field 2
  "udf3": "",                               // User defined field 3
  "udf4": "",                               // User defined field 4
  "udf5": ""                                // User defined field 5
}

Hash Formula

sha512(key|si_transaction|var1|salt)

Example:
sha512(a4vGC2|si_transaction|{"authpayuid":"6611192557","invoiceDisplayNumber":"12345678910",...}|YourSaltHere)

Try It — Execute Debit

Merchant Key *

Merchant Salt *

authpayuid (mihpayid) *

amount *

Transaction ID *

ⓘ Note:

The Execute Debit (si_transaction) API will only work after 24 hours from mandate registration. This is a PayU policy to allow mandate activation and bank confirmation.

⚠ Important Notes

Debit amount cannot exceed the billingAmount in mandate
Customer is notified via SMS/email before each debit
Failed debits should be retried after 24-48 hours
Maintain debit history for reconciliation

🔎 Troubleshooting "Some error occurred"

Invalid authpayuid: The mihpayid must be from a successful mandate registration
Mandate not active: The mandate must be in "active" state (not pending/cancelled)
Test environment: Test merchants may not have SI enabled - use "Simulate Response" checkbox
Amount exceeds limit: Debit amount cannot exceed billingAmount from mandate registration

Step 1: Get Active Net Banking List

Overview

Use the getNetbankingStatus API to fetch the list of active Net Banking options for your merchant account. This API returns real-time bank availability so you can display only working banks to your customers.

Prerequisites

✓

Merchant Key & Salt
Your PayU credentials

✓

Net Banking Enabled
NB payment mode enabled on your merchant account

Why This Step?

Real-time availability

Get current bank status - some banks may be temporarily down.

Valid bank codes

Get correct ibibo_code values to use as bankcode in payments.

Better UX

Only show active banks to customers, reducing failed attempts.

API Reference

Endpoint: POST https://test.payu.in/merchant/postservice.php?form=2

Parameter	Required	Description	Example
`key`	Mandatory	Merchant key provided by PayU during onboarding	a4vGC2
`command`	Mandatory	API command — fixed `getNetbankingStatus`	getNetbankingStatus
`var1`	Mandatory	Bank code or `default` for all banks	default
`hash`	Mandatory	SHA-512 hash (auto-computed from key, command, var1, salt)	(computed)

Hash Formula

sha512(key|command|var1|salt)

Example (all banks):
sha512(a4vGC2|getNetbankingStatus|default|YourSaltHere)

Example (specific bank):
sha512(a4vGC2|getNetbankingStatus|AXIB|YourSaltHere)

Sample Response

Response Array

[
  {
    "id": "103",
    "ibibo_code": "AXIB",           // Use this as bankcode
    "bank_name": "Axis Bank",
    "mode": "NB",                   // Filter by this for Net Banking
    "up_status": 1,                 // 1 = Up, 0 = Down
    "priority": "1",
    "account_required_on_signup": "1"
  },
  ...
]

Try It — Send Real Request

💡 Quick Start: Click "Fetch All Active Banks" to get the complete list of available Net Banking options for your merchant account.

Merchant Key *

Merchant Salt *

Bank Code (var1)

NB Split Payment

Overview

Split Payment allows you to automatically distribute payment amounts among multiple merchants or aggregators. Configure split ratios, and PayU handles the fund distribution during settlement.

Prerequisites

✓ Split Payment enabled on merchant account

✓ Child merchant IDs configured

✓ Split configuration JSON prepared

Split Request JSON Structure

split_request Parameter

{
  "split_info": [
    {
      "merchant_id": "CHILD_MERCHANT_ID_1",
      "amount": "500.00"
    },
    {
      "merchant_id": "CHILD_MERCHANT_ID_2", 
      "amount": "300.00"
    }
  ]
}

Hash Formula (with split_request)

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||salt|split_request_json)

💡 Split Payment Use Cases

Marketplaces: Split between platform and sellers
Aggregators: Distribute among multiple vendors
Franchise: Split between HQ and franchise location
Commission: Automatically deduct commission fees

Verify Split Payment

Overview

After a split payment completes, verify the transaction and check that split distribution was applied correctly. The verify_payment response includes split details.

✓ What to Check in Split Verify Response

status — Should be "success"
split_status — Confirms split was applied
split_info — Shows distribution among merchants

NB Offers

Overview

Apply bank-specific offers, cashback, and discounts to Net Banking payments. Check eligible offers before payment and apply them using offer_key parameter.

Offer Flow

1Check Offers API

→

2Get Eligible Offers

→

3Apply offer_key

→

4Discount Applied

Check Offers API

check_offer API

// Endpoint: https://test.payu.in/merchant/postservice?form=2
// Command: check_offer

{
  "key": "merchant_key",
  "command": "check_offer",
  "var1": "amount",
  "var2": "NB",           // Payment mode
  "var3": "BANKCODE",     // e.g., AXIB, HDFB
  "hash": "sha512(key|check_offer|var1|salt)"
}

Apply Offer in Payment

Payment with Offer

// Add these parameters to _payment request:
offer_key: "OFFER_KEY_FROM_CHECK_OFFER"
offer_auto_apply: "1"   // Optional: auto-apply best offer

💡 Offer Types

Instant Discount: Reduced amount charged to customer
Cashback: Customer receives cashback post-payment
No Cost EMI: Interest waived on EMI transactions
Bank Specific: Offers valid only for specific banks

SKU-Level Offers

Overview

SKU (Stock Keeping Unit) offers allow you to apply category-specific or product-specific offers. Send cart details with SKU information to get targeted offers for specific products.

Cart Details Structure

cart_details Parameter (JSON)

{
  "items": [
    {
      "sku": "ELECTRONICS_001",
      "category": "electronics",
      "brand": "Samsung",
      "amount": "25000.00",
      "quantity": 1
    },
    {
      "sku": "FASHION_002",
      "category": "fashion",
      "brand": "Nike",
      "amount": "5000.00",
      "quantity": 2
    }
  ],
  "total": "35000.00"
}

💡 SKU Offer Examples

Electronics Category: 10% off on electronics via HDFC
Brand Specific: Extra 5% on Samsung products
Minimum Cart: Flat ₹500 off on ₹10,000+ purchase

Settlement

Overview

After successful payment, PayU settles funds to your configured bank account. Settlement cycles and timelines vary based on your merchant agreement.

Settlement Cycle

1Payment Success

→

2T+0/T+1 Processing

→

3Bank Transfer

→

4Funds Received

Check Settlement Status

get_settlement_details API

// Endpoint: https://test.payu.in/merchant/postservice?form=2
// Command: get_settlement_details

{
  "key": "merchant_key",
  "command": "get_settlement_details",
  "var1": "settlement_id",  // Or date range
  "hash": "sha512(key|get_settlement_details|var1|salt)"
}

💰 Settlement Information

Standard Settlement:	T+2 business days
Express Settlement:	T+0 or T+1 (if enabled)
Refund Impact:	Deducted from next settlement
Split Settlement:	Distributed as per split config

Hash Generator

Overview

Every PayU API request requires a SHA-512 hash for authentication. The hash proves the request came from you and hasn't been tampered with. Different APIs use different hash formulas.

Prerequisites

✓

Merchant Key
Your PayU merchant key from the dashboard

✓

Merchant Salt (v1)
Salt v1 from your PayU dashboard — never expose this client-side

✓

SHA-512 Library
A server-side SHA-512 hashing library (e.g., crypto in Node.js, hashlib in Python)

How It Works

Parameters
Gather values

→

Hash Formula
Pipe-separated

→

SHA-512
Hash algorithm

→

Hex String
Lowercase output

→

API Request
Include hash

Step-by-Step Guide

Identify the hash formula for your API

Each PayU API uses a different hash formula. Payment APIs, PostService APIs, and response verification all have distinct formulas. See the comparison table below.

Assemble the hash string with pipes

Concatenate the required parameters in exact order, separated by pipe (|) characters. Empty fields must remain as empty strings — do not skip them.

Apply SHA-512, output lowercase hex

Pass the assembled string through SHA-512 and convert the result to a lowercase hexadecimal string (128 characters).

Include hash in your API request

Add the computed hash as the hash parameter in your API request. PayU will independently compute the same hash and reject the request if they don't match.

Hash Formulas by API

API	Hash Formula
Payment	`sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|salt)`
Payment (api_version=7)	`sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|si_details\|salt)`
PostService APIs	`sha512(key\|command\|var1\|salt)`
Response Verification	`sha512(salt\|\|\|\|\|\|udf5\|udf4\|udf3\|udf2\|udf1\|email\|firstname\|productinfo\|amount\|txnid\|key\|status)`

Important Rules

All parameters must be in exact order shown above
Empty UDF fields should be empty strings, not removed
There must be exactly 6 pipe characters (||||||) before the SALT
Hash must be computed server-side – never expose salt to client
Use SHA-512 algorithm, output in lowercase hex

Try It – Generate Hash

Merchant Key * Your PayU merchant key

Merchant Salt * Salt v1 from PayU dashboard

Transaction ID * Unique transaction reference

Amount * Transaction amount

Product Info *

First Name *

Email *

UDF1-5 (optional)

Code Examples

Node.js

const crypto = require('crypto');

function generatePayUHash(key, txnid, amount, productinfo, firstname, email, salt) {
    const udf1='', udf2='', udf3='', udf4='', udf5='';
    const hashString = `${key}|${txnid}|${amount}|${productinfo}|${firstname}|${email}|${udf1}|${udf2}|${udf3}|${udf4}|${udf5}||||||${salt}`;
    return crypto.createHash('sha512').update(hashString).digest('hex');
}

// Example — Net Banking Payment
const hash = generatePayUHash('a4vGC2', 'NB_TXN_123', '100.00', 'Test Product', 'John', 'john@example.com', 'YOUR_SALT');
console.log('Hash:', hash);

PHP

<?php
function generatePayUHash($key, $txnid, $amount, $productinfo, $firstname, $email, $salt) {
    $udf1=$udf2=$udf3=$udf4=$udf5='';
    $hashString = "$key|$txnid|$amount|$productinfo|$firstname|$email|$udf1|$udf2|$udf3|$udf4|$udf5||||||$salt";
    return strtolower(hash('sha512', $hashString));
}

// Example — Net Banking Payment
$hash = generatePayUHash('a4vGC2', 'NB_TXN_123', '100.00', 'Test Product', 'John', 'john@example.com', 'YOUR_SALT');
echo "Hash: " . $hash;
?>

Python

import hashlib

def generate_payu_hash(key, txnid, amount, productinfo, firstname, email, salt):
    udf1=udf2=udf3=udf4=udf5=''
    hash_string = f"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}"
    return hashlib.sha512(hash_string.encode('utf-8')).hexdigest().lower()

# Example — Net Banking Payment
hash_val = generate_payu_hash('a4vGC2', 'NB_TXN_123', '100.00', 'Test Product', 'John', 'john@example.com', 'YOUR_SALT')
print(f"Hash: {hash_val}")

Java

import java.security.MessageDigest;
import java.nio.charset.StandardCharsets;

public class PayUHash {
    public static String generateHash(String key, String txnid, String amount,
            String productinfo, String firstname, String email, String salt) {
        String hashString = key+"|"+txnid+"|"+amount+"|"+productinfo+"|"+firstname+"|"+email+"|||||||||||"+salt;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            byte[] hash = md.digest(hashString.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : hash) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) { throw new RuntimeException(e); }
    }
}

Bank Codes Reference

Overview

Use these bank codes in the bankcode parameter when initiating Net Banking payments via the _payment API. The list below shows commonly used banks. For a live list, use the getNetbankingStatus API.

Popular Banks

Bank Code	Bank Name	Type	Status
`TESTPGNB`	Test Bank (Sandbox)	Test	Active
`SBIB`	State Bank of India	Public	Active
`HDFB`	HDFC Bank	Private	Active
`ICIB`	ICICI Bank	Private	Active
`AXIB`	Axis Bank	Private	Active
`KTKB`	Kotak Mahindra Bank	Private	Active
`YESB`	Yes Bank	Private	Active
`INDB`	IndusInd Bank	Private	Active

Other Banks

Bank Code	Bank Name	Type	Status
`PNBB`	Punjab National Bank	Public	Active
`BKID`	Bank of India	Public	Active
`UNIB`	Union Bank of India	Public	Active
`CABB`	Canara Bank	Public	Active
`BOBB`	Bank of Baroda	Public	Active
`CITI`	Citibank	Private	Active
`KTKB`	Karnataka Bank	Private	Active
`IDBB`	IDBI Bank	Public	Active
`FEDB`	Federal Bank	Private	Active
`SCBB`	Standard Chartered	Private	Active

💡 Tip

Use the getNetbankingStatus API to get real-time bank availability and the complete list of supported banks for your merchant account. Go to Prerequisite for NB section to try it live.

Example Usage

// Use bankcode in your _payment API request
{
  "key": "a4vGC2",
  "pg": "NB",
  "bankcode": "AXIB",       // Axis Bank
  "txn_s2s_flow": "4",
  "amount": "100.00",
  "txnid": "NB_TXN_123",
  // ... other required params
}

PayU Integration Lab BETA

How to Get Your Merchant Key & Salt

Sign Up or Log In to PayU Dashboard

Go to "Manage Checkout"

Click "Payment Gateway"

Copy Your Merchant Key & Salt

Select a Payment Flow

PayU Hosted Checkout

Checkout Plus

Subscription Payment

TPV Payment

UPI OTM

Split Payment

Cross Border Payment

Bank Offers

PreAuth Card Flow

PayU Hosted Cross Border Payment

Configuration Settings

One-Time Payment

Subscription Payment

Subscription Configuration

Payment Details

Customer Details

Billing Address

UDF Parameters (User Defined Fields)

LRS Parameters (Cross-Border One-Time Only)

Cross-Border Compliance Parameters

UDF Parameters (Subscription)

Cross-Border Compliance Parameters

Redirect URLs

Debug Information

CURL Command

PayU Hosted Checkout

Configuration Settings

Payment Details

Customer Details

Address Details (Optional)

UDF Parameters (Optional)

Redirect URLs

Debug Information

CURL Command

PayU Hosted Checkout Subscription

Configuration Settings

Subscription Configuration

Payment Details

Customer Details

Address Details (Optional)

UDF Parameters

Redirect URLs

Debug Information

CURL Command

PayU Hosted Checkout TPV

Configuration Settings

Payment Details

Customer Details

Address Details (Optional)

Beneficiary Details (TPV Validation)

TPV Configuration

UDF Parameters (User Defined Fields)

Redirect URLs

Debug Information

CURL Command

PayU Hosted Checkout UPI OTM

Configuration Settings

Mandate Date Configuration

Payment Details

Customer Details

Address Details (Optional)

UDF Parameters (Optional)

Redirect URLs

Live Hash Preview

Debug Information

CURL Command

PayU Hosted Checkout PreAuth

Configuration Settings

Payment Details

Customer Details

Address Details (Optional)

UDF Parameters

Redirect URLs