This scenario applies where a customer provides the complete card details to do the transaction (card number, card expiry, CVV, and name on card).
HTTP Method: POST
Applicable scenarios
- It is a guest checkout
- It is a standard checkout request where there is no need to save the card
Note: Plain card details come from the merchant, so no changes are applicable in the request and response.
Request and response elements remain as they are.
Environment
Test Environment | https://apitest.payu.in/v2/payments |
Production Environment | https://api.payu.in/v2/payments |
Request headers
Parameter | Description |
---|---|
date | The current date and time. For example, the format of the date is Wed, 28 Jun 2023 11:25:19 GMT. |
authorization | The actual HMAC signature, generated using the specified algorithm (sha512), which includes the hashed data. For more information, refer to authorization fields description. |
authorization fields description
Field | Description |
---|---|
username | Represents the username or identifier for the client or merchant, for example smsplus. |
algorithm | Use SHA512 algorithm for hashing and send this as header value. |
headers | Specifies which headers have been used in generating the hash, for example date. |
signature | The HMAC signature generated using the specified algorithm. For more information, refer to hashing algorithm. |
hashing algorithm
You must hash the request parameters using the following hash logic:
Hash logic: sha512(<Body data> + '|' + date + '|' + merchant_secret)
Where <Body data> contains the request body posted with the request.
Sample header code
// Assumes CryptoJS is loaded and request['data'] holds the raw request body.
var merchant_key = 'smsplus';
var merchant_secret = 'izF09TlpX4ZOwmf9MvXijwYsBPUmxYHD';

// date header value
var date = new Date();
date = date.toUTCString();

// authorization header value
var authorization = getAuthHeader(date);

function getAuthHeader(date) {
  var AUTH_TYPE = 'sha512';
  // An absent or empty body is hashed as the empty string.
  var data = request['data'] ? request['data'] : "";
  // Hash logic: sha512(<Body data> + '|' + date + '|' + merchant_secret)
  var hash_string = data + '|' + date + '|' + merchant_secret;
  var hash = CryptoJS.SHA512(hash_string).toString(CryptoJS.enc.Hex);
  return `hmac username="${merchant_key}", algorithm="${AUTH_TYPE}", headers="date", signature="${hash}"`;
}
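The same header construction with Node's built-in crypto module, plus a local self-check that recomputes the signature. This is an added example, not PayU's code: the function names, the placeholder secret and the verification routine are assumptions, and only the hash logic and header layout come from this page.

```javascript
const nodeCrypto = require('crypto');

// Hash logic from this page: sha512(<Body data> + '|' + date + '|' + merchant_secret)
function signatureFor(body, date, merchantSecret) {
  return nodeCrypto.createHash('sha512')
    .update(`${body || ''}|${date}|${merchantSecret}`, 'utf8')
    .digest('hex');
}

// Builds both request headers. `body` must be the exact string that is sent:
// re-serializing the JSON after signing changes the bytes and the signature.
function buildAuthHeaders(merchantKey, merchantSecret, body, now = new Date()) {
  const date = now.toUTCString();
  const signature = signatureFor(body, date, merchantSecret);
  return {
    date,
    authorization: `hmac username="${merchantKey}", algorithm="sha512", ` +
      `headers="date", signature="${signature}"`,
  };
}

// Splits the authorization value into its key="value" fields.
function parseAuthHeader(header) {
  const fields = {};
  for (const m of header.matchAll(/(\w+)="([^"]*)"/g)) fields[m[1]] = m[2];
  return fields;
}

// Local self-check (assumption: mirrors the hash logic above; PayU's own
// verification is not described on this page). Compares in constant time.
function verifyAuthHeaders(headers, body, merchantSecret) {
  const f = parseAuthHeader(headers.authorization || '');
  if (f.algorithm !== 'sha512' || f.headers !== 'date') return false;
  if (!/^[0-9a-f]{128}$/.test(f.signature || '')) return false;
  const expected = Buffer.from(signatureFor(body, headers.date, merchantSecret), 'hex');
  return nodeCrypto.timingSafeEqual(expected, Buffer.from(f.signature, 'hex'));
}

// Constructed sample input: placeholder secret, field values from the request body table.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = JSON.stringify({
  accountId: 'MERCHANT123', referenceId: 'REF123456', amount: 1000, currency: 'INR',
});
const SAMPLE_HEADERS = buildAuthHeaders(
  'MERCHANT123', SAMPLE_SECRET, SAMPLE_BODY, new Date(Date.UTC(2023, 5, 28, 11, 25, 19)));
```

Serialize the body once, sign that string and send the same string; keep merchant_secret in server-side configuration rather than in client code.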
Request body
Parameter | Description | Example |
---|---|---|
accountId | | MERCHANT123 |
referenceId | | REF123456 |
amount | | 1000 |
currency | | INR |
paymentSource | | WEB |
paymentMethod | | { |
order | | |
additionalInfo | | |
callBackActions | | |
billingDetails | | |
paymentMethod JSON object Fields
Field | Description | Example |
---|---|---|
name (mandatory for seamless) | string. Payment method name (e.g., CreditCard, DebitCard, NetBanking, UPI). This replaces the 'pg' parameter from v1. Character limit: 10. Possible values: CreditCard, DebitCard, NetBanking, UPI, Wallet, EMI, BNPL. | CreditCard |
bankCode (mandatory for seamless) | string. Bank code or payment gateway code. This replaces the 'bankcode' parameter from v1. Character limit: 10. Common values: CC (Credit Card), DC (Debit Card), NB (Net Banking), UPI (UPI payments), WALLET (Wallet payments). | CC |
paymentCard object fields description
Field | Description |
---|---|
cardNumber | |
validThrough | |
ownerName | |
cvv | |
tavv | |
last4Digits | |
cardTokenType | |
cardToken | |
Error Handling: If any error message is displayed with an error code, refer to the Error Codes section to understand the reason for these error codes.
Sample request
curl --location 'https://apitest.payu.in/v2/payments' \
  --header 'date: Thu, 27 Mar 2025 10:12:27 GMT' \
  --header 'authorization: hmac username="smsplus", algorithm="sha512", headers="date", signature="ec84843a663143bb89391f6fa2d4b9404bab1543a3eee81263b4a507ebf5d289d8fad1fbcdd59da820951e3e0f9b0b0b3d1bad9b41338804e7c42a8a6197c6e9"' \
  --header 'Content-Type: application/json' \
  --header 'Cookie: PHPSESSID=sclorpmpb4ngion5e996os22ao' \
  --data-raw '{
  "accountId": "smsplus",
  "txnId": "b5f2d8785768087678fn4",
  "paymentMethod": {
    "name": "CreditCard",
    "bankCode": "CC",
    "paymentCard": {
      "cardNumber": 5497774415170603,
      "validThrough": "05/2025",
      "cvv": 123,
      "cardToken": "29850879bf39848ca078727b8e1a95165a41cea1",
      "ownerName": "Ashish",
      "issuer": "ICICI",
      "bin": "500446",
      "last4Digits": "0000",
      "cardHash": null,
      "cardTokenType": "NETWORK",
      "tavv": "/wAAAAAAPtP+g6IAmbSeg1gAAAA="
    }
  },
  "order": {
    "productInfo": "qwertyuiopasdfghjkl",
    "orderedItem": [
      {
        "itemId": "1",
        "description": "string",
        "quantity": 1
      }
    ],
    "userDefinedFields": {
      "udf1": "",
      "udf2": "",
      "udf3": "",
      "udf4": "",
      "udf5": "",
      "udf6": "",
      "udf7": "",
      "udf8": "",
      "udf9": "",
      "udf10": ""
    }
  },
  "callBackActions": {
    "successAction": "https://pp78admin.payu.in/test_response",
    "failureAction": "https://pp78admin.payu.in/test_response",
    "cancelAction": "https://pp78admin.payu.in/test_response"
  },
  "billingDetails": {
    "firstName": "sartaj",
    "lastName": "",
    "phone": "9876543210",
    "email": "[email protected]",
    "city": "Bharatpur",
    "state": "Rajasthan",
    "country": "India",
    "zipCode": "321028"
  },
  "authorization": {
    "eci": "05",
    "cavv": "AAABAWFlmQAAAABjRWWZEEFgFz",
    "flowType": "Frictionless",
    "threeDSTransID": "67b4c71f-19bf-4d97-bd09-4e3687dc9e42",
    "threeDSServerTransID": "eea30d14-71cf-41af-b961-f95b7d67dc93",
    "threeDSTransStatus": "Y",
    "threeDSTransStatusReason": "01",
    "aquirer_bin": "401200",
    "additionalInfo": {
      "authUdf1": "string",
      "authUdf2": "string"
    }
  },
  "threeDS2RequestData": {
    "threeDSVersion": "2.2.0",
    "deviceChannel": "APP"
  }
}'
Response parameters
Parameter | Description |
---|---|
referenceId | This parameter contains the reference ID of the transaction. |
paymentId | This parameter contains the payment ID of the transaction. |
message | This parameter contains the status message of the transaction. |
Sample response
Array
(
[referenceId] => b5f2d8785768087678fm9
[paymentId] => 1999110000001769
[message] => Please call verify api to get the transaction status
)
Reference: To check the transaction status, refer to Verify Payment API.
Response
In addition to the parameters in the response of a Merchant Hosted Checkout transaction with a card, PayU returns the network token and its expiry for PCI-compliant merchants, or the PayU token and its expiry for non-PCI-compliant merchants.