Web Integration

What you're building

A simple server-generated redirect that sends customers from your site/app to the PayU-hosted payment page, then returns them to your success/failure URLs. You pass payment details & customer fields + a server-generated SHA-512 hash for integrity; PayU handles the payment UI and authentication.

The PayU Hosted Checkout integration involves the following steps:

1. Start Integration

Integrate pre-built checkout solution

2. Test Integration

Test the integration by making a test transaction

3. Go live Checklist

Follow the production checklist to go live

📘
Pre-requisite

Create an account with PayU

Get your key and salt for test and production environment. Click here to access detail guide on accessing your key and salt

Keep https success & failure URLs (surl, furl) ready, reachable from the public internet.

Ability to generate SHA-512 on the server (not recommended to do it in browser).

Environment


Test Environment	https://test.payu.in/_payment
Production Environment	https://secure.payu.in/_payment

Step 1: Start Integration

Follow the below steps to complete the integration:

Step 1.1: Prepare the request parameters

First, you need to collect all the necessary information for the transaction. Below is the list of parameters where some are mandatory and others are optional.

Parameter	Type & Description	Example
key `mandatory`	`String` Merchant key provided by PayU during onboarding.	JPG****.k
txnid `mandatory`	`String` The transaction ID is a reference number for a specific order generated by the merchant.	ypl938459435
amount `mandatory`	`String` The payment amount for the transaction.	10.00
productinfo `mandatory`	`String` A brief description of the product.	iPhone
firstname `mandatory`	`String` The first name of the customer.	Ashish
email `mandatory`	`String` The email address of the customer.	[email protected]
phone `mandatory`	`String` The phone number of the customer.
lastname `optional`	`String` The last name of the customer.	Kumar
surl `mandatory`	`String` The success URL, which is the page PayU will redirect to if the transaction is successful.	https://test-payment-middleware.payu.in/simulatorResponse
furl `mandatory`	`String` The failure URL, which is the page PayU will redirect to if the transaction fails.	https://test-payment-middleware.payu.in/simulatorResponse
hash `mandatory`	`String` It is the hash calculated by the merchant. The hash calculation logic is: `sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|SALT)` Reference: For detailed information on hashing, refer to Generate Hash.
address1 `optional`	`String` The first line of the billing address. Fraud Detection: This information is helpful for fraud detection and chargebacks. Please provide the correct information.	H.No- 17, Block C, Kalyan Bldg, Khardilkar Road, Mumbai
address2 `optional`	`String` The second line of the billing address.	34 Saikripa-Estate, Tilak Nagar
city `optional`	`String` The city where your customer resides as part of the billing address.	Mumbai
state `optional`	`String` The state where your customer resides as part of the billing address.	Maharashtra
country `optional`	`String` The country where your customer resides.	India
zipcode `optional`	`String` Billing address zip code is mandatory for the cardless EMI option. Character Limit: 20	400004
enforced_payment `optional`	`String` This parameter is to customize the payment options for each transaction. You can enforce specific payment modes, card schemes, and specific banks under Net Banking using this method.	creditcard\|debitcard
drop_category `optional`	`String` This parameter is used if you want to hide one or multiple payment options. For example, if you consider the payment options such as credit card, debit card, and net banking, you can hide the credit card mode of payment.	CC
udf1 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.	AELPR****E
udf2	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.
udf3 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.	02-02-1980
udf4 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.	XYZ Pvt. Ltd.
udf5 `optional`	`String` User-defined fields (udf) are used to store any information corresponding to a particular transaction.	098450845
custom_note `optional`	`String` This parameter allows you to display a message on the PayU Payment page. This can be useful if you want to provide additional information to your customers, such as an extra charge for a particular product. The message specified in the custom_note parameter will be displayed below the payment options.	You will be charged an extra amount of Rs 100 on this transaction
note_category `optional`	`String` This parameter allows you to specify which payment options the custom_note message will be displayed for. This parameter should contain a comma-separated list of the payment options that you want the custom_note displayed for. Example: "CC, NB" will show the custom_note for Credit Card & Net banking only.	CC, NB

📘
Swap the form action to the production endpoint: https://secure.payu.in/_payment when you go live.

Step 1.2: Generate Hash

Concatenate fields in this exact sequence, then SHA-512:

key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5|SALT

Use empty strings for missing udf*.
Compute on your server and include the lowercase hex digest as hash.

For more information, refer to Generate Hash.

Step 1.3: POST the html form (server renders)

<!doctype html>
<html>
  <body onload="document.forms.payu.submit()">
    <form name="payu" method="post" action="https://test.payu.in/_payment">
      <input type="hidden" name="key" value="JP***g">
      <input type="hidden" name="txnid" value="t6svtqtjRdl4ws">
      <input type="hidden" name="amount" value="499.00">
      <input type="hidden" name="productinfo" value="Pro Plan">
      <input type="hidden" name="firstname" value="Aditi">
      <input type="hidden" name="email" value="[email protected]">
      <input type="hidden" name="phone" value="9999999999">
      <input type="hidden" name="surl" value="https://yourapp.com/payu/success">
      <input type="hidden" name="furl" value="https://yourapp.com/payu/failure">
      <input type="hidden" name="hash" value="sha512(...hash sequence...)">
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

Replace the value attributes with your actual data and the generated hash. You can add more parameters to this form as needed.

📘
Important
When you POST the form to https://test.payu.in/_payment or https://secure.payu.in/_payment, we will redirect the user to PayU checkout page.

Step 1.4: Response handling & hash verification

Response Handling:

After the customer completes or abandons the payment, PayU POSTs back to your return URL with URL-encoded fields (form post). This payload includes the transaction status, txnid, mihpayid, and a hash you must verify (reverse hashing) before trusting the result.

Sample surl/furl payload:

mihpayid=403993715531077182
mode=CC
status=success
unmappedstatus=captured
key=JPM7Fg
txnid=TXN12345
amount=1000.00
productinfo=Pro Plan
firstname=Aditi
[email protected]
phone=9999999999
udf1=
...
udf5=
PG_TYPE=CC-PG
bankcode=CC
bank_ref_num=896193988312194700
field1=...
field9=Transaction is Successful
hash=<response_hash>

mihpayid=403993715531077182
mode=CC
status=failure
unmappedstatus=failed
key=JPM7Fg
txnid=TXN12345
amount=1000.00
productinfo=Pro Plan
firstname=Aditi
[email protected]
phone=9999999999
udf1=
...
udf5=
PG_TYPE=CC-PG
bankcode=CC
bank_ref_num=
field1=
field2=
...
field9=Transaction Failed
error=E000
error_Message=Bank was unable to authenticate
hash=<response_hash>

Step 1.4.1: Response verification using reverse hashing

Verify the response received above by recomputing SHA-512 using the reverse sequence:

sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)

Compare the computed digest to hash from the POST payload (case-sensitive).
Trust the result only if the hash matches. Then update your order state.

Step 1.5: Verify the payment

Upon receiving the response, we recommend performing a reconciliation step to validate all transaction details.
You can verify your payments using either of the following methods:

Configure the webhooks to monitor the status of payments.
Webhooks enable a server to communicate with another server by sending an HTTP callback or message.
These callbacks are triggered by specific events or instances and operate at the server-to-server (S2S) level.

👉 For more details, refer to Webhooks for Payments.

Step 2: Test Integration

Before going live, it's crucial to test your integration thoroughly in the PayU test environment. Follow these steps to ensure your setup is correct and to simulate different transaction scenarios.

Step 2.1: Pre-Payment Validation

Before initiating a transaction, ensure your server-side implementation is correct.

Verify API Credentials: Double-check that you are using the correct key and salt for the test environment.
Validate Hash Calculation: The most common point of failure is an incorrect hash.
1. Temporarily print the string that you are passing into the hash function on your server.
2. Ensure the order of the parameters (key|txnid|amount|productinfo|firstname|email...|salt) exactly matches the format specified in the documentation.
3. Verify that there are no empty or null values for mandatory parameters in the hash string.
4. If you encounter a "Checksum failed" error upon redirection, this is the first thing to debug.

Step 2.2: Simulate a Successful Transaction (The Happy Path)

This test ensures that a successful payment is correctly processed and recorded.

Initiate Payment: On your website or app, add items to the cart and proceed to payment. This should trigger your code to send the transaction details to PayU and redirect the user to the PayU payment page.
Error Check: If you are not redirected and see an error message on your own site, check your server-side logs. If you are redirected to a PayU error page, refer to the Error Handling section to diagnose the issue.
Verify Payment Page: Once on the PayU page, confirm the following:
1. The transaction amount and product details are displayed correctly.
2. All the payment methods (Credit/Debit Card, UPI, Net Banking, etc.) that should be active on your account are visible. If a payment method is missing, please contact your Key Account Manager (KAM) or PayU Support.
Test a Card Transaction:
1. Select Credit Card as the payment method.
2. Use the following test card details:
  1. Card Number: 5123456789012346
  2. Expiry Date: Any valid future date (e.g., 12/2030)
  3. CVV: 123
  4. Name on Card: Test Name
3. Click Pay Now. You will be redirected to a dummy bank page to simulate 3D Secure authentication.
4. Enter the test OTP 123456 and click Submit.
Test a UPI Transaction:
1. Select UPI as the payment method.
2. Enter a test UPI ID: anything@payu or 9999999999@payu
3. Click Verify and then Pay Now. This will simulate a successful UPI transaction.

For more test credentials, refer to the Test Cards, UPI ID and Wallets guide.

Step 2.3: Simulate a Failed Transaction

It's equally important to test how your system handles failed payments.

Initiate a New Payment as you did in Step 2.
Test a Failing Card Transaction:
1. Select Credit Card as the payment method.
2. Use a test card designed to fail, for example:
  1. Card Number: 5123456789012340 (Payment failed by user)
3. Complete the payment flow. The transaction should fail.

Step 2.4: Post-Transaction Verification

After both the successful and failed transactions, you must verify the final status at multiple points.

Check the Return URL (surl / furl):
1. After a successful payment, PayU will redirect the user to the Success URL (surl) you provided. Verify that your application handles this redirect correctly and displays an appropriate success message to the user.
2. After a failed payment, PayU will redirect the user to the Failure URL (furl). Verify that your application displays a clear failure message and provides the user with options to retry.
Verify the Server-to-Server (S2S) Webhook:
1. This is the most reliable way to confirm transaction status.
2. Check your server logs to ensure that you have received the S2S POST request from PayU for the transaction.
3. Validate the hash in the webhook response to ensure the data is authentic.
4. Update the transaction status in your database based on the status received in the S2S webhook, not based on the browser redirect (surl/furl).
Cross-Verify in the PayU Dashboard:
1. Log in to your PayU test dashboard.
2. Navigate to the "Transactions" section.
3. Verify that both the successful and failed transactions are logged correctly with the corresponding status (success, failure). Check that details like txnid and amount match your records.

Step 3: Going Live: Your Final Checklist

You've successfully tested your integration. Now, follow these critical steps to switch to the live environment and start accepting real payments from your customers.

Step 3.1. Update to Production Credentials

First, you must switch your integration from using test credentials to production credentials.

Generate Live Keys**

Log in to your PayU Dashboard.
Use the toggle at the top to switch from Test Mode to Live Mode.
Navigate to Developer Tools → API Keys from the sidebar.
Copy the Live Merchant Key and Live Salt.

Update Your Code**

In your integration code, replace the test key and salt with your new live credentials.

Update the Endpoint URLs**

Ensure all API requests are now being sent to the correct production endpoints:
- For_payment API: https://secure.payu.in/_payment
- For Verify Payments API: https://info.payu.in/merchant/postservice.php?form=2

Step 3.2. Final Integration Verification

Before you announce that you're live, run through this checklist to ensure everything is configured correctly.

✅ Conduct a Live Transaction: Make a small, real transaction with a genuine credit card or UPI ID. This is the best way to confirm that your production credentials are correct and that the end-to-end flow is working.
✅ Verify the Server-to-Server (S2S) Webhook: This is the most crucial step for confirming transaction status reliably.
- After your live test transaction, check your server logs to confirm that you received the webhook from PayU.
- Ensure your system correctly processes this webhook and updates the order status in your database.
- Important: Your system should rely on this S2S webhook as the primary source of truth for a transaction's final status, not the browser redirect. For more details, refer to Webhooks.
✅ Validate the Response Hash:
- Confirm that your code correctly validates the hash for the response sent to your return URL (surl/furl) and for the S2S webhook. This security measure prevents tampering and confirms the response is genuinely from PayU. For more information, refer to Hashing Request and Response.
✅ Check Success and Failure Pages (surl / furl):
- Ensure that after a successful payment, your customer is redirected to your success page and sees a clear confirmation message.
- Simulate a failed live payment (if possible, with a card that has insufficient funds) to ensure the customer is redirected to your failure page and given instructions to retry.
✅ Implement a Reconciliation Plan:
- In case of any discrepancy (e.g., a webhook is missed), use the Verify Payment API to programmatically fetch the status of a transaction from PayU and reconcile your records.