The v2 Save Card API is used for saving a card to the vault. After successfully storing a card, it returns the cardToken.
HTTP Method: POST
Environment
| Production Environment | https://info.payu.in/storecard/card/v1 |
| Test Environment | https://apitest.payu.in/storecard/card/v1 |
Request Parameters
Authentication header
| Parameter | Description |
|---|---|
| date | The current date and time. For example, format of the date is Wed, 28 Jun 2023 11:25:19 GMT. |
| authorization | The actual HMAC signature generated using the specified algorithm (sha512) and includes the hashed data. For more information, refer to authorization fields description table below. |
authorization fields description
| Parameter | Description |
|---|---|
| username | Represents the username or identifier for the client or merchant, in this case, it's "smsplus". |
| algorithm | Use SHA512 algorithm for hashing and send this as header value. |
| headers | Specifies which headers have been used in generating the hash. In this case, only the "date" header is used. |
| signature | The actual HMAC signature generated using the specified algorithm (sha512) and includes the hashed data. For more information, refer to hashing algorithm. |
hashing algorithm
You must hash the request parameters using the following hash logic:
sha512(<Body data> + '|' + date + '|' + merchant_secret}Where, <Body data> contains the request Body posted with the request.
Sample authorization header code
var merchant_key = pm.environment.get('merchantKey') || 'PRiQvJ';
var merchant_secret = pm.environment.get('merchantSalt') || 'mGHSxpD2iBVywParGQrGBlaXjnwkGJMQ';
// Generate current date in RFC 1123 format
var date = new Date().toUTCString();
// Get request body data (empty for GET/DELETE)
var data = "";
if (pm.request.method === "POST" && pm.request.body && pm.request.body.raw) {
data = pm.request.body.raw;
}
// Generate authorization header
var hash_string = data + '|' + date + '|' + merchant_secret;
var hash = CryptoJS.SHA512(hash_string).toString(CryptoJS.enc.Hex);
var authorization = 'hmac username="' + merchant_key + '", algorithm="sha512", headers="date", signature="' + hash + '"';
// Set environment variables
pm.environment.set('date', date);
pm.environment.set('authorization', authorization);Header parameters
| Parameter | Description |
|---|---|
datemandatory | The current date and time. For example, format of the date is Wed, 28 Jun 2023 11:25:19 GMT. |
Body parameters
| Parameter | Reference | Example |
|---|---|---|
userCredentialmandatory | String The user credentials are posted in this parameter in the following format: MerchantKey:UserId | JP***G:abc |
cardNamemandatory | String The nickname of the card is specified in this parameter. | My_card |
cardModemandatory | String The card mode is specified in this parameter. For more information on card mode codes, refer to Card Type Codes and Supported Banks for Cards. | CC |
cardTypemandatory | String The card type of the card is specified in this parameter. For more information on card type codes, refer to Card Type Codes and Supported Banks for Cards | AMEX |
nameOnCardmandatory | String The name on the card is specified in this parameter. | Ashish |
cardNomandatory | String The card number is specified in this parameter. For the test cards to do mock API calls, refer to Test Cards, UPI ID and Wallets. | 4761360079851258 |
cardExpiryMonthmandatory | Integer The card expiry month is specified in this parameter. | 12 |
cardExpiryYearmandatory | Integer The card expiry year is specified in this parameter. | 2029 |
authRefNumbermandatory for Rupay and AMEX cards | String This parameter can be any of the following based on the Rupay or AMEX card used:• The authorization reference number received during authorization call of Rupay card transactions. • The AEVV received during authorization call of Amex card transactions. Notes: • This parameter is mandatory for Rupay cards. Authentication reference number will be sent by the PG in the authorization response. Currently, this check is skipped by Rupay. • This parameter is mandatory for AMEX cards. American Express Verification Value will be sent by the PG in the authorization response. | 6381242223626382106105 |
Sample request
curl --location 'https://apitest.payu.in/storecard/card/v1' \
--header 'authorization: hmac username="PRiQvJ", algorithm="sha512", headers="date", signature="30d8f518edda5b0962c35c0057024cabb6e7f19727488cb1874e75652bcea7499811dbf3ddac419c50c2fe56a8e032129bb0d6eaeaa3f971b3c2b5ccbfd12aa3"' \
--header 'date: Fri, 24 Apr 2026 07:05:59 GMT' \
--header 'Content-Type: application/json' \
--header 'Cookie: PHPSESSID=krida5voc39gqosfud8tt6n8as' \
--data '{
"userCredential": "sms:123",
"cardName": "testAll",
"cardMode": "CC",
"cardType": "CC",
"nameOnCard": "test",
"cardNo": "4761360079851258",
"cardExpiryMonth": 12,
"cardExpiryYear": 2029
}'Sample response
Success scenario
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "18cc810671348c3d3241",
"cardNo": "XXXXXXXXXXXX1258",
"cardName": "testAll",
"networkToken": "4761360000000009"
}
}Success scenarios for various cards
VISA
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "917757449926e57ff2662",
"cardNo": "XXXXXXXXXXXX1165",
"cardName": "My_card",
"networkToken": "44173XXX1000XXX1",
"issuerToken": "QQ3LkzgZOnEjY428"
}
}Mastercard
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "917e296b5b6da5d20fbfb",
"cardNo": "XXXXXXXXXXXX2346",
"cardName": "Test_Card",
"networkToken": "3117328711111210",
"issuerToken": "AQ3LkzgBNyEjY213"
}
}American Express
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "917e29XXX6da5XXCbfb",
"cardNo": "XXXXXXXXXXX1002",
"cardName": "AMEX_Card",
"networkToken": "51273287XXX61215",
"issuerToken": "Va3RaqBNyPnY673"
}
}Rupay
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "91XXX96b5b6da5dXXXbfb",
"cardNo": "XXXXXXXXXXXX0001",
"cardName": "Rupay_Card",
"networkToken": "712XXX870976XX2",
"issuerToken": "Ya4HawKgbLmr312"
}
}Diners
{
"message": "Card Stored Successfully.",
"status": 1,
"result": {
"cardToken": "91XXX296b5b6da5XXXbfb",
"cardNo": "XXXXXXXXXXXX0009",
"cardName": "Diner_Card",
"networkToken": "8koNXXXC1bT0Hv5a",
"issuerToken": "LQ3QkzXXXnEjY428"
}
}Failure scenario
- If card number is invalid
{
"message": "CardNumber is invalid",
"status": 0
}Response parameters for Save a Card API
The following table describes the parameters in the response:
Note: For every successful payment transaction, PayU returns the mihpayid and cardToken parameters to the merchants, but
networkTokenandissuerTokenare returned only if you are PCI-DSS compliant.
| Parameter | Description | Example |
|---|---|---|
| message | The description of the response whether the card details were stored successfully or not stored. | Card Stored Successfully. |
| status | The status of the response can be any of the following: • 1: Success • 0: Failure | 1 |
| result | This contains the token details in a JSON format. For more information, refer to result JSON fields description. |
result JSON fields description
| Parameter | Description | Example |
|---|---|---|
| cardToken | The cardToken returned by PayU for the successful response. | 18cc810671348c3d3241 |
| cardNo | The redacted card number with the last four digits that was saved. | XXXXXXXXXXXX1258 |
| cardName | The nickname of the card that was saved. | testAll |
| networkToken | The network token returned in this parameter (returned only when the merchant is PCI-DSS compliant). | 1234 5*** 9*** 3456 |
| issuerToken | The issuer token returned in this parameter (returned only when the merchant is PCI-DSS compliant). | 3456 7*** A*** EFGH |