Decoupled Flow Integration

The S2S decoupled flow for cards involves the following steps for the redirect experience.

Steps to integrate

1. Initiate payment request with PayU

Create and send a payment request to PayU with all required parameters and merchant configuration

2. Redirect the customer

Redirect the customer to PayU's secure payment gateway to complete the transaction

3. Authorize (charge) the Payment

Process the payment authorization and charge the customer's selected payment method

4. Check the response from PayU

Handle and process the response received from PayU after payment completion

5. Verify payment

Verify the payment status using PayU's verification API and implement proper validation

👍
Before you begin:
Register for an account with PayU before you start integration. For more information, refer to Register for a Merchant Account.

📘
Notes:

This API is backward compatible and you can continue to the existing integration parameters to process the 3DS 1.0.2 transactions.

If you are using legacy integration of decoupled flow for S2S, refer to Legacy Flow for Server-to-Server.

Step 1: Initiate payment request with PayU

The merchant initiates PayU with the required transaction mandatory or optional parameters. This needs to be a server-to-server curl call request. URL, parameters, and their descriptions. For more information, refer to Cards Decoupled Flow.

Environment


Test Environment	https://test.payu.in/_payment
Production Environment	https://secure.payu.in/_payment

Request parameters

Parameter	Description	Example
key `mandatory`	`String`Merchant key provided by PayU during onboarding.
txnid `mandatory`	`String`The transaction ID is a reference number for a specific order that is generated by the merchant.
amount `mandatory`	`String`The payment amount for the transaction.
productinfo `mandatory`	`String`A brief description of the product.
firstname `mandatory`	`String` The first name of the customer.	Ashish
email `mandatory`	`String`The email address of the customer.
phone `mandatory`	`String`The phone number of the customer.
pg `mandatory`	`String` The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value.	CC
bankcode `mandatory`	`String` Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment option's bank code value in it. For more information, refer to Card Type Codes and Supported Banks for Cards.	AMEX
ccnum `mandatory`	`String` Use 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate with LUHN algorithm. Refer to Card Number Formats and display error message on invalid input.	5123456789012346
ccname `mandatory`	`String` This parameter must contain the name on card – as entered by the customer for the transaction.	Ashish Kumar
ccvv `mandatory`	`String` Use 3-digit CVV number for credit/debit cards and 4-digit security code (4DBC/CID) for AMEX cards. Validate with BIN API.	123
ccexpmon `mandatory`	`String` This parameter must contain the card's expiry month – as entered by the user for the transaction. It must always be in 2 digits or in MM format. For months 1-9, this parameter must be appended with 0 – like 01, 02…09. For months 10-12, this parameter must not be appended – It should be 10,11 and 12 respectively.	10
ccexpyr `mandatory`	`String` This parameter must contain the card's expiry year – as entered by the customer for the transaction. It must be of four digits.	2021
furl `mandatory`	`String`The success URL, which is the page PayU will redirect to if the transaction is successful.
surl `mandatory`	`String`The Failure URL, which is the page PayU will redirect to if the transaction is failed.
hash `mandatory`	`String`It is the hash calculated by the merchant. The hash calculation logic is: `sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|SALT)`
txn_s2s_flow `mandatory`	`String`This parameter must be passed with the value as 4 for Legacy Decoupled flow.
auth_only `mandatory`	`String`This parameter must be passed with the value as 1 for this parameter.
termUrl `mandatory`	`String`This parameter must contain the URL which will receive the authentication response from ACS.
authentication_flow `mandatory`	`String`This parameter must be passed with value as REDIRECT.
s2s_client_ip `mandatory`	`String`This parameter must have the source IP of the customer.
s2s_device_info `mandatory`	`String`This parameter must have the customer agent's device.
notifyurl optional	`String`It is used to send response regarding current transaction to notify about the current transaction done in merchant site.
address1 `optional`	`String` The first line of the billing address. For Fraud Detection: This information is helpful when it comes to issues related to fraud detection and chargebacks. Hence, it is must to provide the correct information.
address2 `optional`	`String` The second line of the billing address.
city `optional`	`String` The city where your customer resides as part of the billing address.
state `optional`	`String` The state where your customer resides as part of the billing address,
country `optional`	`String` The country where your customer resides.
zipcode `optional`	`String` Billing address zip code is mandatory for the cardless EMI option. `Character Limit`-20
udf1 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.
udf2 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.
udf3 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.
udf4 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.
udf5 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.

Understanding Hashing and sample code

Hashing

You must hash the request parameters using the following hash logic:

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)

For more information, refer to Generate Hash.

Hashing Sample Code

<?php
function generateHash($params, $salt) {
    // Extract parameters or use empty string if not provided
    $key = $params['key'];
    $txnid = $params['txnid'];
    $amount = $params['amount'];
    $productinfo = $params['productinfo'];
    $firstname = $params['firstname'];
    $email = $params['email'];
    $udf1 = isset($params['udf1']) ? $params['udf1'] : '';
    $udf2 = isset($params['udf2']) ? $params['udf2'] : '';
    $udf3 = isset($params['udf3']) ? $params['udf3'] : '';
    $udf4 = isset($params['udf4']) ? $params['udf4'] : '';
    $udf5 = isset($params['udf5']) ? $params['udf5'] : '';
    
    // Construct hash string with exact parameter sequence
    $hashString = $key . '|' . $txnid . '|' . $amount . '|' . $productinfo . '|' . 
                  $firstname . '|' . $email . '|' . $udf1 . '|' . $udf2 . '|' . 
                  $udf3 . '|' . $udf4 . '|' . $udf5 . '||||||' . $salt;
    
    // Generate hash and convert to lowercase
    return strtolower(hash('sha512', $hashString));
}

// Example usage
$params = [
    'key' => 'yourKey',
    'txnid' => 'yourTxnId',
    'amount' => 'yourAmount',
    'productinfo' => 'yourProductInfo',
    'firstname' => 'yourFirstName',
    'email' => 'yourEmail',
    'udf1' => 'optional_value1'
    // udf2, udf3, udf4, udf5 not provided - will be empty strings
];
$salt = 'yourSalt';

$hash = generateHash($params, $salt);
echo 'Generated Hash: ' . $hash;
?>

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class ImprovedHashGenerator {

    public static String generateHash(Map<String, String> params, String salt) {
        // Extract parameters or use empty string if not provided
        String key = params.get("key");
        String txnid = params.get("txnid");
        String amount = params.get("amount");
        String productinfo = params.get("productinfo");
        String firstname = params.get("firstname");
        String email = params.get("email");
        String udf1 = params.getOrDefault("udf1", "");
        String udf2 = params.getOrDefault("udf2", "");
        String udf3 = params.getOrDefault("udf3", "");
        String udf4 = params.getOrDefault("udf4", "");
        String udf5 = params.getOrDefault("udf5", "");
        
        // Construct hash string with exact parameter sequence
        String hashString = key + "|" + txnid + "|" + amount + "|" + productinfo + "|" + 
                         firstname + "|" + email + "|" + udf1 + "|" + udf2 + "|" + 
                         udf3 + "|" + udf4 + "|" + udf5 + "||||||" + salt;
        
        return sha512(hashString);
    }

    private static String sha512(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            byte[] hashBytes = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : hashBytes) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString().toLowerCase();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        // Example usage with parameters map
        Map<String, String> params = new HashMap<>();
        params.put("key", "yourKey");
        params.put("txnid", "yourTxnId");
        params.put("amount", "yourAmount");
        params.put("productinfo", "yourProductInfo");
        params.put("firstname", "yourFirstName");
        params.put("email", "yourEmail");
        params.put("udf1", "optional_value1");
        // udf2, udf3, udf4, udf5 not provided - will be empty strings
        
        String salt = "yourSalt";

        String hash = generateHash(params, salt);
        System.out.println("Generated Hash: " + hash);
    }
}

using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class ImprovedHashGenerator
{
    public static string GenerateHash(Dictionary<string, string> parameters, string salt)
    {
        // Extract parameters or use empty string if not provided
        string key = parameters["key"];
        string txnid = parameters["txnid"];
        string amount = parameters["amount"];
        string productinfo = parameters["productinfo"];
        string firstname = parameters["firstname"];
        string email = parameters["email"];
        
        // Get UDF values if present, otherwise use empty string
        string udf1 = parameters.ContainsKey("udf1") ? parameters["udf1"] : "";
        string udf2 = parameters.ContainsKey("udf2") ? parameters["udf2"] : "";
        string udf3 = parameters.ContainsKey("udf3") ? parameters["udf3"] : "";
        string udf4 = parameters.ContainsKey("udf4") ? parameters["udf4"] : "";
        string udf5 = parameters.ContainsKey("udf5") ? parameters["udf5"] : "";
        
        // Construct hash string with exact parameter sequence
        string hashString = $"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}";
        
        return Sha512(hashString);
    }

    private static string Sha512(string input)
    {
        using (SHA512 sha512 = SHA512.Create())
        {
            byte[] bytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(input));
            StringBuilder sb = new StringBuilder();
            foreach (byte b in bytes)
            {
                sb.Append(b.ToString("x2"));
            }
            return sb.ToString().ToLower();
        }
    }

    public static void Main(string[] args)
    {
        // Example usage with parameters dictionary
        Dictionary<string, string> parameters = new Dictionary<string, string>
        {
            ["key"] = "yourKey",
            ["txnid"] = "yourTxnId",
            ["amount"] = "yourAmount",
            ["productinfo"] = "yourProductInfo",
            ["firstname"] = "yourFirstName",
            ["email"] = "yourEmail",
            ["udf1"] = "optional_value1"
            // udf2, udf3, udf4, udf5 not provided - will be empty strings
        };
        
        string salt = "yourSalt";

        string hash = GenerateHash(parameters, salt);
        Console.WriteLine("Generated Hash: " + hash);
    }
}

import hashlib

def generate_hash(params, salt):
    # Extract parameters or use empty string if not provided
    key = params['key']
    txnid = params['txnid']
    amount = params['amount']
    productinfo = params['productinfo']
    firstname = params['firstname']
    email = params['email']
    udf1 = params.get('udf1', '')
    udf2 = params.get('udf2', '')
    udf3 = params.get('udf3', '')
    udf4 = params.get('udf4', '')
    udf5 = params.get('udf5', '')
    
    # Construct hash string with exact parameter sequence
    hash_string = f"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}"
    
    # Generate SHA-512 hash
    return hashlib.sha512(hash_string.encode('utf-8')).hexdigest()

# Example usage
params = {
    'key': 'yourKey',
    'txnid': 'yourTxnId',
    'amount': 'yourAmount',
    'productinfo': 'yourProductInfo',
    'firstname': 'yourFirstName',
    'email': 'yourEmail',
    'udf1': 'optional_value1'
    # udf2, udf3, udf4, udf5 not provided - will default to empty strings
}
salt = 'yourSalt'

hash_value = generate_hash(params, salt)
print("Generated Hash:", hash_value)

const crypto = require('crypto');

function generateHash(params, salt) {
    // Extract parameters or use empty string if not provided
    const key = params.key;
    const txnid = params.txnid;
    const amount = params.amount;
    const productinfo = params.productinfo;
    const firstname = params.firstname;
    const email = params.email;
    const udf1 = params.udf1 || '';
    const udf2 = params.udf2 || '';
    const udf3 = params.udf3 || '';
    const udf4 = params.udf4 || '';
    const udf5 = params.udf5 || '';
    
    // Construct hash string with exact parameter sequence
    const hashString = `${key}|${txnid}|${amount}|${productinfo}|${firstname}|${email}|${udf1}|${udf2}|${udf3}|${udf4}|${udf5}||||||${salt}`;
    
    // Generate SHA-512 hash
    return crypto.createHash('sha512').update(hashString).digest('hex');
}

// Example usage
const params = {
    key: 'yourKey',
    txnid: 'yourTxnId',
    amount: 'yourAmount',
    productinfo: 'yourProductInfo',
    firstname: 'yourFirstName',
    email: 'yourEmail',
    udf1: 'optional_value1'
    // udf2, udf3, udf4, udf5 not provided - will default to empty strings
};
const salt = 'yourSalt';

const hash = generateHash(params, salt);
console.log("Generated Hash:", hash);

Sample request

curl --location \
 --request \
 POST 'https://secure.payu.in/_payment' --header 'Content-Type: application/x-www-form-urlencoded' \
 --header 'Cookie: PHPSESSID=mj185cifujktpv1igu9tmuoaal; PAYUID=6b0d4cbbe43702a8a938a4d4c546ae01; PHPSESSID=6388ab6306272' \
 --data \
-urlencode 'hash=5e0f040fb08759d621caf04baab4bd893e1d9f5d3edfc2aa42bea00c2ac7140b14b7883028a3b7fc5df6fb728f7542d85c2930c3f3dc4bab6a8b3da1ff33d9fe' --data \
-urlencode 'key=smsplus' --data \
-urlencode 'txnid=payuTestTransaction8169502' --data \
-urlencode 'amount=1.1' --data \
-urlencode 'firstname=Postman' --data \
-urlencode '[email protected]' --data \
-urlencode 'phone=9988776655' --data \
-urlencode 'productinfo=Product Info' --data \
-urlencode 'surl=https://admin.payu.in/test_response' --data \
-urlencode 'furl=https://admin.payu.in/test_response' --data \
-urlencode 'notifyurl=https://admin.payu.in/test_response' --data \
-urlencode 'codurl=https://admin.payu.in/test_response' --data \
-urlencode 'ipurl=https://admin.payu.in/test_response' --data \
-urlencode 'lastname=' --data \
-urlencode 'udf1=' --data \
-urlencode 'udf2=' --data \
-urlencode 'udf3=' --data \
-urlencode 'udf4=' --data \
-urlencode 'udf5=' --data \
-urlencode 'pg=CC' --data \
-urlencode 'bankcode=CC' --data \
-urlencode 'ccnum=XXXXXXXXXXX8006' --data \
-urlencode 'ccname=ASHISH' --data \
-urlencode 'ccvv=XXX' --data \
-urlencode 'ccexpmon=05' --data \
-urlencode 'ccexpyr=2023' --data \
-urlencode 'txn_s2s_flow=4' --data \
-urlencode 'auth_only=1' --data \
-urlencode 'termUrl=https://admin.payu.in/test_response' --data \
-urlencode 'authentication_flow=REDIRECT'

Sample response

📘
Understanding response parameters:
The response for the S2S payment request is not similar to Merchant Hosted or PayU Hosted Checkout. For description of response parameters, refer to Additional Info for Payment APIs.

{
   "metaData": {
      "message": null,
      "referenceId": "00c44a4c8306f9cbe5ecf6133afe08a7",
      "statusCode": null,
      "txnId": "payuTestTransaction447674",
      "txnStatus": "Enrolled",
      "unmappedStatus": "pending"
   },
   "result": {
      "otpPostUrl": "",
      "acsTemplate": "PGh0bWw+PGJvZHk+PGZvcm0gbmFtZT0icGF5bWVudF9wb3N0IiBpZD0icGF5bWVudF9wb3N0IiBhY3Rpb249Imh0dHBzOi8vd3d3LjNkc2VjdXJlMS5pY2ljaWJhbmsuY29tL0FDU1dlYi9FbnJvbGxXZWIvSUNJQ0lCYW5rL3NlcnZlci9BY2Nlc3NDb250cm9sU2VydmVyP2lkY3Q9ODExMi5WIiBtZXRob2Q9InBvc3QiPjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Ik1EIiB2YWx1ZT0iYzJlOWU0NTYwMzdmMDMzZTVjYzNkN2I2ZTU1NjE4OWFkZjQxZWVhYmY3MDY4NDRkZmY3MGFhYzkxZjZiOGU3M2JiMTg0NjI4NmM4Zjk5ZWE3NjhjZjM4ZjdjMTIzNjljfDUyMzcyNzQ5MzY0Nzk1MGYzMjY4NGJkNmYxYWIwN2FhNjQ3NDAxNmYiPjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlBhUmVxIiB2YWx1ZT0iZU5wVlVrMXYyekFNL1N0Qjc3RytyTW9PV0FGTkRhdzVKTTNTN3RLYmJER3hoL2lqbGowMCsvV1RIR2ZkVHVLamlFZStSOEpiMlNObXIxaU1QV3JZb25QbWhJdktQdHpsOFQzbE9lVkxMbzkyR1Z0TWxvbFE2VkpZeFRrMVZDcGw3elRzSHcvNG9lRVg5cTVxRzgwaUduRWdOK2daKzZJMHphREJGQi9yelU3SGlVaVZCREpEcUxIZlpKb3puc1lKbFFrVmd0SjdJTmMwTktaRzdXclhuVWNIWkVKUXRHTXo5QmN0cEsrN0FSajdzeTZIb1hNclF0d2tKK3JNWll5cWh1UW1UMWw4dElVNVdta1pUeFJGcTR4TUZVdXBORGw1YXV1NmJmYW5BN3F1YlJ3K204YWVzUWNTU0lGOGFkaVBJWEoraU0vSzZ2ZTMwL0NTYmNYTEsvMzluaFdYN2M5MXVjMStpQjMvL2dBa1ZJQTFBMnBPdWRkSDJZS0psVkFyNGYyWjhtRHFNTDNlN0E0TEZqSHFUYmttb0F0OUhxK0FoWTkvRStERjlkZ1VOd2R1Q1FEVFQ0Kyt3amY0RzRORlYzZ1I4L09sNE9rNTdLUVlndnZ6Z040T0pTU1RLc2wzL0xSVzViZXdwNmtra0ZmZVp5Nm9uTmdEQUJKSXlId0NaTDRlSC8xM1ZYOEFEOUxGSGc9PSI+PGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iVGVybVVybCIgdmFsdWU9Imh0dHBzOi8vc2VjdXJlLnBheXUuaW4vYmFiOTE0ZmRjYWZkNWQxMjg3MGVkN2E1OTcxOTA1YWIvQ29tbW9uUGdSZXNwb25zZUhhbmRsZXIiPjwvZm9ybT48c2NyaXB0IHR5cGU9J3RleHQvamF2YXNjcmlwdCc+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICB3aW5kb3cub25sb2FkPWZ1bmN0aW9uKCl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQuZm9ybXNbJ3BheW1lbnRfcG9zdCddLnN1Ym1pdCgpOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICA8L3NjcmlwdD48L2JvZHk+PC9odG1sPg=="
   },
   "binData": {
      "pureS2SSupported": false,
      "issuingBank": "ICICI",
      "category": "creditcard",
      "cardType": "VISA",
      "isDomestic": true
   }
}

Step 2: Redirect the customer

Basis a successful response of the authentication API, you need to redirect the user to the bank page using acsTemplate. This API specifies the response that is posted to termUrl after the authentication for the transaction has been processed.

📘
Notes:

All callbacks POST form data on the merchant's termUrl that is passed in Initiate Transaction API.

Validation of the response happens on the basis of the hash value being returned in the hash value of the response.

Request parameters

Parameter	Description
rawBankData `mandatory`	`String` This parameter contains the raw response that is received from bank after authentication. The response is urlencoded and in query string format.
referenceId `mandatory`	`String` This parameter contains the reference id being returned for the transaction
bankData `mandatory`	`JSON` This parameter contains the JSON string that is to be used for authorization call.This parameter is received in case of successful OTP submission of decoupled transactions. The postToBank contains messageDigest and pares that is to be posted back for authorization. For more information on the fields in this JSON, refer to bankData JSON Fields Description.
authenticationStatus `mandatory`	`String` This parameter contains the authentication status of the transaction
hash `mandatory`	`String` This parameter contains the calculated hash of the data that is posted to the merchant. For security purpose it is recommended to validate the hash value before consuming the response. The hash calculation logic is: `sha512(authenticationStatus\|bankData\|rawBankData\|referenceId\|salt)`

bankData JSON fields description

Field	Description	Applicable for EMV 3DS
cres `mandatory`	`String`This field contains the Base64 encoded value received from ACS as part of the authentication response.	Yes
referenceId `mandatory`	`String` This field is returned in case of decoupled flow. This field contains the reference id for the transaction
messageDigest `mandatory`	`String` This field is returned in case of decoupled flow. This field contains the MD value being returned by the bank.
pares `mandatory`	`String` This field is returned in case of decoupled flow. This field contains the pares being returned by the bank
additionalInfo `mandatory`	`String` This field is returned in case of decoupled flow. This field contains the data that is being used for the gateways that do not return pares.
authorizationUrl `mandatory`	`String` This integration document assumes that you have opt-ed out for the particular configuration. The authorization URL in legacy integrations are present basis the config at PayU. Please reach out to [email protected] to know more about.

Sample response

{ 
    "rawBankData" : ""  
    "referenceId":  "00c44a4c8306f9cbe5ecf6133afe08a7" 
    "bankData" : { 
    "referenceId": "00c44a4c8306f9cbe5ecf6133afe08a7", 
    "messageDigest": "c2e9e456037f033e5cc3d7b6e556189adf41eeabf706844dff70aac91f6b8e73bb1846286c8f99ea768cf38f7c12369c|523727493647950f32684bd6f1ab07aa6474016f", 
    "pares": "eNrVmdeS47i2pl+lo8+loje968jOCHojGtGLvKM3opHoyacfZmZVde06PWfOzMXEjCIUgkBiYRHAWv8H4s0phyzj7CyZh+z9TcvGMSqy36r0r99jFAfhGIT/gLE8/QNNM/IPEiGoP5CUgGEwAjGCSH9/f7vRVjZ+NvgsnTVLNoxV371D/wL/Bb8B3/+exoekjLrp/S1KXoysv6MkQhHYG/Dt71ubDTL3DkMwhZIgRoIIAoL4G/BV/Qb83f42f5TG0+GtSt9Dp5gMTkMMGzxCLtm1mik1zkV02PzrDfi44y2NpuwdBuHTNgj9BiF/IsSfyOnbZ/3b88Mc3fbzaRuCwDfg54q3c2SGrEv2dwQ7nfnx7y3bnn2XnXecdn6U34C/fXtG3Tv40wcFQeK0fda+Off3t6lqf/YJ/RMi/4ShN+Cz/m2comme34M34FvpLYmW5Z2maYYVTJqWzadhJqu+0t8/57N+3vKWJdU7eA7rx+9nK7op+qGayvbD1X+veAM+XAE+p+79za6K7uxsyH7b2qYb//q9nKbnnwCwruu/VuRf/VAA8PkgAEgB5w3pWBX/8ftXqyyVu7z/32rGRl3fVUnUVEc0nQtEy6ayT3/74ds/mXGsD0sQYPHsH6epPxII7f74qAERCDttAv9s9Kcn++/08quzwxj9MZYR9NHBL4be36wszz5WRPaba8l//f4f36OAq4psnP5Puvve1c8WvtvzombO3mc3DXRwZEp92R+80+1LH1P8RNQ4/9f3dl93vgE//Pvm/NdM/TQiXzc6RMf6GG04qXdxrxgV1PAQ4FJa38tkuNT", 
    "additionalInfo": 
    { 
        "authUdf1": "", 
        "authUdf2": "", 
        "authUdf3": "", 
        "authUdf4": "", 
        "authUdf5": "", 
        "authUdf6": "", 
        "authUdf7": "", 
        "authUdf8": "", 
        "authUdf9": "", 
        "authUdf10": "" 
    } 
}, 
    "authenticationStatus"  :  "success", 
    "hash" : "664b8ddd1b5b2d1b68abb7eee5ea6e001a02773499ddcd86956ba0833315e7d4e69c641d7b0b3e7590532e21e71936da173f4eda716fc09f83cd1117f0d0c37c"}

Step 3: Authorize (charge) the payment

The authorization request is the final step of transaction processing. This again needs to be an S2S call from the merchant's server to PayU server.

Request parameters

Post URL: The data to be posted has to be exactly the same as the JSON response received in the authentication response in Step 2. The data must include the following parameters.

Environment


Test	https://test.payu.in/AuthorizeTransaction.php
Production	https://secure.payu.in/AuthorizeTransaction.php

Parameter	Description
key `mandatory`	`String` The merchant key is provided by PayU and acts as a unique identifier for a specific merchant account in PayU's database.
txnid `mandatory`	`String` The transaction ID is the order reference number generated by the merchant to track a particular order. It can be used only once and PayU's system does not accept a duplicate Transaction ID.
amount `mandatory`	`String` It should contain the payment amount of the particular transaction. The amount must be greater than Rs. 8000 for the cardless EMI option.
hash `mandatory`	`String` It is used to avoid the possibility of transaction tampering. The hash must in the following structure: `valueOf(key)\| valueOf(txnid) \| valueOf(amount) \|valueOf(authentication_info) \| valueOf(salt)`
authentication_info `mandatory`	`JSON` The JSON value received in the bankData on the Term URL or pass the fields as in the JSON example.

Example for authentication_info JSON

{
   "referenceId": "00c44a4c8306f9cbe5ecf6133afe08a7",
   "cres": "eyJhY3NUcmFuc0lEIjoiODc3OTFjZWUtMjUxNC00MzZjLWJlZDgtYTYzYTg3YmJkZjAxIiwiY2hhbGxlbmdlQ29tcGxldGlvbkluZCI6IlkiLCJtZXNzYWdlVHlwZSI6IkNSZXMiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMS4wIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiJkNDFmNjIwMC0wNDM1LTQ5ZWUtYWExMS1mMzY2ZjA2NjFjNmYiLCJ0cmFuc1N0YXR1cyI6IlkifQ==",
   "messageDigest": "",
   "pares": "",
   "additionalInfo": {
      "authUdf1": "",
      "authUdf2": "",
      "authUdf3": "",
      "authUdf4": "",
      "authUdf5": "",
      "authUdf6": "",
      "authUdf7": "",
      "authUdf8": "",
      "authUdf9": "",
      "authUdf10": ""
   }
}

authentication_info JSON Fields Description

Field	Description	Applicable to EMV 3DS
cres	This field contains the Base 64 encoded value received from ACS as part of the authentication response	Yes
referenceId	This field contains the same referenceId which sent in response of the first call
additionalInfo	This field can be used in the case of schemes where different parameters may need from merchant side.
messageDigest	This field includes the Base 64 encoding of (sha56 hash of the JSON data (post to server).
pares	This parameter contains the pares being returned by the bank.

Step 4: Check the response from PayU

The response from PayU for Merchant Hosted and S2S integration is similar.

Hash validation logic for payment response (Reverse Hashing)

While sending the response, PayU takes the exact same parameters that were sent in the request (in reverse order) to calculate the hash and returns it to you. You must verify the hash and then mark a transaction as a success or failure. This is to make sure the transaction has not tampered within the response.

The order of the parameters is similar to the following code block:

sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)

Response parameters

The parameters in the response for similar for all S2S flows. For more information, refer to Additional Info for Payment APIs.

Sample response

The formatted JSON response is similar to the following:

{
   "metaData": {
      "message": "No Error",
      "referenceId": "b6035f64240b1862295bc571952cf984",
      "statusCode": "E000",
      "txnId": "payuTestTransaction2746829",
      "unmappedStatus": "success",
      "submitOtp": {
         "status": "success"
      }
   },
   "result": {
      "mihpayid": "15270336226",
      "mode": "CC",
      "status": "success",
      "key": "4wvMqy",
      "txnid": "payuTestTransaction2746829",
      "amount": "1.10",
      "addedon": "2022-06-01 17:39:29",
      "productinfo": "Product Info",
      "firstname": "Postman",
      "lastname": "",
      "address1": "",
      "address2": "",
      "city": "",
      "state": "",
      "country": "",
      "zipcode": "",
      "email": "[email protected]",
      "phone": "9988776655",
      "udf1": "",
      "udf2": "",
      "udf3": "",
      "udf4": "",
      "udf5": "",
      "udf6": "",
      "udf7": "",
      "udf8": "",
      "udf9": "",
      "udf10": "",
      "card_token": "",
      "card_no": "XXXXXXXXXXXX8006",
      "field0": "",
      "field1": "6540854745166970506094",
      "field2": "947167",
      "field3": "1.10",
      "field4": "15270336226",
      "field5": "100",
      "field6": "",
      "field7": "AUTHPOSITIVE",
      "field8": "",
      "field9": "Transaction is Successful",
      "payment_source": "payuPureS2SAuth",
      "PG_TYPE": "CC-PG",
      "error": "E000",
      "error_Message": "No Error",
      "cardToken": "",
      "net_amount_debit": "1.1",
      "discount": "0.00",
      "offer_key": "",
      "offer_availed": "",
      "unmappedstatus": "captured",
      "hash": "cdc409dfd15a842b8d15d6627d0027619882ed800773fa413cef491ae8ff2ef0cdfa654680ba4c8f3567313c6a6b00b94cb3bb5e16bad21d26be01216a69af41",
      "bank_ref_no": "6540854745166970506094",
      "bank_ref_num": "6540854745166970506094",
      "bankcode": "CC",
      "surl": "",
      "curl": "",
      "furl": "",
      "card_hash": "fdb59253e36daf8b3969525ae3799ccb4bb41993a5d2fcaf22737ec3ac8b90ab"
   }
}

Step 5. Verify the payment

Upon receiving the response, we recommend performing a reconciliation step to validate all transaction details.
You can verify your payments using either of the following methods:

Configure the webhooks to monitor the status of payments.
Webhooks enable a server to communicate with another server by sending an HTTP callback or message.
These callbacks are triggered by specific events or instances and operate at the server-to-server (S2S) level.

👉 For more details, refer to Webhooks for Payments.

Updated 15 days ago

Before you begin:

Notes:

Step 1: Initiate payment request with PayU

Hashing

Hashing Sample Code

Understanding response parameters:

Step 2: Redirect the customer

Notes:

bankData JSON fields description

Step 3: Authorize (charge) the payment

Environment

Example for authentication_info JSON

authentication_info JSON Fields Description

Step 4: Check the response from PayU

Hash validation logic for payment response (Reverse Hashing)

Step 5. Verify the payment

EXAMPLE QUESTIONS