General Integration
The Server-to-Server integration is performed at the server level, that is, your server (merchant server) and PayU server. The transaction is initiated from your server; hence redirection hop is eliminated. Since the details are captured on your page, customers gain confidence and enhance the checkout experience.
Note:
You must be PCI-DSS certified to use Server-to-Server integration. For more information on PCI-DSS certification, contact your Account Manager at PayU.
Before you begin:
Register for an account with PayU before you start integration. For more information, refer to Register for a Merchant Account.
Integration security
After receiving a response from PayU, you must calculate the hash again and validate it against the hash that you sent in the request to ensure the transaction is secure. PayU recommends implementing the transaction details APIs and webhook/callback as an extra security measure. You can find more information on this process in the Transaction Detail APIs and Webhooks documentation.
You need to ensure that sensitive information related to the integration is not part of the payment request to PayU. The details including — but are not limited to — the following are considered sensitive information:
- Salt value
- plain text hash string
Along with the request, the sensitive information should not be a part of any merchant-level URL. The following are considered sources for the merchant-level URL:
- The last web address accessed by a browser before loading PayU’s checkout page.
- URLs shared as part of payment request to PayU in the parameters: surl, furl, curl, nurl, and termUrl.
- Notification URLs configured with the merchant account.
- Invoice Completion URLs configured with the merchant account.
Note:
It is important to compare the parameters sent by PayU in the response with the ones you sent in the request to make sure none of them have been changed. You should verify specific parameters such as the transaction ID and amount. PayU is not responsible for any security breaches or losses resulting from your failure to implement the necessary security measures.
Step 1: Post the parameters to PayU
The first request from you to PayU with the required transaction mandatory/ optional parameters. This needs to be a server-to-server Curl call request. For the sample request and response, refer to Collect Payment - General Integration .
Environment
| Test Environment | <https://test.payu.in/_payment> |
| Production Environment | <https://secure.payu.in/_payment> |
Request parameters
Parameter | Description | Example |
|---|---|---|
key
|
| |
txnid |
| |
amount |
| |
productinfo |
| |
firstname |
| Ashish |
email |
| |
phone |
| |
pg |
| CC |
bankcode |
| AMEX |
ccnum |
| 5123456789012346 |
ccname |
| Ashish Kumar |
ccvv |
| 123 |
ccexpmon |
| 10 |
ccexpyr |
| 2021 |
furl |
| |
surl |
| |
hash |
| |
txn_s2s_flow |
| |
address1 |
| |
address2 |
| |
city |
| |
state |
| |
country |
| |
zipcode |
| |
udf1 |
| |
udf2 |
| |
udf3 |
| |
udf4 |
| |
udf5 |
|
Hashing
You must hash the request parameters using the following hash logic:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)For more information, refer to Generate Hash.
Sample request
curl -X POST "https://test.payu.in/_payment
-H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d
"key=JP***g&txnid=tJA4IWme0jIsDw&amount=10.00&firstname=PayU User&[email protected]&phone=9876543210&productinfo=iPhone&pg=cc&bankcode=cc&surl=https://apiplayground-response.herokuapp.com/&furl=https://apiplayground-response.herokuapp.com/&ccnum=5123456789012346&ccexpmon=05&ccexpyr=2022&ccvv=123&ccname=&txn_s2s_flow=4&hash=36b4ab309154a9cbc0a0b9829c086a196cb2edd758b1e918cf7f20fbc1f596f17cc4ba5682eee32317365c99e8b461692595328eea7bb9c6e689bc4b923abe81"Step 2: Check response from PayU
Sample response
{
"metaData": {
"message": null,
"referenceId": "2710cd2a20e08a006034861feea27f084a425e94920df9b1856eb6e90793067b",
"statusCode": "E000",
"txnId": "payuTestTransaction2909041",
"unmappedStatus": "captured"
},
"result": {
"mihpayid": "412345678912362515",
"mode": "CC",
"status": "success",
"key": "J****g",
"txnid": "payuTestTransaction2909041",
"amount": "100",
"addedon": "2020-06-09 16:54:26",
"productinfo": "Product Info",
"firstname": "Postman",
"lastname": "",
"address1": "",
"address2": "",
"city": "",
"state": "",
"country": "",
"zipcode": "",
"email": "[email protected]",
"phone": "9123456781",
"udf1": "",
"udf2": "",
"udf3": "",
"udf4": "",
"udf5": "",
"udf6": "",
"udf7": "",
"udf8": "",
"udf9": "",
"udf10": "",
"card_no": "XXXXXXXXXXXX2346",
"field0": "",
"field1": "",
"field2": "",
"field3": "",
"field4": "",
"field5": "NW9WYkV0dzJCclpsMWNRbzg0VVk=",
"field6": "02",
"field7": "AUTHPOSITIVE",
"field8": "",
"field9": "Successful Transaction",
"payment_source": "payuPureS2SAuth",
"PG_TYPE": "CC-PG",
"error": "E000",
"error_Message": "Success",
"unmappedstatus": "captured",
"hash": "df540d8fc8265e9382415993e468cfe0884574ddc617b96053082195752e11e4405888bb96030e749be780805dcf8499241a3c51fb26f978cdb6d328cda2a138",
"bank_ref_num": "",
"bankcode": "CC"
}
}
Next StepsResponse Parameters
Note:
The response contains a combination of the following JSON objects (metaData, result, and binData) based on the use case used in S2S, and the fields in each of them are described in the following tables.
Collect the response in the Collect Payment API - Server-to-Server under API Reference. The response for the S2S payment request is not similar to Merchant Hosted or PayU Hosted Checkout. For description of response parameters, refer to Additional Info for Payment APIs.
Updated 5 days ago