PayU enables merchants to process direct authorization for pre-authenticated transactions (external MPI/3DSS). This section describes how to integrate with PayU's direct authorization flow. Initiate an authorization request with the payment details provided post a successful authentication through the MPI/3DSS as explained in this API Reference.
The Cards Redirect Flow provides structured redirection handling for card authentication and transaction processing with comprehensive 3DS support.
Note:This API is backward compatible and you can continue to use the existing integration parameters to process the 3DS 1.0.2 transactions.
Environment
Test Environment | https://apitest.payu.in/v2/payments |
Production Environment | https://api.payu.in/v2/payments> |
Request header
Parameter | Description |
---|---|
date | The current date and time. For example, format of the date is Wed, 28 Jun 2023 11:25:19 GMT. |
authorization | The actual HMAC signature generated using the specified algorithm (sha512) and includes the hashed data. For more information, refer to authorization fields description. |
authorization fields description
Field | Description |
---|---|
username | Represents the username or identifier for the client or merchant, for example smsplus. |
algorithm | Use SHA512 algorithm for hashing and send this as header value. |
headers | Specifies which headers have been used in generating the hash, for example date. |
signature | The HMAC signature generated using the specified algorithm. For more information, refer to hashing algorithm. |
hashing algorithm
You must hash the request parameters using the following hash logic:
Hash logic: sha512(<Body data>
+ '|' + date + '|' + merchant_secret)
Where <Body data>
contains the request body posted with the request.
Sample header code
var merchant_key = 'smsplus';
var merchant_secret = 'izF09TlpX4ZOwmf9MvXijwYsBPUmxYHD';
// date
var date = new Date();
date = date.toUTCString();
// authorization
var authorization = getAuthHeader(date);
function getAuthHeader(date) {
var AUTH_TYPE = 'sha512';
var data = isEmpty(request['data']) ? "" : request['data'];
var hash_string = data + '|' + date + '|' + merchant_secret;
var hash = CryptoJS.SHA512(hash_string).toString(CryptoJS.enc.Hex);
return `hmac username="${merchant_key}", algorithm="${AUTH_TYPE}", headers="date", signature="${hash}"`;
}
Request body
Parameter | Description | Example |
---|---|---|
accountId |
|
UMXDPA |
txnId |
|
ZP6267f0d2996ce |
paymentMethod |
|
{"name": "CreditCard", "bankCode": "CC"} |
order |
|
|
additionalInfo |
|
|
callBackActions |
|
|
billingDetails |
|
|
authorization |
|
|
threeDS2RequestData |
|
paymentMethod object fields description
Field | Description | Example |
---|---|---|
name |
|
CreditCard |
bankCode |
|
CC |
paymentCard |
|
paymentCard object fields description
Parameter | Description | Example |
---|---|---|
cardNumbermandatory for physical card |
Card number. | 5497774415170603 |
validThroughmandatory for physical card |
Expiry date in MM/YYYY format. | 05/2025 |
ownerNameoptional |
Name of the card owner. | Ashish |
cvvmandatory for physical card |
CVV number of the card. | 123 |
tavvmandatory for saved card |
Cryptogram of the card for tokenized payments. | AAABAWFlmQAAAABjRWWZEEFgFz |
last4Digitsmandatory for saved card |
Last four digits of the card. | 0603 |
cardTokenTypemandatory for saved card |
Card token type. Valid values: PAYU, NETWORK, ISSUER. | PAYU |
cardTokenmandatory for saved card |
Card token of the stored card. | b5f2d8785768087678fm9 |
order object fields description
Parameter | Description | Example |
---|---|---|
productInfomandatory |
Product details. | Product details |
orderedItemoptional |
Details about the items ordered. | Array of Objects |
userDefinedFieldsoptional |
Custom fields for additional information. Fields: udf1, udf2, udf3, udf4, udf5, udf6, udf7, udf8, udf9, udf10. For more information, refer to | Object |
paymentChargeSpecificationmandatory |
Includes amount and charges. For more information, refer to paymentChargeSpecification object fields description | Object |
paymentChargeSpecification object fields description
Parameter | Description | Example |
---|---|---|
pricemandatory |
The transaction amount. | 1000 |
netAmountDebitoptional |
Net amount to be debited. | 1000 |
taxSpecificationoptional |
Tax details of the product/order. | Object |
convenienceFeeoptional |
Fees format (e.g., CC:12). | CC:12 |
offersoptional |
Offers applied or available for the payment. | Object |
userDefinedFields object fields description
Field | Description |
---|---|
udf1 | User defined field. |
udf2 | User defined field. |
udf3 | User defined field. |
udf4 | User defined field. |
udf5 | User defined field. |
udf6 | User defined field. |
udf7 | User defined field. |
udf8 | User defined field. |
udf9 | User defined field. |
udf10 | User defined field. |
additionalInfo object fields description
Parameter | Description | Example |
---|---|---|
enforcePaymethodoptional |
Force a transaction with a specified method (e.g., CC, DC). | CC |
forcePgidoptional |
Forces identification for payment gateway. | PG123 |
partnerHoldTimeoptional |
Time held by the partner for the transaction. | 60 |
userCredentialsoptional |
Credentials for user authentication. | string |
userTokenoptional |
Token for the customer. | user_token_123 |
subventionAmountoptional |
Amount paid through EMI subvention payments. | 100 |
authOnlyoptional |
Initiates an authentication-only payment (true/false). | false |
createOrderoptional |
A flag to store the order details (true/false). | true |
txnS2sFlowoptional |
For defining seamless/non-seamless flows in handling payments. | seamless |
Cards Redirect Flow-specific parameters:
Field | Description | Example |
---|---|---|
txnS2sFlow |
|
1 |
createOrder |
|
false |
placeOrder |
|
false |
callBackActions object fields description
Parameter | Description | Example |
---|---|---|
successActionmandatory |
URL to be called on payment success. | https://example.com/success |
failureActionmandatory |
URL to be called on payment failure. | https://example.com/failure |
cancelActionmandatory |
URL to be called if user cancels the payment. | https://example.com/cancel |
codActionoptional |
URL for Cash on Delivery (COD) action. | https://example.com/cod |
billingDetails object fields description
Parameter | Description | Example |
---|---|---|
firstNamemandatory |
First name of the billing contact. | Ashish |
lastNameoptional |
Last name of the billing contact. | Kumar |
address1mandatory |
Primary billing address. | 123 Main Street |
address2optional |
Secondary billing address. | Apt 4B |
phoneoptional |
Phone number of the billing contact. | 9123456789 |
emailmandatory |
Email address of the billing contact. | [email protected] |
cityoptional |
City of the billing address. | Bharatpur |
stateoptional |
State of the billing address. | Rajasthan |
countryoptional |
Country of the billing address. | India |
zipCodeoptional |
Postal/Zip code of the billing address. | 321028 |
authorization object fields description
Parameter | Description | Example |
---|---|---|
ecioptional |
Electronic Commerce Indicator. | 05 |
cavvoptional |
Cardholder Authentication Verification Value. | AAABAWFlmQAAAABjRWWZEEFgFz |
paresoptional |
Payer Authentication Response for 3D Secure 1.0. | eJzVWFmTokoWfrMABXXOtgSL... |
bankDataoptional |
Additional bank data for processing the payment. | fGpDiuSMy8FjxQHDla5kFwVr |
messageDigestoptional |
Security hash value for message verification. | 3a4df2b5c8e7f9a1d6b0c3e9 |
xidoptional |
Transaction identifier for 3D Secure authentication. | MDAwMDAwMDAwMDAwMDAwMDEyMzQ= |
threeDSenrolledoptional |
Indicates if the card is enrolled in 3D Secure. | Y |
threeDSstatusoptional |
Status of the 3D Secure authentication. | SUCCESS |
flowTypeoptional |
Flow type for 3D Secure. | Frictionless |
threeDSTransIDoptional |
3DS Transaction ID. | 67b4c71f-19bf-4d97-bd09-4e3687dc9e42 |
threeDSServerTransIDoptional |
3DS Server Transaction ID. | eea30d14-71cf-41af-b961-f95b7d67dc93 |
threeDSTransStatusoptional |
3DS transaction status. | Y |
threeDSTransStatusReasonoptional |
Reason for 3DS transaction status. | 01 |
aquirer_binoptional |
Bank Identification Number of the acquirer. | 401200 |
additionalInfooptional |
Object containing additional authorization information including payment gateway identifier, authentication flow, 3DS2 request data, and user-defined fields. | Object |
additionalInfo.paymentGatewayIdentifieroptional |
Identifier for the payment gateway. | gateway_123 |
additionalInfo.authenticationFlowoptional |
Type of authentication flow used. | 3DS2 |
additionalInfo.threeDS2RequestDataoptional |
Object containing 3DS2 request data. | {} |
additionalInfo.authUdf1optional |
User-defined field 1 for additional authorization data. | custom_value_1 |
additionalInfo.authUdf2optional |
User-defined field 2 for additional authorization data. | custom_value_2 |
additionalInfo.authUdf3optional |
User-defined field 3 for additional authorization data. | custom_value_3 |
additionalInfo.authUdf4optional |
User-defined field 4 for additional authorization data. | custom_value_4 |
additionalInfo.authUdf5optional |
User-defined field 5 for additional authorization data. | custom_value_5 |
additionalInfo.authUdf6optional |
User-defined field 6 for additional authorization data. | custom_value_6 |
additionalInfo.authUdf7optional |
User-defined field 7 for additional authorization data. | custom_value_7 |
additionalInfo.authUdf8optional |
User-defined field 8 for additional authorization data. | custom_value_8 |
additionalInfo.authUdf9optional |
User-defined field 9 for additional authorization data. | custom_value_9 |
additionalInfo.authUdf10optional |
User-defined field 10 for additional authorization data. | custom_value_10 |
threeDS2RequestData object fields description
Parameter | Description | Example |
---|---|---|
threeDSVersionoptional |
The version of 3D Secure used. | 2.2.0 |
deviceChanneloptional |
The device used for the transaction channel. | APP |
Sample request
curl --location 'https://apitest.payu.in/v2/payments' \
--header 'date: Thu, 27 Mar 2025 10:12:27 GMT' \
--header 'authorization: hmac username="UMXDPA", algorithm="sha512", headers="date", signature="ec84843a663143bb89391f6fa2d4b9404bab1543a3eee81263b4a507ebf5d289d8fad1fbcdd59da820951e3e0f9b0b0b3d1bad9b41338804e7c42a8a6197c6e9"' \
--header 'Content-Type: application/json' \
--data-raw '{
"accountId": "UMXDPA",
"txnId": "ZP6267f0d2996ce",
"amount": 10,
"paymentMethod": {
"name": "CreditCard",
"bankCode": "CC",
"paymentCard": {
"cardNumber": "5004461234560000",
"validThrough": "04/2025",
"ownerName": "John Doe",
"cvv": "987",
"last4Digits": "0000",
"cardTokenType": "NETWORK",
"cardToken": "29850879bf39848ca078727b8e1a95165a41cea1"
}
},
"order": {
"productInfo": "Cards Redirect Flow Payment",
"orderedItem": [
{
"itemId": "1",
"description": "Product Description",
"quantity": 1,
"amount": 10.0
}
],
"paymentChargeSpecification": {
"price": 10,
"netAmountDebit": 10
}
},
"additionalInfo": {
"createOrder": false,
"placeOrder": false,
"txnS2sFlow": "1"
},
"callBackActions": {
"successAction": "https://yoursite.com/success",
"failureAction": "https://yoursite.com/failure"
},
"billingDetails": {
"firstName": "John",
"lastName": "Doe",
"address1": "123 Main Street",
"city": "Mumbai",
"state": "Maharashtra",
"country": "India",
"zipCode": "400001",
"phone": "9876543210",
"email": "[email protected]"
},
"authorization": {
"eci": "05",
"cavv": "AAABAWFlmQAAAABjRWWZEEFgFz",
"flowType": "Frictionless",
"threeDSTransID": "67b4c71f-19bf-4d97-bd09-4e3687dc9e42",
"threeDSServerTransID": "eea30d14-71cf-41af-b961-f95b7d67dc93",
"threeDSTransStatus": "Y",
"threeDSTransStatusReason": "01",
"acquirer_bin": "401200",
"additionalInfo": {
"authUdf1": "string",
"authUdf2": "string"
}
},
"threeDS2RequestData": {
"threeDSVersion": "2.2.0",
"deviceChannel": "APP"
}
}'
Sample response
{
"result": {
"redirectUrl": "https://secure.payu.in/ResponseHandler.php",
"authAction": "https://api.payu.in/payments/21667772394/otps",
"paymentId": "21667772394",
"redirectTemplate": "PGh0bWw+PGJvZHk+PGZvcm0gbmFtZT0icGF5bWVudF9wb3N0IiBpZD0icGF5bWVudF9wb3N0IiBhY3Rpb249Imh0dHBzOi8vbmV0YmFua2luZy5oZGZjYmFuay5jb20vbmV0YmFua2luZy9tZXJjaGFudD9DbGllbnRDb2RlPTE1NDkxMyZNZXJjaGFudENvZGU9UEFZVUZBQ0VCT09LJlR4bkN1cnJlbmN5PUlOUiZUeG5BbW91bnQ9MjUwMDAuMDAmVHhuU2NBbW91bnQ9MCZNZXJjaGFudFJlZk5vPWs0cWh3NGVsYXY2MmxwNjJjbSZTdWNjZXNzU3RhdGljRmxhZz1OJkZhaWx1cmVTdGF0aWNGbGFnPU4mRGF0ZT0yNi8xMS8yMDI0IDAwOjAwOjAwJlJlZjE9JlJlZjI9NDAzYmIzODkxY2Y5NGEzNmI0ZGQxOTlkOWNjZWVjNmUmUmVmMz0mUmVmND0mUmVmNT0mRHluYW1pY1VybD1odHRwczovL3NlY3VyZS5wYXl1LmluL2I0NDdmZmViZDg4NDNjZTEzYzlmODVhZjhlOTA0ZmQyL0NvbW1vblBnUmVzcG9uc2VIYW5kbGVyLnBocCZDaGVja1N1bT0zMTAxMzgyNDM2",
"card": {
"binData": {
"pureS2SSupported": false,
"issuingBank": "ICICI",
"category": "creditcard",
"cardType": "MAST",
"isDomestic": true
}
}
},
"status": "PENDING"
}
Response parameters
Parameter | Description | Example |
---|---|---|
redirectUrl |
URL to which the user is redirected after the payment process is completed. |
https://secure.payu.in/ResponseHandler.php |
authAction |
URL for authentication actions like OTP submission during the payment process. |
https://api.payu.in/payments/21667772394/otps |
paymentId |
Unique identifier for the payment transaction. |
21667772394 |
redirectTemplate |
Encoded HTML template used for auto-redirecting or displaying information post-payment. |
Base64 encoded HTML |
card.binData.issuingBank |
Name of the bank that issued the card. |
ICICI |
card.binData.category |
Category of the card (creditcard, debitcard). |
creditcard |
card.binData.cardType |
Type of the card (MAST for Mastercard, VISA, etc.). |
MAST |
card.binData.isDomestic |
Boolean indicating if the card is domestic. |
true |
status |
Status of the payment transaction. |
PENDING |
Reference:To check the transaction status, refer to Verify Payment API. The Verify Payment API is mandatory for Cards Redirect Flow to obtain the final transaction status.