Direct Authorization Integration
PayU enables merchants to process direct authorization for pre-authenticated transactions (external MPI/3DSS). This section describes how to integrate with PayU’s direct authorization flow.
This part of the document also includes how to integrate using 3DS Secure 2.0 Transaction. For more information, refer to 3DS Secure 2.0 Transaction.
Steps to integrate
Before you begin:Register for an account with PayU before you start integration. For more information, refer to Register for a Merchant Account.
Step 1: Post the parameters to PayU
Initiate an authorization request with the payment details provided post a successful authentication via the MPI/3DSS. For the request parameters, refer to Cards Direct Authorization Flow .
Environment
| Test Environment | https://test.payu.in/_payment |
| Production Environment | https://secure.payu.in/_payment |
Reference: To capture the transaction for Pre-Authorize (Auth and Capture) Payments, you can include pre_authorize parameter along with the following _payment API request parameters and then call theCapture Transaction API. For more information on Pre-Authorize Payments with Cards , refer to Pre-Authorize Payments > Credit Card.
Request Parameter
<th style={{ textAlign: "left" }}>
Description
</th>
<th style={{ textAlign: "left" }}>
Example
</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{ textAlign: "left" }}>
key<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` Merchant key provided by PayU during onboarding.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
txnid<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The transaction ID is a reference number for a specific order that is generated by the merchant.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
amount<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The payment amount for the transaction.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
productinfo <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` A brief description of the product.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
firstname <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The first name of the customer.
</td>
<td style={{ textAlign: "left" }}>
Ashish
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
email<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The email address of the customer.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
phone<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The phone number of the customer.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
pg<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value.
</td>
<td style={{ textAlign: "left" }}>
CC
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
bankcode <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment option's bank code value in it.
</td>
<td style={{ textAlign: "left" }}>
AMEX
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
ccnum<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` Use 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate with LUHN algorithm.
</td>
<td style={{ textAlign: "left" }}>
5123456789012346
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
ccname <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` This parameter must contain the name on card – as entered by the customer for the transaction.
</td>
<td style={{ textAlign: "left" }}>
Ashish Kumar
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
ccvv<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` Use 3-digit CVV number for credit/debit cards and 4-digit security code (4DBC/CID) for AMEX cards. Validate with BIN API.
</td>
<td style={{ textAlign: "left" }}>
123
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
ccexpmon <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` This parameter must contain the card's expiry month – as entered by the user for the transaction. It must always be in 2 digits or in MM format.
</td>
<td style={{ textAlign: "left" }}>
10
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
ccexpyr <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` This parameter must contain the card's expiry year – as entered by the customer for the transaction. It must be of four digits.
</td>
<td style={{ textAlign: "left" }}>
2021
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
furl<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The success URL, which is the page PayU will redirect to if the transaction is successful.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
surl<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` The failure URL, which is the page PayU will redirect to if the transaction is failed.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
hash<br />
`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` It is the hash calculated by the merchant. The hash calculation logic is:
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
txn\_s2s\_flow <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`String` This parameter must be passed with the value as **3** for Direct Authorization flow.
</td>
<td style={{ textAlign: "left" }}>
3
</td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
authentication\_info <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`JSON` This parameter contains the authentication information in a JSON format for direct authorization. For more information, refer to [authentication\_info JSON object](#authentication_info-json-object)
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
threeDS2RequestData <br />`mandatory`
</td>
<td style={{ textAlign: "left" }}>
`JSON` This parameter contains the threeDSVersion and deviceChannel fields in an array format.
For example:
\{"threeDSVersion":"2.2.0","deviceChannel":"APP/BRW"}
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
address1<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` The first line of the billing address. \* For Fraud Detection: This information is helpful when it comes to issues related to fraud detection and chargebacks. Hence, it is must to provide the correct information.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
address2 <br />`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` The second line of the billing address.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
city<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` The city where your customer resides as part of the billing address.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
state<br /> ` optional`
</td>
<td style={{ textAlign: "left" }}>
`String` The state where your customer resides as part of the billing address,
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
country<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` The country where your customer resides.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
zipcode<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` Billing address zip code is mandatory for the cardless EMI option.
Character Limit -20
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
udf1<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
udf2<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
udf3<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
udf4<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
<tr>
<td style={{ textAlign: "left" }}>
udf5<br />
`optional`
</td>
<td style={{ textAlign: "left" }}>
`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.
</td>
<td style={{ textAlign: "left" }}></td>
</tr>
</tbody>Understanding Hashing and sample code
Hashing
You must hash the request parameters using the following hash logic:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)For more information, refer to Generate Hash.
Hashing Sample Code
<?php
function generateHash($params, $salt) {
// Extract parameters or use empty string if not provided
$key = $params['key'];
$txnid = $params['txnid'];
$amount = $params['amount'];
$productinfo = $params['productinfo'];
$firstname = $params['firstname'];
$email = $params['email'];
$udf1 = isset($params['udf1']) ? $params['udf1'] : '';
$udf2 = isset($params['udf2']) ? $params['udf2'] : '';
$udf3 = isset($params['udf3']) ? $params['udf3'] : '';
$udf4 = isset($params['udf4']) ? $params['udf4'] : '';
$udf5 = isset($params['udf5']) ? $params['udf5'] : '';
// Construct hash string with exact parameter sequence
$hashString = $key . '|' . $txnid . '|' . $amount . '|' . $productinfo . '|' .
$firstname . '|' . $email . '|' . $udf1 . '|' . $udf2 . '|' .
$udf3 . '|' . $udf4 . '|' . $udf5 . '||||||' . $salt;
// Generate hash and convert to lowercase
return strtolower(hash('sha512', $hashString));
}
// Example usage
$params = [
'key' => 'yourKey',
'txnid' => 'yourTxnId',
'amount' => 'yourAmount',
'productinfo' => 'yourProductInfo',
'firstname' => 'yourFirstName',
'email' => 'yourEmail',
'udf1' => 'optional_value1'
// udf2, udf3, udf4, udf5 not provided - will be empty strings
];
$salt = 'yourSalt';
$hash = generateHash($params, $salt);
echo 'Generated Hash: ' . $hash;
?>
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
public class ImprovedHashGenerator {
public static String generateHash(Map<String, String> params, String salt) {
// Extract parameters or use empty string if not provided
String key = params.get("key");
String txnid = params.get("txnid");
String amount = params.get("amount");
String productinfo = params.get("productinfo");
String firstname = params.get("firstname");
String email = params.get("email");
String udf1 = params.getOrDefault("udf1", "");
String udf2 = params.getOrDefault("udf2", "");
String udf3 = params.getOrDefault("udf3", "");
String udf4 = params.getOrDefault("udf4", "");
String udf5 = params.getOrDefault("udf5", "");
// Construct hash string with exact parameter sequence
String hashString = key + "|" + txnid + "|" + amount + "|" + productinfo + "|" +
firstname + "|" + email + "|" + udf1 + "|" + udf2 + "|" +
udf3 + "|" + udf4 + "|" + udf5 + "||||||" + salt;
return sha512(hashString);
}
private static String sha512(String input) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] hashBytes = md.digest(input.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (byte b : hashBytes) {
sb.append(String.format("%02x", b));
}
return sb.toString().toLowerCase();
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
public static void main(String[] args) {
// Example usage with parameters map
Map<String, String> params = new HashMap<>();
params.put("key", "yourKey");
params.put("txnid", "yourTxnId");
params.put("amount", "yourAmount");
params.put("productinfo", "yourProductInfo");
params.put("firstname", "yourFirstName");
params.put("email", "yourEmail");
params.put("udf1", "optional_value1");
// udf2, udf3, udf4, udf5 not provided - will be empty strings
String salt = "yourSalt";
String hash = generateHash(params, salt);
System.out.println("Generated Hash: " + hash);
}
}
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
public class ImprovedHashGenerator
{
public static string GenerateHash(Dictionary<string, string> parameters, string salt)
{
// Extract parameters or use empty string if not provided
string key = parameters["key"];
string txnid = parameters["txnid"];
string amount = parameters["amount"];
string productinfo = parameters["productinfo"];
string firstname = parameters["firstname"];
string email = parameters["email"];
// Get UDF values if present, otherwise use empty string
string udf1 = parameters.ContainsKey("udf1") ? parameters["udf1"] : "";
string udf2 = parameters.ContainsKey("udf2") ? parameters["udf2"] : "";
string udf3 = parameters.ContainsKey("udf3") ? parameters["udf3"] : "";
string udf4 = parameters.ContainsKey("udf4") ? parameters["udf4"] : "";
string udf5 = parameters.ContainsKey("udf5") ? parameters["udf5"] : "";
// Construct hash string with exact parameter sequence
string hashString = $"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}";
return Sha512(hashString);
}
private static string Sha512(string input)
{
using (SHA512 sha512 = SHA512.Create())
{
byte[] bytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(input));
StringBuilder sb = new StringBuilder();
foreach (byte b in bytes)
{
sb.Append(b.ToString("x2"));
}
return sb.ToString().ToLower();
}
}
public static void Main(string[] args)
{
// Example usage with parameters dictionary
Dictionary<string, string> parameters = new Dictionary<string, string>
{
["key"] = "yourKey",
["txnid"] = "yourTxnId",
["amount"] = "yourAmount",
["productinfo"] = "yourProductInfo",
["firstname"] = "yourFirstName",
["email"] = "yourEmail",
["udf1"] = "optional_value1"
// udf2, udf3, udf4, udf5 not provided - will be empty strings
};
string salt = "yourSalt";
string hash = GenerateHash(parameters, salt);
Console.WriteLine("Generated Hash: " + hash);
}
}import hashlib
def generate_hash(params, salt):
# Extract parameters or use empty string if not provided
key = params['key']
txnid = params['txnid']
amount = params['amount']
productinfo = params['productinfo']
firstname = params['firstname']
email = params['email']
udf1 = params.get('udf1', '')
udf2 = params.get('udf2', '')
udf3 = params.get('udf3', '')
udf4 = params.get('udf4', '')
udf5 = params.get('udf5', '')
# Construct hash string with exact parameter sequence
hash_string = f"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}"
# Generate SHA-512 hash
return hashlib.sha512(hash_string.encode('utf-8')).hexdigest()
# Example usage
params = {
'key': 'yourKey',
'txnid': 'yourTxnId',
'amount': 'yourAmount',
'productinfo': 'yourProductInfo',
'firstname': 'yourFirstName',
'email': 'yourEmail',
'udf1': 'optional_value1'
# udf2, udf3, udf4, udf5 not provided - will default to empty strings
}
salt = 'yourSalt'
hash_value = generate_hash(params, salt)
print("Generated Hash:", hash_value)
const crypto = require('crypto');
function generateHash(params, salt) {
// Extract parameters or use empty string if not provided
const key = params.key;
const txnid = params.txnid;
const amount = params.amount;
const productinfo = params.productinfo;
const firstname = params.firstname;
const email = params.email;
const udf1 = params.udf1 || '';
const udf2 = params.udf2 || '';
const udf3 = params.udf3 || '';
const udf4 = params.udf4 || '';
const udf5 = params.udf5 || '';
// Construct hash string with exact parameter sequence
const hashString = `${key}|${txnid}|${amount}|${productinfo}|${firstname}|${email}|${udf1}|${udf2}|${udf3}|${udf4}|${udf5}||||||${salt}`;
// Generate SHA-512 hash
return crypto.createHash('sha512').update(hashString).digest('hex');
}
// Example usage
const params = {
key: 'yourKey',
txnid: 'yourTxnId',
amount: 'yourAmount',
productinfo: 'yourProductInfo',
firstname: 'yourFirstName',
email: 'yourEmail',
udf1: 'optional_value1'
// udf2, udf3, udf4, udf5 not provided - will default to empty strings
};
const salt = 'yourSalt';
const hash = generateHash(params, salt);
console.log("Generated Hash:", hash);
authentication_info JSON object
Example
`{"eci":"05","cavv":"AAABAWFlmQAAAABjRWWZEEFgFz","flowType":"Frictionless","threeDSServerTransID":"eea30d14-71cf-41af-b961-f95b7d67dc93","threeDSTransID":"67b4c71f-19bf-4d97-bd09-4e3687dc9e42","threeDSTransStatus":"Y","threeDSTransStatusReason":"01","acquirer_bin":"401200"}`Sample request
curl -X POST "https://test.payu.in/_payment" \
-H "accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "key=JP***g&txnid=ATGNMtNsHKgBQ4&amount=199.00&firstname=PayU User&[email protected]&phone=9876543210&productinfo=iPhone&pg=cc&bankcode=cc&surl=https://apiplayground-response.herokuapp.com/&furl=https://apiplayground-response.herokuapp.com/&ccnum=5123456789012346&ccexpmon=05&ccexpyr=2022&ccvv=123&ccname=&txn_s2s_flow=3&threeDS2RequestData={\"threeDSVersion\":\"2.2.0\",\"deviceChannel\":\"APP/BRW\"}&authentication_info={\"eci\":\"05\",\"cavv\":\"AAABAWFlmQAAAABjRWWZEEFgFz+=\",\"flowType\":\"Frictionless\",\"threeDSTransID\":\"67b4c71f-19bf-4d97-bd09-4e3687dc9e42\",\"threeDSServerTransID\":\"eea30d14-71cf-41af-b961-f95b7d67dc93\",\"threeDSTransStatus\":\"Y\",\"threeDSTransStatusReason\":\"01-99\",\"additionalinfo\":{\"authudf2\":\"1_1665637507_954_104_l73c004m_IAMRB\"},\"acquirer_bin\":\"401200\"}&s2s_client_ip=83.191.88.168&s2s_device_info=221.6.48.86&hash=1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b"import requests
import json
url = "https://test.payu.in/_payment"
headers = {
"accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
}
# 3DS2 Request Data
three_ds2_request_data = {
"threeDSVersion": "2.2.0",
"deviceChannel": "APP/BRW"
}
# Authentication Info
authentication_info = {
"eci": "05",
"cavv": "AAABAWFlmQAAAABjRWWZEEFgFz+=",
"flowType": "Frictionless",
"threeDSTransID": "67b4c71f-19bf-4d97-bd09-4e3687dc9e42",
"threeDSServerTransID": "eea30d14-71cf-41af-b961-f95b7d67dc93",
"threeDSTransStatus": "Y",
"threeDSTransStatusReason": "01-99",
"additionalinfo": {
"authudf2": "1_1665637507_954_104_l73c004m_IAMRB"
},
"acquirer_bin": "401200"
}
data = {
"key": "JP***g",
"txnid": "ATGNMtNsHKgBQ4",
"amount": "199.00",
"firstname": "PayU User",
"email": "[email protected]",
"phone": "9876543210",
"productinfo": "iPhone",
"pg": "cc",
"bankcode": "cc",
"surl": "https://apiplayground-response.herokuapp.com/",
"furl": "https://apiplayground-response.herokuapp.com/",
"ccnum": "5123456789012346",
"ccexpmon": "05",
"ccexpyr": "2022",
"ccvv": "123",
"ccname": "",
"txn_s2s_flow": "3",
"threeDS2RequestData": json.dumps(three_ds2_request_data),
"authentication_info": json.dumps(authentication_info),
"s2s_client_ip": "83.191.88.168",
"s2s_device_info": "221.6.48.86",
"hash": "1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b"
}
response = requests.post(url, headers=headers, data=data)
print("Status Code:", response.status_code)
print("Response:", response.text)import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
public class PayU3DS2Payment {
public static void main(String[] args) throws IOException, InterruptedException {
String url = "https://test.payu.in/_payment";
// 3DS2 Request Data JSON
String threeDS2RequestData = "{\"threeDSVersion\":\"2.2.0\",\"deviceChannel\":\"APP/BRW\"}";
// Authentication Info JSON
String authenticationInfo = "{\"eci\":\"05\",\"cavv\":\"AAABAWFlmQAAAABjRWWZEEFgFz+=\",\"flowType\":\"Frictionless\",\"threeDSTransID\":\"67b4c71f-19bf-4d97-bd09-4e3687dc9e42\",\"threeDSServerTransID\":\"eea30d14-71cf-41af-b961-f95b7d67dc93\",\"threeDSTransStatus\":\"Y\",\"threeDSTransStatusReason\":\"01-99\",\"additionalinfo\":{\"authudf2\":\"1_1665637507_954_104_l73c004m_IAMRB\"},\"acquirer_bin\":\"401200\"}";
Map<String, String> formData = new LinkedHashMap<>();
formData.put("key", "JP***g");
formData.put("txnid", "ATGNMtNsHKgBQ4");
formData.put("amount", "199.00");
formData.put("firstname", "PayU User");
formData.put("email", "[email protected]");
formData.put("phone", "9876543210");
formData.put("productinfo", "iPhone");
formData.put("pg", "cc");
formData.put("bankcode", "cc");
formData.put("surl", "https://apiplayground-response.herokuapp.com/");
formData.put("furl", "https://apiplayground-response.herokuapp.com/");
formData.put("ccnum", "5123456789012346");
formData.put("ccexpmon", "05");
formData.put("ccexpyr", "2022");
formData.put("ccvv", "123");
formData.put("ccname", "");
formData.put("txn_s2s_flow", "3");
formData.put("threeDS2RequestData", threeDS2RequestData);
formData.put("authentication_info", authenticationInfo);
formData.put("s2s_client_ip", "83.191.88.168");
formData.put("s2s_device_info", "221.6.48.86");
formData.put("hash", "1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b");
String formBody = formData.entrySet()
.stream()
.map(entry -> URLEncoder.encode(entry.getKey(), StandardCharsets.UTF_8) + "=" +
URLEncoder.encode(entry.getValue(), StandardCharsets.UTF_8))
.collect(Collectors.joining("&"));
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("accept", "application/json")
.header("Content-Type", "application/x-www-form-urlencoded")
.POST(HttpRequest.BodyPublishers.ofString(formBody))
.build();
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println("Status Code: " + response.statusCode());
System.out.println("Response: " + response.body());
}
}<?php
$url = "https://test.payu.in/_payment";
// 3DS2 Request Data
$threeDS2RequestData = json_encode([
"threeDSVersion" => "2.2.0",
"deviceChannel" => "APP/BRW"
]);
// Authentication Info
$authenticationInfo = json_encode([
"eci" => "05",
"cavv" => "AAABAWFlmQAAAABjRWWZEEFgFz+=",
"flowType" => "Frictionless",
"threeDSTransID" => "67b4c71f-19bf-4d97-bd09-4e3687dc9e42",
"threeDSServerTransID" => "eea30d14-71cf-41af-b961-f95b7d67dc93",
"threeDSTransStatus" => "Y",
"threeDSTransStatusReason" => "01-99",
"additionalinfo" => [
"authudf2" => "1_1665637507_954_104_l73c004m_IAMRB"
],
"acquirer_bin" => "401200"
]);
$data = array(
'key' => 'JP***g',
'txnid' => 'ATGNMtNsHKgBQ4',
'amount' => '199.00',
'firstname' => 'PayU User',
'email' => '[email protected]',
'phone' => '9876543210',
'productinfo' => 'iPhone',
'pg' => 'cc',
'bankcode' => 'cc',
'surl' => 'https://apiplayground-response.herokuapp.com/',
'furl' => 'https://apiplayground-response.herokuapp.com/',
'ccnum' => '5123456789012346',
'ccexpmon' => '05',
'ccexpyr' => '2022',
'ccvv' => '123',
'ccname' => '',
'txn_s2s_flow' => '3',
'threeDS2RequestData' => $threeDS2RequestData,
'authentication_info' => $authenticationInfo,
's2s_client_ip' => '83.191.88.168',
's2s_device_info' => '221.6.48.86',
'hash' => '1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'accept: application/json',
'Content-Type: application/x-www-form-urlencoded'
));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
if ($error) {
echo "cURL Error: " . $error . "\n";
} else {
echo "Status Code: " . $httpCode . "\n";
echo "Response: " . $response . "\n";
}
?>#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use JSON;
my $url = "https://test.payu.in/_payment";
my $ua = LWP::UserAgent->new;
$ua->timeout(30);
# 3DS2 Request Data
my $threeDS2RequestData = encode_json({
threeDSVersion => "2.2.0",
deviceChannel => "APP/BRW"
});
# Authentication Info
my $authenticationInfo = encode_json({
eci => "05",
cavv => "AAABAWFlmQAAAABjRWWZEEFgFz+=",
flowType => "Frictionless",
threeDSTransID => "67b4c71f-19bf-4d97-bd09-4e3687dc9e42",
threeDSServerTransID => "eea30d14-71cf-41af-b961-f95b7d67dc93",
threeDSTransStatus => "Y",
threeDSTransStatusReason => "01-99",
additionalinfo => {
authudf2 => "1_1665637507_954_104_l73c004m_IAMRB"
},
acquirer_bin => "401200"
});
my %data = (
'key' => 'JP***g',
'txnid' => 'ATGNMtNsHKgBQ4',
'amount' => '199.00',
'firstname' => 'PayU User',
'email' => '[email protected]',
'phone' => '9876543210',
'productinfo' => 'iPhone',
'pg' => 'cc',
'bankcode' => 'cc',
'surl' => 'https://apiplayground-response.herokuapp.com/',
'furl' => 'https://apiplayground-response.herokuapp.com/',
'ccnum' => '5123456789012346',
'ccexpmon' => '05',
'ccexpyr' => '2022',
'ccvv' => '123',
'ccname' => '',
'txn_s2s_flow' => '3',
'threeDS2RequestData' => $threeDS2RequestData,
'authentication_info' => $authenticationInfo,
's2s_client_ip' => '83.191.88.168',
's2s_device_info' => '221.6.48.86',
'hash' => '1447162a8519a8cbaf8726fdff99487cbac7743595cf355a27fac4a2b42a576e5f23d21ebf59b50004714f7b6b4775e34355ce6acad86f60e2c7369b5df4c55b'
);
my $response = $ua->request(POST $url,
Content_Type => 'application/x-www-form-urlencoded',
Accept => 'application/json',
Content => [%data]
);
if ($response->is_success) {
print "Status Code: " . $response->code . "\n";
print "Response: " . $response->decoded_content . "\n";
} else {
print "Error: " . $response->status_line . "\n";
print "Response: " . $response->decoded_content . "\n";
}Collect the response in the Cards Direct Authorization Flow under API Reference. The response for the S2S payment request is not similar to Merchant Hosted or PayU Hosted Checkout. For description of response parameters and authentication_info JSON Fields Description, refer to Additional Info for Payment APIs.
Note: This API is backward compatible and you can continue to the existing integration parameters to process the 3DS 1.0.2 transactions.
Step 2: Check response from PayU
PayU marks the transaction status based on the response received from the bank. PayU provides the final transaction response string to you through a post response. A hash generated by PayU also accompanies the post response.
Note: Verify the authenticity of the hash value before accepting or rejecting the invoice order. For more information, refer to Generate Hash.
Response parameters description
The parameters in the response for similar for all S2S flows. For more information, refer to the Additional Info for Payment APIs.
Hash validation logic for payment response (Reverse Hashing)
While sending the response, PayU takes the exact same parameters that were sent in the request (in reverse order) to calculate the hash and returns it to you. You must verify the hash and then mark a transaction as a success or failure. This is to make sure the transaction has not tampered within the response.
The order of the parameters is similar to the following code block:
sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)Sample response
The authorization response received through S2S call output is a base64 encoded string and similar to the following sample response:
e8KgwqAic3RhdHVzIjogInN1Y2Nlc3MiLMKgwqAicmVzdWx0Ijoge8KgwqDCoMKgIm1paHBheWlkIjogIjE2MzEzOTM5NTg0IizCoMKgwqDCoCJtb2RlIjogIkNDIizCoMKgwqDCoCJzdGF0dXMiOiAic3VjY2VzcyIswqDCoMKgwqAia2V5IjogIkpQTTdGZyIswqDCoMKgwqAidHhuaWQiOiAiVFA3QlE1NVZERjJNUFBHMiIswqDCoMKgwqAiYW1vdW50IjogIjE5OS4wMCIswqDCoMKgwqAiYWRkZWRvbiI6ICIyMDIyLTExLTMwIDE4OjEyOjMwIizCoMKgwqDCoCJwcm9kdWN0aW5mbyI6ICIwQWk4NzJwcHBybnJ4ZUExMWR5OXc3M2l5aGNtIizCoMKgwqDCoCJmaXJzdG5hbWUiOiAiMEFpODcycHBwcm5yeGVBMTFkeTl3NzNpeWhjbSIswqDCoMKgwqAibGFzdG5hbWUiOiAiIizCoMKgwqDCoCJhZGRyZXNzMSI6ICIiLMKgwqDCoMKgImFkZHJlc3MyIjogIiIswqDCoMKgwqAiY2l0eSI6ICIiLMKgwqDCoMKgInN0YXRlIjogIiIswqDCoMKgwqAiY291bnRyeSI6ICIiLMKgwqDCoMKgInppcGNvZGUiOiAiIizCoMKgwqDCoCJlbWFpbCI6ICJwbGFjZWhvbGRlckBlbWFpbC5jb20iLMKgwqDCoMKgInBob25lIjogIjExMTExMTExMTExIizCoMKgwqDCoCJ1ZGYxIjogIiIswqDCoMKgwqAidWRmMiI6ICI2Njg2MjA3OTYyNTE0NTM3IizCoMKgwqDCoCJ1ZGYzIjogIiIswqDCoMKgwqAidWRmNCI6ICIiLMKgwqDCoMKgInVkZjUiOiAiIizCoMKgwqDCoCJ1ZGY2IjogIiIswqDCoMKgwqAidWRmNyI6ICIiLMKgwqDCoMKgInVkZjgiOiAiIizCoMKgwqDCoCJ1ZGY5IjogIiIswqDCoMKgwqAidWRmMTAiOiAiIizCoMKgwqDCoCJjYXJkX3Rva2VuIjogIiIswqDCoMKgwqAiY2FyZF9ubyI6ICJYWFhYWFhYWFhYWFgxMDA1IizCoMKgwqDCoCJmaWVsZDAiOiAiIizCoMKgwqDCoCJmaWVsZDEiOiAiIizCoMKgwqDCoCJmaWVsZDIiOiAiMjA0MTQ1IizCoMKgwqDCoCJmaWVsZDMiOiAiIizCoMKgwqDCoCJmaWVsZDQiOiAiIizCoMKgwqDCoCJmaWVsZDUiOiAiIizCoMKgwqDCoCJmaWVsZDYiOiAiMDAwIizCoMKgwqDCoCJmaWVsZDciOiAiQVVUSFBPU0lUSVZFIizCoMKgwqDCoCJmaWVsZDgiOiAiQVBQUk9WRUQiLMKgwqDCoMKgImZpZWxkOSI6ICJUcmFuc2FjdGlvbiBpcyBTdWNjZXNzZnVsIizCoMKgwqDCoCJwYXltZW50X3NvdXJjZSI6ICJkaXJBdXRoUzJTIizCoMKgwqDCoCJQR19UWVBFIjogIkNDLVBHIizCoMKgwqDCoCJlcnJvciI6ICJFMDAwIizCoMKgwqDCoCJlcnJvcl9NZXNzYWdlIjogIk5vIEVycm9yIizCoMKgwqDCoCJjYXJkVG9rZW4iOiAiIizCoMKgwqDCoCJuZXRfYW1vdW50X2RlYml0IjogIjE5OSIswqDCoMKgwqAiZGlzY291bnQiOiAiMC4wMCIswqDCoMKgwqAib2ZmZXJfa2V5IjogIiIswqDCoMKgwqAib2ZmZXJfYXZhaWxlZCI6ICIiLMKgwqDCoMKgInVubWFwcGVkc3RhdHVzIjogImNhcHR1cmVkIizCoMKgwqDCoCJoYXNoIjogIjNmOGZjZGQ2NzY0MmI0NDJkYjA0MjAxYzFmNTNmYmU2ZTdjMjQ5MTE1ZmQ3MThkN2NjZjU4Yjc4ZmVhOTAzOWJmYWFmYWYxYzMyZmZhNDM4NjVkOTVhODVhMDgzMjk1YzgyODZiMGFmNDc2Y2M1ZmE5OGJjNTEyNDQ2MjlhOWQyIizCoMKgwqDCoCJiYW5rX3JlZl9ubyI6ICIyMjExMzAxMjcwNTUiLMKgwqDCoMKgImJhbmtfcmVmX251bSI6ICIyMjExMzAxMjcwNTUiLMKgwqDCoMKgImJhbmtjb2RlIjogIkFNRVgiLMKgwqDCoMKgInN1cmwiOiAiaHR0cHM6Ly90ZXN0LnBheXUuY29tLyIswqDCoMKgwqAiY3VybCI6ICJodHRwczovL3Rlc3QucGF5dS5jb20vIizCoMKgwqDCoCJmdXJsIjogImh0dHBzOi8vdGVzdC5wYXl1LmNvbS8iLMKgwqDCoMKgImNhcmRfaGFzaCI6ICJmZmI0NTZiMmRhYTExM2YzNzc0ZTI3ODFmMWRhYmZhZjk3YTY4ZDgxMThhOTY4ZTJiMjBmZDc5OTY3ZDdmOWJhIsKgwqB9Cn0=The formatted response is similar to the following:
{
"status": "success",
"result": {
"mihpayid": "16313939584",
"mode": "CC",
"status": "success",
"key": "JPM7Fg",
"txnid": "TP7BQ55VDF2MPPG2",
"amount": "199.00",
"addedon": "2022-11-30 18:12:30",
"productinfo": "0Ai872ppprnrxeA11dy9w73iyhcm",
"firstname": "0Ai872ppprnrxeA11dy9w73iyhcm",
"lastname": "",
"address1": "",
"address2": "",
"city": "",
"state": "",
"country": "",
"zipcode": "",
"email": "[email protected]",
"phone": "11111111111",
"udf1": "",
"udf2": "6686207962514537",
"udf3": "",
"udf4": "",
"udf5": "",
"udf6": "",
"udf7": "",
"udf8": "",
"udf9": "",
"udf10": "",
"card_token": "",
"card_no": "XXXXXXXXXXXX2346",
"field0": "",
"field1": "",
"field2": "204145",
"field3": "",
"field4": "",
"field5": "",
"field6": "000",
"field7": "AUTHPOSITIVE",
"field8": "APPROVED",
"field9": "Transaction is Successful",
"payment_source": "dirAuthS2S",
"PG_TYPE": "CC-PG",
"error": "E000",
"error_Message": "No Error",
"cardToken": "",
"net_amount_debit": "199",
"discount": "0.00",
"offer_key": "",
"offer_availed": "",
"unmappedstatus": "captured",
"hash": "3f8fcdd67642b442db04201c1f53fbe6e7c249115fd718d7ccf58b78fea9039bfaafaf1c32ffa43865d95a85a083295c8286b0af476cc5fa98bc51244629a9d2",
"bank_ref_no": "221130127055",
"bank_ref_num": "221130127055",
"bankcode": "AMEX",
"surl": "https://test.payu.com/",
"curl": "https://test.payu.com/",
"furl": "https://test.payu.com/",
"card_hash": "ffb456b2daa113f3774e2781f1dabfaf97a68d8118a968e2b20fd79967d7f9ba"
}
}Step 3. Verify the payment
Upon receiving the response, PayU recommends you performing a reconciliation step to validate all transaction details.
You can verify your payments using either of the following methods:
Configure the webhooks to monitor the status of payments.
Webhooks enable a server to communicate with another server by sending an HTTP callback or message.
These callbacks are triggered by specific events or instances and operate at the server-to-server (S2S) level.
Know how to manage Webhooks for Payments.
3DS Secure 2.0 Transaction
Request Parameter for 3DS Secure 2.0 Transaction
Along with the parameters mentioned in Step 1, you must include the threeDS2RequestData parameter in the following JSON format for 3DS Secure 2.0 support for cards:
{
"browserInfo": {
"userAgent": "Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/93.0.4577.0 Safari/537.36",
"acceptHeader": "*/*",
"language": "en-US",
"colorDepth": "24",
"screenHeight": "600",
"screenWidth": "800",
"timeZone": "-300",
"javaEnabled": true,
"ip": "10.248.2.71"
}
}3DS Secure 2.0 browserDetails JSON Fields Description
| Field | Description | Example |
|---|---|---|
| userAgent | This field must include user agent of the device browser. | |
| acceptHeader | This field contains the format of the header. | application/json |
| language | This field contains the language for the 3D Secure Challenge. | en-US |
| colorDepth | This field contains the color depth of the screen. | 24 |
| screenHeight | This field contains the screen height of the device displaying the 3D Secure Challenge. | 640 |
| screenWidth | This field contains the screen width of the device displaying the 3D Secure Challenge. | 480 |
| javaEnabled | This field contains whether Java is enabled for the device. It can be any of the following: | true |
| timeZone | This field contains the time zone code where the payment is accepted. | 273 |
| ip | This should include the IP address of the device from which the browser is accessed. | 10.248.2.71 |
My Accordion Title
The sample cURL request with 3DS Secure 2.0:
curl --location 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: PHPSESSID=nbn8otc350bsv6u5fqvhcbo73b; PHPSESSID=63a0499eaf13e' \
--data-urlencode 'key=JF****g' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode '[email protected]' \
--data-urlencode 'amount=10' \
--data-urlencode 'phone= 9876543210' \
--data-urlencode 'productinfo=Product_info' \
--data-urlencode 'surl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'furl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'lastname=Test' \
--data-urlencode 'ccname=Test User' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=06' \
--data-urlencode 'ccexpyr=2024' \
--data-urlencode 'txnid=jYhbOYH9o4' \
--data-urlencode 'hash=e5b286a9c8545038de9d4e4ee4d8a2fd02e821015aff7e0323807ba174997d8643f9aa174981385e3e4dfe60b918650806ccb97b3e8e3471e1985ecadefd0184' \
--data-urlencode 'ccnum=4012000000002004' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 'threeDS2RequestData={
"browserInfo": {
"userAgent": "Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/93.0.4577.0 Safari/537.36",
"acceptHeader": "*/*",
"language": "en-US",
"colorDepth": "24",
"screenHeight": "600",
"screenWidth": "800",
"timeZone": "-300",
"javaEnabled": true,
"ip": "10.248.2.71"
}
}'Updated 2 months ago