For CIT (Customer Initiated Transaction) card payments using Server-to-Server integration, you need to use the _payment API with S2S flow parameters. This section covers all the request parameters, sample requests, and response formats.

HTTP Method: POST

Environment


Test Environment	https://test.payu.in/_payment
Production Environment	https://secure.payu.in/_payment

Content Type: application/x-www-form-urlencoded

Request Parameters

The following table lists all the request parameters for S2S card transactions:

Parameter	Description	Example
key `mandatory`	`String` Merchant key provided by PayU during onboarding.	`JPM7Fg`
txnid `mandatory`	`String` The transaction ID is a reference number for a specific order generated by the merchant. Must be unique.	`payuTestTxn12345`
amount `mandatory`	`String` The payment amount for the transaction.	`100.00`
productinfo `mandatory`	`String` A brief description of the product. Character Limit: 100	`iPhone`
firstname `mandatory`	`String` The first name of the customer. Character Limit: 60	`Ashish`
email `mandatory`	`String` The email address of the customer. Character Limit: 50	`test@gmail.com`
phone `mandatory`	`String` The phone number of the customer.	`9876543210`
surl `mandatory`	`String` The Success URL - page PayU will redirect to if the transaction is successful.	`https://example.com/success`
furl `mandatory`	`String` The Failure URL - page PayU will redirect to if the transaction fails.	`https://example.com/failure`
hash `mandatory`	`String` Hash calculated for transaction security. Formula: `sha512(key\|txnid\|amount\|productinfo\|firstname\|email\|udf1\|udf2\|udf3\|udf4\|udf5\|\|\|\|\|\|SALT)`	`<generated_hash>`
pg `mandatory`	`String` Payment gateway type. For cards, use `CC`.	`CC`
bankcode `mandatory`	`String` Bank code for the payment option. Use `CC` for credit cards, `DC` for debit cards.	`CC`
ccnum `mandatory`	`String` 13-19 digit card number (15 for AMEX, 13-19 for Maestro). Validate with LUHN algorithm.	`5506900480000008`
ccvv `mandatory`	`String` 3-digit CVV (4 digits for AMEX).	`123`
ccname `mandatory`	`String` Cardholder name as entered by the customer.	`Test User`
ccexpmon `mandatory`	`String` Card expiry month in MM format (01-12).	`09`
ccexpyr `mandatory`	`String` Card expiry year in YYYY format.	`2026`
txn_s2s_flow `mandatory`	`Integer` Parameter to enable S2S flow. Set to `4` for S2S4 flow.	`4`
s2s_client_ip `mandatory`	`String` Client IP captured by merchant in S2S flow. Required for fraud detection.	`10.200.12.12`
s2s_device_info `mandatory`	`String` User Agent captured by merchant in S2S flow.	`Mozilla/5.0 (Windows NT 10.0; Win64; x64) PayU-API-Test/1.0`
lastname `optional`	`String` The last name of the customer. Character Limit: 60	`Kumar`
address1 `optional`	`String` First line of billing address. Character Limit: 100	`123 Main Street`
address2 `optional`	`String` Second line of billing address. Character Limit: 100	`Apartment 4B`
city `optional`	`String` Customer's city.	`Mumbai`
state `optional`	`String` Customer's state.	`Maharashtra`
country `optional`	`String` Customer's country. Character Limit: 50	`India`
zipcode `optional`	`String` Billing address zip code. Character Limit: 20	`400001`
curl `optional`	`String` Cancel URL - page PayU redirects to if transaction is cancelled.	`https://example.com/cancel`
udf1 `conditional`	`String` User-defined field 1. For PACB: Buyer's PAN number.	`AELPR****E`
udf2 `optional`	`String` User-defined field 2. Character Limit: 255	-
udf3 `conditional`	`String` User-defined field 3. For PACB: Buyer's DOB (DD-MM-YYYY).	`02-02-1980`
udf4 `conditional`	`String` User-defined field 4. For PA2PA: Merchant legal entity name.	`XYZ Pvt. Ltd.`
udf5 `optional`	`String` User-defined field 5. Invoice ID or invoice number.	`098450845`
user_credentials `conditional`	`String` Format: `merchant_key:customer_id`. Required for token provisioning & PayU token flows.	`PRiQvJ:customer_1112`
store_card `optional`	`Integer` Set to `1` to store the card token.	`1`
storecard_token_type `conditional`	`Integer` Token type: `0` for PayU tokens, `1` for Network tokens, `2` for Issuer tokens.	`0`
store_card_token `conditional`	`String` Token value for stored card transactions.	`10a7d7a45b72644460f108`
additional_info `conditional`	`JSON` Additional info for network tokens containing `last4Digits`, `tavv`, `trid`, `tokenRefNo`.	`{"last4Digits":"0008","tavv":"...","trid":"...","tokenRefNo":"..."}`

Payment Options

Option A: Plain Cards

Standard card transaction without tokenization.

curl --location --request POST 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'key=JPM7Fg' \
--data-urlencode 'txnid=payuTestTransaction12345' \
--data-urlencode 'amount=100.00' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode 'email=test@payu.in' \
--data-urlencode 'phone=9988776655' \
--data-urlencode 'productinfo=Product Info' \
--data-urlencode 'surl=https://test.payu.in/admin/test_response' \
--data-urlencode 'furl=https://test.payu.in/admin/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'ccnum=5506900480000008' \
--data-urlencode 'ccname=Test User' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=09' \
--data-urlencode 'ccexpyr=2026' \
--data-urlencode 'udf1=AELPR****E' \
--data-urlencode 'udf2=' \
--data-urlencode 'udf3=01-12-1980' \
--data-urlencode 'udf4=XYZ Pvt. Ltd' \
--data-urlencode 'udf5=098450845' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 's2s_client_ip=10.200.12.12' \
--data-urlencode 's2s_device_info=Mozilla/5.0 (Windows NT 10.0; Win64; x64) PayU-API-Test/1.0' \
--data-urlencode 'hash=YOUR_CALCULATED_HASH'

Option B: Plain Cards + Tokenization

To store the card for future use, add tokenization parameters:

curl --location --request POST 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'key=JPM7Fg' \
--data-urlencode 'txnid=payuTestTransaction12345' \
--data-urlencode 'amount=100.00' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode 'email=test@payu.in' \
--data-urlencode 'phone=9988776655' \
--data-urlencode 'productinfo=Product Info' \
--data-urlencode 'surl=https://test.payu.in/admin/test_response' \
--data-urlencode 'furl=https://test.payu.in/admin/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'ccnum=5506900480000008' \
--data-urlencode 'ccname=Test User' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=09' \
--data-urlencode 'ccexpyr=2026' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 's2s_client_ip=10.200.12.12' \
--data-urlencode 's2s_device_info=Mozilla/5.0 (Windows NT 10.0; Win64; x64) PayU-API-Test/1.0' \
--data-urlencode 'user_credentials=JPM7Fg:customer_1112' \
--data-urlencode 'store_card=1' \
--data-urlencode 'hash=YOUR_CALCULATED_HASH'

Option C: Using PayU Tokens

For transactions using previously stored PayU tokens:

curl --location --request POST 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'key=JPM7Fg' \
--data-urlencode 'txnid=payuTestTransaction12345' \
--data-urlencode 'amount=100.00' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode 'email=test@payu.in' \
--data-urlencode 'phone=9988776655' \
--data-urlencode 'productinfo=Product Info' \
--data-urlencode 'surl=https://test.payu.in/admin/test_response' \
--data-urlencode 'furl=https://test.payu.in/admin/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 's2s_client_ip=10.200.12.12' \
--data-urlencode 's2s_device_info=Mozilla/5.0 (Windows NT 10.0; Win64; x64) PayU-API-Test/1.0' \
--data-urlencode 'user_credentials=JPM7Fg:customer_1112' \
--data-urlencode 'storecard_token_type=0' \
--data-urlencode 'store_card_token=10a7d7a45b72644460f108' \
--data-urlencode 'hash=YOUR_CALCULATED_HASH'

📘
Note:
Use the Get User Cards API with the same user_credentials used when storing the card to retrieve the store_card_token value.

Option D: Using Network Tokens

For transactions using network tokens (Visa/Mastercard tokens):

curl --location --request POST 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'key=JPM7Fg' \
--data-urlencode 'txnid=payuTestTransaction12345' \
--data-urlencode 'amount=100.00' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode 'email=test@payu.in' \
--data-urlencode 'phone=9988776655' \
--data-urlencode 'productinfo=Product Info' \
--data-urlencode 'surl=https://test.payu.in/admin/test_response' \
--data-urlencode 'furl=https://test.payu.in/admin/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=09' \
--data-urlencode 'ccexpyr=2026' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 's2s_client_ip=10.200.12.12' \
--data-urlencode 's2s_device_info=Mozilla/5.0 (Windows NT 10.0; Win64; x64) PayU-API-Test/1.0' \
--data-urlencode 'storecard_token_type=1' \
--data-urlencode 'store_card_token=5506900495826660' \
--data-urlencode 'additional_info={"last4Digits":"0008","tavv":"UAQAAAAMKJAQg+w+0IagAAAAAAAA","trid":"400000340044","tokenRefNo":"DM4MMC1US00000003e1ebda85d81490d97cdc87975c7c3bc"}' \
--data-urlencode 'hash=YOUR_CALCULATED_HASH'

⚠️
Important:
When using network tokens, the ccexpyr and ccexpmon should contain the token expiry values, not the original card expiry values.

Sample Response

Successful Response (S2S4 Flow)

{
  "metaData": {
    "message": null,
    "referenceId": "5a3e7cb9884e003dce1f28f965478a9a12fb9244fc15be91b0b3de48763a12e7",
    "statusCode": null,
    "txnId": "payuTestTransaction12345",
    "txnStatus": "Enrolled",
    "unmappedStatus": "pending",
    "resendOtp": {
      "isSupported": true,
      "attemptsLeft": 2
    },
    "submitOtp": {
      "attemptsLeft": 3
    }
  },
  "result": {
    "otpPostUrl": "https://test.payu.in/ResponseHandler.php",
    "acsTemplate": "PGh0bWw+PGJvZHk+PGZvcm0gbmFtZT0icGF5bWVudF9wb3N0IiBpZD0i..."
  },
  "binData": {
    "pureS2SSupported": true,
    "issuingBank": "AXIS",
    "category": "creditcard",
    "cardType": "MAST",
    "isDomestic": true
  }
}

Response Parameters

Parameter	Description
`metaData`	JSON object containing transaction metadata
`metaData.referenceId`	PayU reference ID to be sent back in subsequent calls
`metaData.txnId`	Merchant's transaction ID
`metaData.txnStatus`	Transaction status (e.g., "Enrolled")
`metaData.unmappedStatus`	Status for flow control: `pending`, `captured`, or `failed`
`result.otpPostUrl`	URL to post OTP for verification
`result.acsTemplate`	Base64 encoded HTML form for bank ACS redirect
`binData.pureS2SSupported`	Whether native S2S OTP flow is supported
`binData.issuingBank`	Card issuing bank
`binData.category`	Card category (`creditcard` or `debitcard`)
`binData.cardType`	Card network (`VISA`, `MAST`, `RUPAY`)
`binData.isDomestic`	Whether the card is domestic

Error Handling

If any error message is displayed with an error code, refer to Error Codes to understand the reason. For error codes during various transaction stages, refer to Transaction Stages - Error References.

📘
Reference:
For the character limit of each parameter and detailed description, refer to Additional Info for Payment APIs.

EXAMPLE QUESTIONS