Payout Seamless IMPS Integration

For onboarding in both the UAT and production environments, the merchant needs to provide the following information:

Technical Information Required:

  1. IP Address: (For dynamic IPs, please provide a range of IP addresses.)

  2. Callback URL/WebHook URL: This is used to notify your server of any changes in transaction status from our back office.

Once the merchant has provided all the required technical details, we will complete the necessary configuration in our back office and provide the Merchant ID (MID/PID) along with login credentials.

Let's see how it works:

  1. The merchant will send a payout request through our API. Along with that, the merchant has to send the customer's account_no, account_holder, ifsc, the amount, payment_mode as imps.

  2. Once we receive the request in the correct format, we will share a payment reference string (ref_code) that is necessary for any future references or actions related to the transaction.

  3. After the payout is processed, whether successful or failed, we will send callback data to the provided callback URL (WebHook URL) with the details of the transaction.

  4. To confirm the status of the payout, the merchant can use the polling API to check the current status and update their system accordingly with the payment outcome. (Status Polling)

PAYOUT REQUEST :

Before proceeding with this section of the document, the developer must review the basic workflow. This page explains how to submit a payment request.

Note: All requests must originate from whitelisted IP addresses. (Please ensure that your IP is whitelisted before making a request.)

Payout Request

POST https://<domain>/payout/api/request.php

Headers

Name
Value

Content-Type

application/json

Body

Name
Type
Description
Mandatory

payment_mode

string

imps

Yes

pid

string

provided MID/PID

Yes

order_id

string

unique order id(10 to 13 alphanumeric string)

Yes

amount

int

amount

Yes

account_holder

string

Receiver's account name

Yes

account_no

string

Receiver's account number

Yes

bank

string

Receiver's bank name

No

ifsc

string

Receiver's bank IFSC code

Yes

bank_address

string

Receiver's bank address

No

email

string

Receiver's email

Yes

phone

string

Receiver's phone

Yes

{
    "payment_mode":"imps",
    "pid":"2323232323",
    "order_id":"6876mhnytg", 
    "amount": 8128,
    "account_holder":"user1",
    "account_no":"78473xxx", 
    "bank":"SBI",
    "ifsc":"SBI002",
    "bank_address":"icicici pune",
    "email":"[email protected]",
    "phone":"8754850254"
}

Sample Response Body

{
    "ref_code":"7701004b34f1db47cbf7edf3eb376703158df1e88b4c1c4a8b2b04d9ebe500d07683f0f5615eccc0c038cb621823f0aadb6df1adc44904e0ba1044c0cbcbeb4e",
    "status":"Pending",
    "message":"Request Saved successfully"
}

CALLBACK

We trigger your callback URL whenever there is a change in the transaction status.

Valid Transaction status are:

  1. Approved

  2. Declined

  3. Pending

  4. Processing

  5. Failed

  6. Refunded

The most famous transaction changes are (but not limited):

  1. Pending => Processing

  2. Pending => Approved

  3. Pending => Declined/Failed

  4. Approved => Declined/Failed

The callback landing page must be hosted on your server at a secret path, but it should still be publicly accessible from our whitelisted IPs. (Please ensure you accept data only from our IPs by implementing proper IP whitelisting.)

In the POST body, you will receive the following properties in JSON format:

Name
Type
Description

order_id

string

Your order id shared

requested_amount

int

requested amount

processed_amount

int

received amount

bank_reference

string

bank reference/UTR details if available

sender_pg

string

sender account name id if available

ref_code

string

unique code for the transaction

status

string

status of payment at this time

post_hash

string

post hash for security verification

payment_type

string

payment type

request_time

string

payment request time

action_time

string

payment made time

upi_vpa

string

receiver vpa if available

account_no

string

receiver account number

account_holder

string

receiver name

ifsc

string

receiver IFSC code

bank_name

string

receiver bank name if available

bank_address

string

receiver bank address if available

transaction_info

array

status change log of transaction

Follow the steps to verify the integrity of received data:

  1. Capture and Decode the Payload

Capture the raw JSON data from the POST body and decode it into an array or object. The following examples assume you have this data in a variable named $array (PHP), array (JavaScript), or array (Python).

// Capture and decode the raw POST body
$data = file_get_contents("php://input");
$array = json_decode($data, true);

  1. Extract and Decrypt the Remote Hash

First, extract the post_hash string from the JSON payload and Base64-decode it. Then, pass the resulting binary data to the decrypt function (provided in the reference section below).

// Get the Base64 string from the array
$post_hash_base64 = $array['post_hash'];
 
// Decode it to get the raw binary ciphertext
$ivHashCiphertext = base64_decode($post_hash_base64);
 
//$secret_key is your provided SECRET KEY
// Decrypt using the function from the reference section below
$remote_hash = decrypt($ivHashCiphertext, $secret_key);

The decrypt function for your language is provided in the reference section below.

function decrypt($ivHashCiphertext, $password) 
{    
    $method = "AES-256-CBC";    
    $iv = substr($ivHashCiphertext, 0, 16);    
    $hash = substr($ivHashCiphertext, 16, 32);    
    $ciphertext = substr($ivHashCiphertext, 48);    
    $key = hash('sha256', $password, true);    
    if (!hash_equals(hash_hmac('sha256', $ciphertext . $iv, $key, true),$hash)) 
    return null;    
    return openssl_decrypt($ciphertext, $method, $key,    		    
    OPENSSL_RAW_DATA, $iv);                               
}

  1. Compute the Local Hash

Compute the local hash using the MD5 128-bit hashing algorithm. The hash is created by concatenating the order_id, amount_processed, and status from the callback payload, followed by your secret_key.

// Get the values from the same callback $array
$order_id = $array['order_id'];
$processed_amount = (string)$array['processed_amount']; 
$status = $array['status'];
 
$local_hash = md5($order_id . $processed_amount . $status . $secret_key);

  1. Compare the Hashes

Securely compare the decrypted remote_hash with the local_hash you just computed.

if ($remote_hash !== null && hash_equals($local_hash, $remote_hash)) {  
    // Mark the transaction as success & process the order  
    $hash_status = "Hash Matched";    
} else {  
    // Verification failed       
    $hash_status = "Hash Mismatch";  
}

  1. Acknowledge the Payment Gateway

To confirm you have received the callback and to prevent our gateway from sending retries, you must do two things:

a. Respond with an HTTP 200 OK status code.

b. Respond with a JSON body containing the key "acknowledge" set to the string "yes".

// --- THIS IS THE IMPORTANT PART ---
// 1. Send an HTTP 200 OK status code
http_response_code(200);

// 2. Prepare the required JSON response
$response = [
    'acknowledge' => 'yes',
    'hash_status' => $hash_status // Optional: for your own logs
];
 
// 3. Send the response
header('Content-Type: application/json; charset=utf-8');
echo json_encode($response);
exit;

STATUS POLLING :

POST https://<domain>/payout/api/status_polling.php

This API is used to poll the status of a specific transaction.

Headers

Name
Value

Content-Type

application/json

Body

Name
Type
Description

pid

string

Provided Merchant ID/PID

ref_code

string

unique ref_code which is generated in payout request

post_hash

string

The Base64-encoded encrypted hash. (See steps below).

Steps to generate post_hash :

  1. Generate the Request post_hash

1.1 Create Plaintext Hash: Concatenate the ref_code, pid, and your secret_key, then create an MD5 hash.

$ref_code = "YOUR_REF_CODE";
$pid = "YOUR_PID";
$secret_key = "YOUR_SECRET_KEY";

$local_hash = md5($ref_code . $pid . $secret_key);

1.2 Encrypt the Hash: Encrypt the $local_hash using the encrypt function shown below.

$encrypted_hash = encrypt($local_hash, $secret_key);
function encrypt($plaintext, $password) 
{    
    $method = "AES-256-CBC";    
    $key = hash('sha256', $password, true);    
    $iv = openssl_random_pseudo_bytes(16);    
    $ciphertext = openssl_encrypt($plaintext, $method, $key,       
        OPENSSL_RAW_DATA, $iv);    
    $hash = hash_hmac('sha256', $ciphertext . $iv, $key, true);    
    return $iv . $hash . $ciphertext;
}

1.3 Base64 Encode: Base64-encode the raw binary output from the encrypt function. This final string is your post_hash.

  1. Send the POST Request

Send a POST request containing pid, ref_code, and post_hash as a JSON body , and you will receive a response after validating the data.

PHP (cURL) Example:
<?php
// Your transaction data
$pid = "YOUR_PID";
$ref_code = "YOUR_REF_CODE";
$secret_key = "YOUR_SECRET_KEY";

// --- Step 1: Generate Hash ---
$local_hash = md5($ref_code . $pid . $secret_key);
$encrypted_hash = encrypt($local_hash, $secret_key);
$post_hash = base64_encode($encrypted_hash);

// --- Step 2: Send Request ---
$api_url = "https://<domain>/payout/api/status_polling.php";

$data = [
    'pid' => $pid,
    'ref_code' => $ref_code,
    'post_hash' => $post_hash
];

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $api_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);

$server_output = curl_exec($ch);
curl_close($ch);

?>

  1. Processing the API Response

The API will respond with a JSON object. If the request is successful and the ref_code is found, it will return the transaction details. If it fails (e.g., bad hash, ref_code not found), it will return an error message.

Success Response Parameters

A successful response will contain the following parameters as JSON body:

Name
Type
Description

order_id

string

Your order id shared

requested_amount

int

requested amount

processed_amount

int

received amount

bank_reference

string

bank reference/UTR details if available

sender_pg

string

sender account name id if available

ref_code

string

unique code for the transaction

status

string

status of payment at this time

post_hash

string

post hash for security verification

payment_type

string

payment type

request_time

string

payment request time

action_time

string

payment made time

upi_vpa

string

receiver vpa if available

account_no

string

receiver account number

account_holder

string

receiver name

ifsc

string

receiver IFSC code

bank_name

string

receiver bank name if available

bank_address

string

receiver bank address if available

transaction_info

array

status change log of transaction

Error Response

An error response will contain an error key.

{
    "error": "error message"
}

  1. Verify the Response post_hash

Before trusting any data from the response, you must verify its post_hash to ensure the data is from us and has not been tampered with. This verification logic is identical to the logic used for verifying a callback.

You do not need to send an "Acknowledge" response for a status poll.

4.1 Compute the Local Hash

From the JSON response, get the order_id, processed_amount, and status. Concatenate them with your secret_key and create an MD5 hash.

// $response_data is the decoded JSON response from /api/status_polling.php
$order_id = $response_data['order_id'];
$processed_amount = (string)$response_data['processed_amount'];
$status = $response_data['status'];
 
$local_hash = md5($order_id . $processed_amount. $status . $secret_key);

4.2 Decrypt the Remote Hash

Get the post_hash string from the JSON response. Base64-decode it, then pass the raw binary data to the decrypt function.

// Get the Base64 string from the response
$post_hash_base64 = $response_data['post_hash'];
 
// Decode it to get the raw binary ciphertext
$ivHashCiphertext = base64_decode($post_hash_base64);
 
// Decrypt using the function from the reference section below
$remote_hash = decrypt($ivHashCiphertext, $secret_key);

The decrypt function for your language is provided in the reference section below.

function decrypt($ivHashCiphertext, $password) 
{    
    $method = "AES-256-CBC";    
    $iv = substr($ivHashCiphertext, 0, 16);    
    $hash = substr($ivHashCiphertext, 16, 32);    
    $ciphertext = substr($ivHashCiphertext, 48);    
    $key = hash('sha256', $password, true);    
    if (!hash_equals(hash_hmac('sha256', $ciphertext . $iv, $key, true),$hash)) 
    return null;    
    return openssl_decrypt($ciphertext, $method, $key,    		    
    OPENSSL_RAW_DATA, $iv);                               
}

4.3 Compare the Hashes

Securely compare the local_hash you just computed with the remote_hash you decrypted. If they match, you can trust the data.

if ($remote_hash !== null && hash_equals($local_hash, $remote_hash)) {
    // --- SUCCESS: Data is verified ---
    // You can now trust the data and update your database.
    // echo "Status: " . $response_data['status'];
} else {
    // --- FAILURE: Hash mismatch! ---
    // Do NOT trust this data.
}

TRANSACTION STATUS :

  1. Approved: Payment has been successfully approved by our system.

  2. Failed: Payment failed on the bank's side.

  3. Processing: The bank is currently processing the payment.

  4. Declined: Payment has been declined by our system.

  5. Pending: The user session is active, and the payment is awaiting completion.

  6. Refunded : The amount is refunded to customer

ERROR :

  1. No valid channel found : This error raise if no active channel/provider mapped against your MID

  2. Bank error , please contact admin : Unknown bank side error

  3. Hash value is not defined : This error raises for status check if the provided hash is not matched with genereted one

  4. Ref code does not exist : This error raise in the status check , if ref_code is not provided for status check

COMPLAINT

We have a dedicated Complaint Section where merchants can manage transaction-related complaints. Through this section, merchants can submit complaints with all necessary details and optional evidence. Upon submission, a unique complaint reference ID is generated, allowing merchants to track the complaint’s status and receive real-time updates via the status-check API. This ensures a smooth, secure, and efficient process for resolving any transaction issues.

Complaint

RECONCILIATION

This API endpoint allows authorized users to retrieve approved payout transactions based on a specific pid (Partner ID) and date. The API performs authentication using a token and signature verification to ensure secure communication.

Reconciliation

PAYOUT PROOF API

The Proof Images API allows you to retrieve proof images associated with payout transactions. This endpoint provides secure access to transaction evidence through API key authentication and request signature verification.

Payout proof API

PAYOUT STATUS CHECK

This API endpoint allows you to check the status of a specific payout transaction. It authenticates requests using a partner ID (pid) and a securely hashed signature.

Payout status check

PreviousPayin P2C Non-Seamless IntegrationNextPayout Seamless UPI Integration

Last updated