Payin P2C Seamless UPI Integration

UPI is a set of APIs developed by NPCI to enable instant online payments. It simplifies immediate payments via mobile devices. Payments can be initiated by both the sender (payer) and the receiver (payee) and can be completed using virtual payment addresses, Aadhaar integration, mobile numbers, and more. The payer’s smartphone can securely capture credentials for these transactions.

Merchant On-boarding: The merchant must provide the following information for on-boarding in both the UAT and production environments:

IP Address (For dynamic IPs, please provide the range of IP addresses).
Merchant Callback URL to post the final transaction status from our system.

Once the merchant provides the required technical details, we will complete the necessary back-office configurations and provide a Merchant ID (MID/PID).

Let's see how it works:

Merchant sends a payment collection request through our API, they must include the order_id, pid, amount, upi_id, name, email, and phone details.
PAYMENT REQUEST : Upon receiving a request in the correct format, we will provide a UPI payment string, which is necessary for generating a QR code or creating a payment intent.
CALLBACK : After the customer completes the payment, you will receive callback data at the provided callback URL.
STATUS POLLING : To confirm or check the payment status, you can use the polling_api at any time to update your system about the payment.

PAYMENT REQUEST :

Before proceeding with this section, please ensure you have reviewed the Basic Workflow of the system. This page outlines how to send a payment request effectively.

Important Note: All requests must originate from whitelisted IP addresses. Please verify that your IP is properly whitelisted before initiating any requests.

Payment Request

POST https://<domain>/api/request.php

Merchant makes a payment request.

Headers

Name

Value

Content-Type

application/json

Body

Name

Type

Description

Mandatory

pid

string

provided MID/PID

Yes

order_id

string

unique order id

Yes

amount

string

requested amount

Yes

upi_id

string

customer's upi id

name

string

customer's name

Yes

email

string

customer's email

Yes

phone

string

customer's phone

Yes

{
    "pid":"0951272386617",
    "order_id":"jdherfecuh0",
    "amount":"87",
    "upi_id":"[email protected]",
    "name":"john",
    "email":"[email protected]",
    "phone":"8974554630"
}

Sample Response Body

{
    "ref_code": "18855d71b83ce84c13b0f924b4efbb40a4b0bbd4cda7f9747906eb49dc8b3fcb",
    "qr_code": "upi://[email protected]&pn=5fk2p&am=87&tn=5fk2p",
    "status": "success",
    "redirect_url": ""
}

CALLBACK

We invoke your callback URL with callback data whenever there is a status change against the transaction.

Valid Transaction status are:

Approved
Declined
Late Approved
Pending
User Timed Out

The most famous transaction changes are (but not limited):

Pending=>Approved
Pending=>Declined
Pending=>User Timed Out
User Timed Out=>Late Approved

The callback landing page has to be set on your server at some secret path but it should be publicly available from our white-listed IP. ( make it accessible only from our server IP )

In the POST body, you will get the following properties in JSON:

Name

Type

Description

order_id

string

Your order id shared

requested_amount

int

requested amount

received_amount

int

received amount

bank_ref

string

transaction reference/bank reference/UTR if available

ref_code

string

unique code for the transaction

status

string

status of payment at this time

post_hash

string

signature post hash for security verification

Follow the steps to verify the integrity of received data:

base64_decode post_hash:

Capture JSON data from the POST body.
JSON decode the data to an array or object.
Extract the post_hash from the decoded data.
For encrypted post_hash base64_decode the post_hash.

$data = file_get_contents("php://input");
$array = json_decode($data,  true);
$encrypted_hash=base64_decode($array['post_hash']);

Decrypt hash

Once you decrypt $encrypted_hash, you will get get plain remote_hash.

PHP Decrypt function

$remote_hash=decrypt($encrypted_hash);
function decrypt($ivHashCiphertext, $password) 
{    
    $method = "AES-256-CBC";    
    $iv = substr($ivHashCiphertext, 0, 16);    
    $hash = substr($ivHashCiphertext, 16, 32);    
    $ciphertext = substr($ivHashCiphertext, 48);    
    $key = hash('sha256', $password, true);    
    if (!hash_equals(hash_hmac('sha256', $ciphertext . $iv, $key, true),$hash)) 
    return null;    
    return openssl_decrypt($ciphertext, $method, $key,    		    
    OPENSSL_RAW_DATA, $iv);                               
}
$remote_hash=decrypt($encrypted_hash,$secret_key);

Node JS Decrypt function

const crypto = require('crypto');

function decrypt(ivHashCiphertext, password) {
    // If ivHashCiphertext is a string, assume it's base64 encoded
    if (typeof ivHashCiphertext === 'string') {
        ivHashCiphertext = Buffer.from(ivHashCiphertext, 'base64');
    }

    const method = 'aes-256-cbc';

    // Extract the initialization vector (first 16 bytes)
    const iv = ivHashCiphertext.slice(0, 16);

    // Extract the hash (next 32 bytes)
    const hash = ivHashCiphertext.slice(16, 48);

    // Extract the ciphertext (remaining bytes)
    const ciphertext = ivHashCiphertext.slice(48);

    // Generate the key using SHA-256 hash of the password
    const key = crypto.createHash('sha256').update(password, 'utf8').digest();

    // Compute HMAC-SHA256 of (ciphertext || iv) using the key
    const hmac = crypto.createHmac('sha256', key)
        .update(Buffer.concat([ciphertext, iv]))
        .digest();

    // Compare the computed HMAC with the extracted hash
    if (!crypto.timingSafeEqual(hmac, hash)) {
        return null; // Hashes do not match; return null
    }

    try {
        // Decrypt the ciphertext using AES-256-CBC
        const decipher = crypto.createDecipheriv(method, key, iv);
        const plaintext = Buffer.concat([
            decipher.update(ciphertext),
            decipher.final()
        ]);
        return plaintext.toString('utf8'); // Return the decrypted text as a UTF-8 string
    } catch (err) {
        // Decryption failed; return null
        return null;
    }
}

Compute the local hash using the MD5 128-bit hashing algorithm. Generate the hash locally.

$local_hash = md5($order_id.$received_amount.$status.$secret_key);

Decrypt function for python given at the end of this document.

Verify hash (Compare hash given at requestand local hash)

if ($remote_hash == $local_hash)
{  // consider received amount to update  // Mark the transaction as success & process the order  // You can write code process the order here  // Update your db with payment success  
    $hash_status = "Hash Matched";    
}  
else  
{  // Verification failed       
    $hash_status = "Hash Mismatch";  
}

Acknowledge the payment gateway (You should Acknowledge back to the payment gateway that you saved the status of payment, otherwise we will retry Callback)

$data['hash_status']=$hash_status; 
// 'Hash Matched' or 'Hash Mismatch' 
$data['acknowledge']=$acknowledge; // 'yes' or 'no'
header('Content-Type: application/json; charset=utf-8');
echo json_encode($data); // output as a json file

Definition of Payment Status:

Approved: Payment is Approved by our system
Late Approved: Payment is Approved by our system after manual reconciliation
Declined: Payment is declined by our system
Pending: User session in active waiting to finish payment
User Timed Out: User didn’t finished payment within the session period

STATUS POLLING :

POST https://<domain>/api/status_polling.php

This API is for polling the status for a particular transaction.

Headers

Name

Value

Content-Type

application/json

Body

Name

Type

Description

Mandatory

pid

string

Merchant ID/PID

Yes

ref_code

string

unique ref_code which is generated in payment request

Yes

post_hash

string

post hash for signature verification

Yes

Steps to generate post_hash :

Create a hash using md5 algorithm by appending values of ref_code, pid, secret_key

$local_hash = md5($ref_code . $pid  . $row['secret_key']);

NodeJS Example:

const local_hash = crypto.createHash('md5').update(ref_code + pid + secret_key).digest('hex');
const encodedStr=encrypt(local_hash, secret_key).toString('base64');

Encrypt hash (You need to encrypt the hash using the secret key

$encrypted_hash=encrypt($local_hash,  $row['secret_key']); 
function encrypt($plaintext, $password) 
{    
    $method = "AES-256-CBC";    
    $key = hash('sha256', $password, true);    
    $iv = openssl_random_pseudo_bytes(16);    
    $ciphertext = openssl_encrypt($plaintext, $method, $key,       
    OPENSSL_RAW_DATA, $iv);    
    $hash = hash_hmac('sha256', $ciphertext . $iv, $key, true);    
    return $iv . $hash . $ciphertext;
}

encrypted_hash=encrypt(local_hash,  row['secret_key']); 
def encrypt(plaintext, password):
    key = hashlib.sha256(password.encode()).digest()
    iv = os.urandom(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pad(plaintext.encode(), AES.block_size))
    hash_value = hash_hmac("SHA256",ciphertext + iv,key,True)
    return iv + hash_value + ciphertext
 
 
def hash_hmac(algorithm, data, key, raw_output=False):
    if isinstance(data, str):
        data = data.encode('utf-8')
    if isinstance(key, str):
        key = key.encode('utf-8')

    hmac_hash = hmac.new(key, data, getattr(hashlib, algorithm.lower()))
    if raw_output:
        return hmac_hash.digest()
    else:
        return hmac_hash.hexdigest()

function encrypt(plaintext, password) {
    const method = 'aes-256-cbc';

    // Generate key using SHA-256 hash of the password
    const key = crypto.createHash('sha256').update(password).digest();

    // Generate a random IV (initialization vector)
    const iv = crypto.randomBytes(16);

    // Create AES cipher
    const cipher = crypto.createCipheriv(method, key, iv);

    // Encrypt plaintext
    let ciphertext = cipher.update(plaintext, 'utf8');
    ciphertext = Buffer.concat([ciphertext, cipher.final()]);

    // Generate HMAC hash of (ciphertext + iv)
    const hmac = crypto.createHmac('sha256', key);
    hmac.update(Buffer.concat([ciphertext, iv]));
    const hash = hmac.digest();

    // Concatenate iv + hash + ciphertext
    const encrypted = Buffer.concat([iv, hash, ciphertext]);

    // Return the encrypted data (as Buffer)
    return encrypted;
}

base64_encode encrypted_hash for transport over the network.

//Compute the payment hash locally

$encoded_hash=base64_encode($encrypted_hash);

Send a post request to the given URL

//Send a post request that contains pid,ref_code and post_hash(as jSON post body) to url_of_polling_api and you will get a response after validating the data.

<?php
//A very simple PHP example that sends a HTTP POST to a remote site
$data['pid']=pid;
$data['ref_code']=ref_code;
$data['post_hash']=post_hash;
$ch = curl_init();
$url=you will get api url in the call
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_POST, 1); // In real life you should use something like:
curl_setopt($ch, CURLOPT_POSTFIELDS,json_encode($data,true));
// Receive server response …
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$server_output = curl_exec($ch);
curl_close($ch);
if($server_output){// You can follow step 5 to process response}
?>

Process Response (You will get a JSON response)

Name

Type

Description

order_id

string

Merchant ID/PID

ref_code

string

unique ref_code which is generated in payment request

post_hash

string

post hash for signature verification

Status API Response Process

$data = file_get_contents("php://input");              
$row1=json_decode($data, true);                
echo $row1['order_id'];                
echo $row1['upi_id'];               
echo $row1['amount'];                
echo $row1['webhook_acknowledged'];            
echo $row1['status'];                
echo $row1['post_hash']; //  decode post hash
$encrypted_hash=base64_decode($row1['post_hash']);  // decrypt encrypted hash
$remote_hash = decrypt($encrypted_hash,$row['secret_key']);
$local_hash = md5($order_id . $data['amount'].
$data['status'].$row['secret_key']);   // generate local hash

PHP Decrypt function

function decrypt($ivHashCiphertext, $password)
{
    $method = "AES-256-CBC";
    $iv = substr($ivHashCiphertext, 0, 16);
    $hash = substr($ivHashCiphertext, 16, 32);
    $ciphertext = substr($ivHashCiphertext, 48);
    $key = hash("sha256", $password, true);

    if (
        !hash_equals(hash_hmac("sha256", $ciphertext . $iv, $key, true), $hash)
    ) {
        return null;
    }
    return openssl_decrypt($ciphertext, $method, $key, OPENSSL_RAW_DATA, $iv);
}

Python Decrypt function

def decrypt(ivHashCiphertext, password):
    # Segregating IV,Hash,Cipher
    iv = ivHashCiphertext[:16]
    hash_val = ivHashCiphertext[16:48]
    ciphertext = ivHashCiphertext[48:]
    key = hashlib.sha256(password.encode()).digest()

    if not hmac.compare_digest(
        hash_hmac("SHA256",ciphertext + iv,key,True), hash_val
    ):
        return None

    backend = default_backend()
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
    decryptor = cipher.decryptor()
    decrypted_text = decryptor.update(ciphertext) + decryptor.finalize()

    return decrypted_text.decode()

Node JS Decrypt function

const crypto = require('crypto');

function decrypt(ivHashCiphertext, password) {
    // If ivHashCiphertext is a string, assume it's base64 encoded
    if (typeof ivHashCiphertext === 'string') {
        ivHashCiphertext = Buffer.from(ivHashCiphertext, 'base64');
    }

    const method = 'aes-256-cbc';

    // Extract the initialization vector (first 16 bytes)
    const iv = ivHashCiphertext.slice(0, 16);

    // Extract the hash (next 32 bytes)
    const hash = ivHashCiphertext.slice(16, 48);

    // Extract the ciphertext (remaining bytes)
    const ciphertext = ivHashCiphertext.slice(48);

    // Generate the key using SHA-256 hash of the password
    const key = crypto.createHash('sha256').update(password, 'utf8').digest();

    // Compute HMAC-SHA256 of (ciphertext || iv) using the key
    const hmac = crypto.createHmac('sha256', key)
        .update(Buffer.concat([ciphertext, iv]))
        .digest();

    // Compare the computed HMAC with the extracted hash
    if (!crypto.timingSafeEqual(hmac, hash)) {
        return null; // Hashes do not match; return null
    }

    try {
        // Decrypt the ciphertext using AES-256-CBC
        const decipher = crypto.createDecipheriv(method, key, iv);
        const plaintext = Buffer.concat([
            decipher.update(ciphertext),
            decipher.final()
        ]);
        return plaintext.toString('utf8'); // Return the decrypted text as a UTF-8 string
    } catch (err) {
        // Decryption failed; return null
        return null;
    }
}

Verify Response

#PHP Example if $local_hash equal to $remote_hash then the data is verified:

if($remote_hash==$local_hash)
{ // validated status }
else {  // invalid status  }

In python you need to import the following packages:

import base64
import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import hashlib
import hmac

COMPLAINT

We have a dedicated Complaint Section where merchants can manage transaction-related complaints. Through this section, merchants can submit complaints with all necessary details and optional evidence. Upon submission, a unique complaint reference ID is generated, allowing merchants to track the complaint’s status and receive real-time updates via the status-check API. This ensures a smooth, secure, and efficient process for resolving any transaction issues.

Complaint

RECONCILIATION

This API endpoint allows authorized users to retrieve payment transactions based on a specific pid (Partner ID) and date. The API performs authentication using a token and signature verification to ensure secure communication.

Reconciliation

PreviousPayout P2P Seamless IMPS Integration NextPayin P2C Non-Seamless UPI Integration

Last updated 1 year ago