Direct Authorization Integration
PayU enables merchants to process direct authorization for pre-authenticated transactions (external MPI/3DSS). This section describes how to integrate with PayU’s direct authorization flow.
Steps to Integrate
Before you begin:
Register for a account with PayU before you start integration. For more information, refer to Register for a Merchant Account.
Step 1: Post the parameters to PayU
Initiate an authorization request with the payment details provided post a successful authentication via the MPI/3DSS. For the request parameters, refer to Cards Direct Authorization Flow.
Environment
| Test Environment | https://test.payu.in/_payment |
| Production Environment | https://secure.payu.in/_payment |
Request parameters
| Parameter | Description | Example |
|---|---|---|
keymandatory | StringMerchant key provided by PayU during onboarding. | |
txnidmandatory | StringThe transaction ID is a reference number for a specific order that is generated by the merchant. | |
amount mandatory | StringThe payment amount for the transaction. | |
productinfo mandatory | StringA brief description of the product. | |
firstname mandatory | String The first name of the customer. | Ashish |
emailmandatory | StringThe email address of the customer. | |
phonemandatory | StringThe phone number of the customer. | |
pgmandatory | String The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value. | CC |
bankcode mandatory | String Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment option’s bank code value in it. For more information, refer to Card Type Codes and Supported Banks for Cards.. | AMEX |
ccnummandatory | String Use 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate with LUHN algorithm. Refer to Card Number Formats and display error message on invalid input. | 5123456789012346 |
ccname mandatory | String This parameter must contain the name on card – as entered by the customer for the transaction. | Ashish Kumar |
ccvvmandatory | String Use 3-digit CVV number for credit/debit cards and 4-digit security code (4DBC/CID) for AMEX cards. Validate with BIN API. | 123 |
ccexpmon mandatory | String This parameter must contain the card’s expiry month – as entered by the user for the transaction. It must always be in 2 digits or in MM format. For months 1-9, this parameter must be appended with 0 – like 01, 02…09. For months 10-12, this parameter must not be appended – It should be 10,11 and 12 respectively. | 10 |
ccexpyrmandatory | String This parameter must contain the card’s expiry year – as entered by the customer for the transaction. It must be of four digits. | 2021 |
furlmandatory | StringThe success URL, which is the page PayU will redirect to if the transaction is successful. | |
surlmandatory | StringThe Failure URL, which is the page PayU will redirect to if the transaction is failed. | |
hashmandatory | StringIt is the hash calculated by the merchant. The hash calculation logic is:sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT) | |
txn_s2s_flowmandatory | StringThis parameter must be passed with the value as 3 for Direct Authorization flow. | 3 |
authentication_infomandatory | JSONThis parameter contains the authentication information in a JSON format for direct authorization. For more information refer to authentication_info JSON Fields Description. | {"eci":"05","cavv":"AAABAWFlmQAAAABjRWWZEEFgFz","flowType":"Frictionless","threeDSServerTransID":"eea30d14-71cf-41af-b961-f95b7d67dc93","threeDSTransID":"67b4c71f-19bf-4d97-bd09-4e3687dc9e42","threeDSTransStatus":"Y","threeDSTransStatusReason":"01","acquirer_bin":"401200"}' |
threeDS2RequestDatamandatory | JSONThis parameter contains the threeDSVersion and deviceChannel fields in an array format. | {"threeDSVersion":"2.2.0","deviceChannel":"APP/BRW"} |
address1optional | String The first line of the billing address.For Fraud Detection: This information is helpful when it comes to issues related to fraud detection and chargebacks. Hence, it is must to provide the correct information. | |
address2optional | String The second line of the billing address. | |
cityoptional | String The city where your customer resides as part of the billing address. | |
stateoptional | String The state where your customer resides as part of the billing address, | |
countryoptional | String The country where your customer resides. | |
zipcodeoptional | String Billing address zip code is mandatory for the cardless EMI option.Character Limit-20 | |
udf1optional | String User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5. | |
udf2optional | String User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5. | |
udf3optional | String User-defined fields (udf) are used to store any information corresponding to a particular transaction. | |
udf4optional | String User-defined fields (udf) are used to store any information corresponding to a particular transaction. | |
udf5optional | String User-defined fields (udf) are used to store any information corresponding to a particular transaction. |
Hashing
You must hash the request parameters using the following hash logic:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)
For more information, refer to Generate Hash.
Sample request
curl -X \
POST "https://test.payu.in/_payment
-H \
"accept: application/json" -H \
"Content-Type: application/x-www-form-urlencoded" -d
"key=JP***g&txnid=ATGNMtNsHKgBQ4&amount=199.00&firstname=PayU User&[email protected]&phone=9876543210&productinfo=iPhone&pg=cc&bankcode=cc&surl=https://apiplayground-response.herokuapp.com/&furl=https://apiplayground-response.herokuapp.com/&ccnum=5123456789012346&ccexpmon=05&ccexpyr=2022&ccvv=123&ccname=&txn_s2s_flow=3&threeDS2RequestData:{ “threeDSVersion” : “2.2.0”, “deviceChannel” : “APP/BRW”}&authentication_info: { "eci": "05","cavv":"AAABAWFlmQAAAABjRWWZEEFgFz+=","flowType": "Frictionless", "threeDSTransID": "67b4c71f-19bf-4d97-bd09-4e3687dc9e42", "threeDSServerTransID": "eea30d14-71cf-41af-b961-f95b7d67dc93", "threeDSTransStatus": "Y","threeDSTransStatusReason": "01-99", "additionalinfo": { "authudf2": "1_1665637507_954_104_l73c004m_IAMRB" }, "acquirer_bin": "401200"}"&s2s_client_ip=83.191.88.168&s2s_device_info=221.6.48.86&hash=1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b
Collect the response in the Cards Direct Authorization Flow under API Reference. The response for the S2S payment request is not similar to Merchant Hosted or PayU Hosted Checkout. For description of response parameters and authentication_info JSON Fields Description, refer to Additional Info for Payment APIs.
Note:
This API is backward compatible and you can continue to the existing integration parameters to process the 3DS 1.0.2 transactions.
Step 2: Check response from PayU
PayU marks the transaction status based on the response received from the bank. PayU provides the final transaction response string to you through a post response. A hash generated by PayU also accompanies the post response.
Note:
Verify the authenticity of the hash value before accepting or rejecting the invoice order. For more information, refer to Generate Hash.
Response parameters description
The parameters in the response for similar for all S2S flows. For more information, refer to the Additional Info for Payment APIs.
Hash validation logic for payment response (Reverse Hashing)
While sending the response, PayU takes the exact same parameters that were sent in the request (in reverse order) to calculate the hash and returns it to you. You must verify the hash and then mark a transaction as a success or failure. This is to make sure the transaction has not tampered within the response.
The order of the parameters is similar to the following code block:
sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)
Sample response
The authorization response received through S2S call output is a base64 encoded string and similar to the following sample response:
e8KgwqAic3RhdHVzIjogInN1Y2Nlc3MiLMKgwqAicmVzdWx0Ijoge8KgwqDCoMKgIm1paHBheWlkIjogIjE2MzEzOTM5NTg0IizCoMKgwqDCoCJtb2RlIjogIkNDIizCoMKgwqDCoCJzdGF0dXMiOiAic3VjY2VzcyIswqDCoMKgwqAia2V5IjogIkpQTTdGZyIswqDCoMKgwqAidHhuaWQiOiAiVFA3QlE1NVZERjJNUFBHMiIswqDCoMKgwqAiYW1vdW50IjogIjE5OS4wMCIswqDCoMKgwqAiYWRkZWRvbiI6ICIyMDIyLTExLTMwIDE4OjEyOjMwIizCoMKgwqDCoCJwcm9kdWN0aW5mbyI6ICIwQWk4NzJwcHBybnJ4ZUExMWR5OXc3M2l5aGNtIizCoMKgwqDCoCJmaXJzdG5hbWUiOiAiMEFpODcycHBwcm5yeGVBMTFkeTl3NzNpeWhjbSIswqDCoMKgwqAibGFzdG5hbWUiOiAiIizCoMKgwqDCoCJhZGRyZXNzMSI6ICIiLMKgwqDCoMKgImFkZHJlc3MyIjogIiIswqDCoMKgwqAiY2l0eSI6ICIiLMKgwqDCoMKgInN0YXRlIjogIiIswqDCoMKgwqAiY291bnRyeSI6ICIiLMKgwqDCoMKgInppcGNvZGUiOiAiIizCoMKgwqDCoCJlbWFpbCI6ICJwbGFjZWhvbGRlckBlbWFpbC5jb20iLMKgwqDCoMKgInBob25lIjogIjExMTExMTExMTExIizCoMKgwqDCoCJ1ZGYxIjogIiIswqDCoMKgwqAidWRmMiI6ICI2Njg2MjA3OTYyNTE0NTM3IizCoMKgwqDCoCJ1ZGYzIjogIiIswqDCoMKgwqAidWRmNCI6ICIiLMKgwqDCoMKgInVkZjUiOiAiIizCoMKgwqDCoCJ1ZGY2IjogIiIswqDCoMKgwqAidWRmNyI6ICIiLMKgwqDCoMKgInVkZjgiOiAiIizCoMKgwqDCoCJ1ZGY5IjogIiIswqDCoMKgwqAidWRmMTAiOiAiIizCoMKgwqDCoCJjYXJkX3Rva2VuIjogIiIswqDCoMKgwqAiY2FyZF9ubyI6ICJYWFhYWFhYWFhYWFgxMDA1IizCoMKgwqDCoCJmaWVsZDAiOiAiIizCoMKgwqDCoCJmaWVsZDEiOiAiIizCoMKgwqDCoCJmaWVsZDIiOiAiMjA0MTQ1IizCoMKgwqDCoCJmaWVsZDMiOiAiIizCoMKgwqDCoCJmaWVsZDQiOiAiIizCoMKgwqDCoCJmaWVsZDUiOiAiIizCoMKgwqDCoCJmaWVsZDYiOiAiMDAwIizCoMKgwqDCoCJmaWVsZDciOiAiQVVUSFBPU0lUSVZFIizCoMKgwqDCoCJmaWVsZDgiOiAiQVBQUk9WRUQiLMKgwqDCoMKgImZpZWxkOSI6ICJUcmFuc2FjdGlvbiBpcyBTdWNjZXNzZnVsIizCoMKgwqDCoCJwYXltZW50X3NvdXJjZSI6ICJkaXJBdXRoUzJTIizCoMKgwqDCoCJQR19UWVBFIjogIkNDLVBHIizCoMKgwqDCoCJlcnJvciI6ICJFMDAwIizCoMKgwqDCoCJlcnJvcl9NZXNzYWdlIjogIk5vIEVycm9yIizCoMKgwqDCoCJjYXJkVG9rZW4iOiAiIizCoMKgwqDCoCJuZXRfYW1vdW50X2RlYml0IjogIjE5OSIswqDCoMKgwqAiZGlzY291bnQiOiAiMC4wMCIswqDCoMKgwqAib2ZmZXJfa2V5IjogIiIswqDCoMKgwqAib2ZmZXJfYXZhaWxlZCI6ICIiLMKgwqDCoMKgInVubWFwcGVkc3RhdHVzIjogImNhcHR1cmVkIizCoMKgwqDCoCJoYXNoIjogIjNmOGZjZGQ2NzY0MmI0NDJkYjA0MjAxYzFmNTNmYmU2ZTdjMjQ5MTE1ZmQ3MThkN2NjZjU4Yjc4ZmVhOTAzOWJmYWFmYWYxYzMyZmZhNDM4NjVkOTVhODVhMDgzMjk1YzgyODZiMGFmNDc2Y2M1ZmE5OGJjNTEyNDQ2MjlhOWQyIizCoMKgwqDCoCJiYW5rX3JlZl9ubyI6ICIyMjExMzAxMjcwNTUiLMKgwqDCoMKgImJhbmtfcmVmX251bSI6ICIyMjExMzAxMjcwNTUiLMKgwqDCoMKgImJhbmtjb2RlIjogIkFNRVgiLMKgwqDCoMKgInN1cmwiOiAiaHR0cHM6Ly90ZXN0LnBheXUuY29tLyIswqDCoMKgwqAiY3VybCI6ICJodHRwczovL3Rlc3QucGF5dS5jb20vIizCoMKgwqDCoCJmdXJsIjogImh0dHBzOi8vdGVzdC5wYXl1LmNvbS8iLMKgwqDCoMKgImNhcmRfaGFzaCI6ICJmZmI0NTZiMmRhYTExM2YzNzc0ZTI3ODFmMWRhYmZhZjk3YTY4ZDgxMThhOTY4ZTJiMjBmZDc5OTY3ZDdmOWJhIsKgwqB9Cn0=
The formatted response is similar to the following:
{
"status": "success",
"result": {
"mihpayid": "16313939584",
"mode": "CC",
"status": "success",
"key": "JPM7Fg",
"txnid": "TP7BQ55VDF2MPPG2",
"amount": "199.00",
"addedon": "2022-11-30 18:12:30",
"productinfo": "0Ai872ppprnrxeA11dy9w73iyhcm",
"firstname": "0Ai872ppprnrxeA11dy9w73iyhcm",
"lastname": "",
"address1": "",
"address2": "",
"city": "",
"state": "",
"country": "",
"zipcode": "",
"email": "[email protected]",
"phone": "11111111111",
"udf1": "",
"udf2": "6686207962514537",
"udf3": "",
"udf4": "",
"udf5": "",
"udf6": "",
"udf7": "",
"udf8": "",
"udf9": "",
"udf10": "",
"card_token": "",
"card_no": "XXXXXXXXXXXX2346",
"field0": "",
"field1": "",
"field2": "204145",
"field3": "",
"field4": "",
"field5": "",
"field6": "000",
"field7": "AUTHPOSITIVE",
"field8": "APPROVED",
"field9": "Transaction is Successful",
"payment_source": "dirAuthS2S",
"PG_TYPE": "CC-PG",
"error": "E000",
"error_Message": "No Error",
"cardToken": "",
"net_amount_debit": "199",
"discount": "0.00",
"offer_key": "",
"offer_availed": "",
"unmappedstatus": "captured",
"hash": "3f8fcdd67642b442db04201c1f53fbe6e7c249115fd718d7ccf58b78fea9039bfaafaf1c32ffa43865d95a85a083295c8286b0af476cc5fa98bc51244629a9d2",
"bank_ref_no": "221130127055",
"bank_ref_num": "221130127055",
"bankcode": "AMEX",
"surl": "https://test.payu.com/",
"curl": "https://test.payu.com/",
"furl": "https://test.payu.com/",
"card_hash": "ffb456b2daa113f3774e2781f1dabfaf97a68d8118a968e2b20fd79967d7f9ba"
}
}
3DS Secure 2.0 Transaction
Request Parameter for 3DS Secure 2.0 Transaction
Along with the parameters mentioned in Step 1, you must include the threeDS2RequestData parameter in the following JSON format for 3DS Secure 2.0 support for cards:
{
browserInfo": {
"userAgent": "Mozilla\/5.0 (X11 Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/93.0.4577.0 Safari\/537.36",
"acceptHeader": "*\/*",
"language": "en-US",
"colorDepth": "24",
"screenHeight": "600",
"screenWidth": "800",
"timeZone": "-300",
"javaEnabled": true,
"ip": "10.248.2.71"
}
}
3DS Secure 2.0 browserDetails JSON Fields Description
| Field | Description | Example |
|---|---|---|
| userAgent | This field must include user agent of the device browser. | |
| acceptHeader | This field contains the format of the header. | application/json |
| language | This field contains the language for the 3D Secure Challenge. | en-US |
| colorDepth | This field contains the color depth of the screen. | 24 |
| screenHeight | This field contains the screen height of the device displaying the 3D Secure Challenge. | 640 |
| screenWidth | This field contains the screen width of the device displaying the 3D Secure Challenge. | 480 |
| javaEnabled | This field contains whether Java is enabled for the device. It can be any of the following: | true |
| timeZone | This field contains the time zone code where the payment is accepted. | 273 |
| ip | This should include the IP address of the device from which the browser is accessed. | 10.248.2.71 |
Sample cURL Request with 3DS Secure 2.0
The sample cURL request with 3DS Secure 2.0:
curl --location 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: PHPSESSID=nbn8otc350bsv6u5fqvhcbo73b; PHPSESSID=63a0499eaf13e' \
--data-urlencode 'key=JF****g' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode '[email protected]' \
--data-urlencode 'amount=10' \
--data-urlencode 'phone= 9876543210' \
--data-urlencode 'productinfo=Product_info' \
--data-urlencode 'surl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'furl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'lastname=Test' \
--data-urlencode 'ccname=Test User' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=06' \
--data-urlencode 'ccexpyr=2024' \
--data-urlencode 'txnid=jYhbOYH9o4' \
--data-urlencode 'hash=e5b286a9c8545038de9d4e4ee4d8a2fd02e821015aff7e0323807ba174997d8643f9aa174981385e3e4dfe60b918650806ccb97b3e8e3471e1985ecadefd0184' \
--data-urlencode 'ccnum=4012000000002004' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 'threeDS2RequestData={
"browserInfo": {
"userAgent": "Mozilla\/5.0 (X11 Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/93.0.4577.0 Safari\/537.36",
"acceptHeader": "*\/*",
"language": "en-US",
"colorDepth": "24",
"screenHeight": "600",
"screenWidth": "800",
"timeZone": "-300",
"javaEnabled": true,
"ip": "10.248.2.71"
}
}'
Updated about 1 month ago