How to access the Indian Payment Channel API? A Developer's Guide

# India Payment Channel API Access Guide

As an expert in Indian payment platforms, I will give you a detailed overview of how to access the APIs of the leading payment channels in India.

Major Indian payment gateways

1. Razorpay
2. PayU India
3. CCAvenue
4. Instamojo
5. Paytm Payment Gateway

Common Access Process

1. Register for a merchant account
- Visit the official website of your chosen payment gateway and register for a merchant account
- Submit KYC documents (usually PAN card, GSTIN, bank account proof, etc.)
- Wait for approval (usually takes 1-3 working days)

2. API key acquisition
- Generate or view the API key pair in the gateway dashboard:
  - Key ID/Public Key
  - Key Secret/Private Key

3. API integration options
Most Indian payment gateways support:
- Checkout page integration (simplest)
- Webhooks for real-time notification processing
- SDK integration (Node.js, PHP, Python, etc.)
- Raw API calls (RESTful interface)

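Razorpay sample code (Node.js)

```javascript
const express = require('express');
const Razorpay = require('razorpay');

const app = express();
app.use(express.json()); // parse JSON bodies so req.body.price is available

// Replace the placeholders with the key pair from the dashboard; the secret stays server-side
const instance = new Razorpay({
  key_id: 'YOUR_KEY_ID',
  key_secret: 'YOUR_KEY_SECRET'
});

// '/create-order' is an example route name
app.post('/create-order', (req, res) => {
  // Creating an order
  const options = {
    amount: Math.round(req.body.price * 100), // integer amount in paisa (100 paisa = 1 rupee)
    currency: "INR",
    receipt: "order_rcptid_11"
  };

  instance.orders.create(options).then((order) => {
    res.json(order);
  }).catch((err) => {
    res.status(500).send(err);
  });
});
```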

PayU India Sample (PHP)

```javascript
// Razorpay UPI Intent Example
// `instance` is the Razorpay client created in the previous sample
const options = {
  amount: 50000, // ₹500 (in paisa)
  currency: "INR",
  method: "upi",
  customer: {
    contact: "+919876543210",
    email: "customer@example.com" // placeholder address
  },
  upi_link: true // enable UPI Intent flow
};

instance.paymentLink.create(options);
```

Description of key parameters:

  • vpa: Virtual Payment Address (e.g. user@upi)
  • flow: collect or intent (default)
  • expire_by: UPI link validity (UNIX timestamp)

EMI Options Configuration

Special care is required when dealing with instalments:

```php
<?php
$emiOptions = [
    'bank' => 'HDFC', // supported bank codes
    'tenure' => [3, 6], // number of instalment months allowed
    'interest_rate' => ['3' => 0, '6' => 2] // interest rate for each period (%)
];
```

2. Webhook security implementation

JWT signature verification (PayU example)

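```python
from flask import Flask, abort, request
from jwt import InvalidTokenError, decode

app = Flask(__name__)


def verify_webhook(req):
    """Return the verified payload, or reject the request with 403."""
    try:
        payload = decode(
            req.headers.get('X-PayU-Signature', ''),
            key='YOUR_MERCHANT_SECRET',
            algorithms=['HS256'],  # pin the algorithm instead of trusting the token header
        )
        return payload['payload']
    except (InvalidTokenError, KeyError):
        # Covers a bad signature, a missing or malformed token and a missing claim
        abort(403)  # rejects unauthenticated request


@app.route('/webhook', methods=['POST'])
def handle_webhook():
    verified_data = verify_webhook(request)
    # Process verified_data here, then acknowledge receipt
    return '', 200
```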

Security features:
✅ IP whitelist validation (obtain the gateway's official IP ranges)
✅ HMAC signature double-checking
✅ Nonce-based protection against replay attacks
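
The three checks listed above, combined in one verifier, as an added example (not code from this guide's sources or from any gateway's SDK). The signed string `timestamp.nonce.body`, the field names and the allowlisted range are assumptions for illustration; use the scheme and IP ranges the gateway documents.

```javascript
const crypto = require('crypto');

// Assumptions for illustration, not any gateway's documented scheme:
// the signature is hex HMAC-SHA256 over `${timestamp}.${nonce}.${rawBody}`.
const ALLOWED_CIDRS = ['203.0.113.0/24']; // constructed; use the gateway's published ranges
const MAX_SKEW_SECONDS = 300;
const seenNonces = new Map(); // nonce -> expiry; use a shared store across several instances

function ipv4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split('.').map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function ipAllowed(ip, cidrs = ALLOWED_CIDRS) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return cidrs.some((cidr) => {
    const [base, bits] = cidr.split('/');
    const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function sign(secret, timestamp, nonce, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${nonce}.${rawBody}`).digest('hex');
}

// Returns 'ok' or the reason for rejection. rawBody must be the body exactly as
// received, not a re-serialised object, or the HMAC will not match.
function verifyWebhook({ ip, timestamp, nonce, signature, rawBody }, secret, now = Date.now() / 1000) {
  if (!ipAllowed(ip)) return 'ip_not_allowed';
  if (!Number.isFinite(timestamp) || Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return 'stale_timestamp';
  const expected = Buffer.from(sign(secret, timestamp, nonce, rawBody), 'hex');
  const given = Buffer.from(String(signature), 'hex');
  // Constant-time comparison; check lengths first because timingSafeEqual throws on a mismatch
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad_signature';
  // Record the nonce only after the signature passes, so forged requests cannot fill the cache
  for (const [n, expiry] of seenNonces) if (expiry < now) seenNonces.delete(n);
  if (seenNonces.has(nonce)) return 'replayed_nonce';
  seenNonces.set(nonce, timestamp + MAX_SKEW_SECONDS);
  return 'ok';
}
```

Behind a load balancer or reverse proxy, pass the client address taken from the trusted proxy's forwarding header, not the socket address.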

API Error Handling Strategy

Common error codes and responses:

| HTTP status code | Error code | Suggested handling |
|---|---|---|
| 400 | BAD_REQUEST | Check parameter formats and required fields |
| 401 | UNAUTHORIZED | Regenerate authentication tokens |
| 429 | RATE_LIMITED | Implement an exponential backoff retry mechanism |
| 502/504 | | Design asynchronous compensation mechanisms |

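Recommended Retry Logic Implementation (Node.js):

```javascript
// `gateway` stands for the payment gateway SDK client
async function makePaymentRequest(params, retries = 3) {
  try {
    return await gateway.charge(params);
  } catch (err) {
    if (retries > 0 && isRetriable(err)) {
      // With the default of 3 retries: wait 1 s, 2 s, then 3 s
      await new Promise(r => setTimeout(r, 1000 * (4 - retries)));
      return makePaymentRequest(params, retries - 1);
    }
    throw err;
  }
}

// Retry only on transient network errors and server-side (5xx) failures
function isRetriable(err) {
  const codes = ['ECONNRESET', 'ETIMEDOUT', 'EPIPE'];
  return codes.includes(err.code) || err.statusCode >= 500;
}
```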
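
The error table recommends exponential backoff for 429 responses, while the helper above waits a linearly growing delay and does not retry on 429. The following added example (not from any gateway SDK) shows exponential backoff with full jitter that also honours a server-supplied wait; the `statusCode` and `retryAfterSeconds` error fields and the timing constants are assumptions.

```javascript
const BASE_MS = 500;   // first backoff ceiling (assumed value)
const CAP_MS = 8000;   // never wait longer than this (assumed value)
const NETWORK_CODES = ['ECONNRESET', 'ETIMEDOUT', 'EPIPE'];

function shouldRetry(err) {
  return NETWORK_CODES.includes(err.code) || err.statusCode === 429 || err.statusCode >= 500;
}

// attempt is 0-based; rand is injectable so the schedule can be checked deterministically
function backoffDelayMs(attempt, err = {}, rand = Math.random) {
  if (err.statusCode === 429 && Number.isFinite(err.retryAfterSeconds)) {
    return Math.min(err.retryAfterSeconds * 1000, CAP_MS); // the server said when to come back
  }
  const ceiling = Math.min(CAP_MS, BASE_MS * 2 ** attempt); // 500, 1000, 2000, ... up to the cap
  return Math.floor(rand() * ceiling); // full jitter: uniform in [0, ceiling)
}

// call is any function returning a promise, e.g. () => gateway.charge(params)
async function withRetry(call, { maxAttempts = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)), rand } = {}) {
  for (let attempt = 0; ; attempt++) {
    try {
      return await call();
    } catch (err) {
      // Give up on the last attempt or on errors a retry cannot fix (400, 401, ...)
      if (attempt + 1 >= maxAttempts || !shouldRetry(err)) throw err;
      await sleep(backoffDelayMs(attempt, err, rand));
    }
  }
}
```

Wrap only calls that are safe to repeat: a charge that timed out may already have succeeded on the gateway side.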

PCI DSS Compliance Requirements

Norms that must be followed to process card data in India:

  1. SAQ A-EP applicable scenarios:
    ✔️ Fully hosted payment page
    ✔️ No sensitive data flows through your own servers

  2. List of necessary measures:
    🔹 Quarterly Vulnerability Scan (QSA Certification Tool)
    🔹 Annual Penetration Test Reports
    🔹 Mandatory TLS 1.2+ (with the HSTS header set)

  3. Logging specifications:
    📝 Keep a transaction log for at least 12 months
    🚫 Never store CVV/CVC numbers
    🛡️ Store PAN numbers encrypted (AES256 plus key rotation)

BharatQR Special Integration

For offline merchants, the unified QR code needs to be supported.

```java
import java.math.BigDecimal;

// Example of generating BharatQR content (BHIM SDK)
// The merchant, store and terminal IDs below are sample values
String qrData = new QRBuilder()
    .setMerchantId("MER123456")
    .setStoreId("STORE001")
    .setTerminalId("POS01")
    .setAmount(new BigDecimal("250.50"))
    .buildBharatQRString();
```

Response format specification:

```json
{
  "qrType": "BHARATQR",
  "content": "000201010212...",
  "imageUrl": "https://api.upi.qr/v1/generate?data=..."
}
```

⚠️ Note that dynamic QR codes are usually valid for 10 minutes

We hope this advanced content will help you build a more robust payment system. Please be sure to refer to the latest official documentation for each platform as NPCI and RBI regulatory requirements are updated regularly. For more detailed implementation of a particular gateway, I can provide guidance specific to a particular platform.