1. Build Integration for Cards (New Integration)

Steps to integrate S2S JSON API and accept payments using cards.


You can integrate with Razorpay APIs to start accepting card payments. Razorpay APIs support the latest 3DS2 authentication protocol.

Handy Tips
If you are an existing Razorpay user, that is, you integrated with our S2S APIs before October 15, 2022, you need to make certain integration changes to

.

Watch Out!

You must have a PCI compliance certificate to get this feature enabled on your account.

3DS2 is an authentication protocol, the successor of 3DS1, that enables businesses and payment providers to send additional information (such as customer device or browser data) to verify the transaction's authenticity. Razorpay integration is compliant with the 3DS2 protocol.

Know more: Razorpay supports

.

Handy Tips

  • Integration does not differ for the challenge flow or frictionless flow.
  • Frictionless flow is not applicable for payments on cards issued in India.

Follow the steps below to integrate S2S JSON API with browser flow and accept payments using cards.

1.1

.

1.2

.

1.3

.

1.4

.

1.5

.

1.6

.

Watch Out!

Do not hardcode the URL returned in the API responses.

Order is an important step in the payment process.

  • An order should be created for every payment.
  • You can create an order using the . It is a server-side API call. Know how to Orders API.
  • The order_id received in the response should be passed to the checkout. This ties the order with the payment and secures the request from being tampered.

You can create an order:

  • Using the sample code on the Razorpay Postman Public Workspace.
  • By manually integrating the API sample codes on your server.

You can use the Postman workspace below to create an order:

Handy Tips

Under the Authorization section in Postman, select Basic Auth and add the Key Id and secret as the Username and Password, respectively.

Use this endpoint to create an order using the Orders API.

POST
/orders
curl -X POST https://api.razorpay.com/v1/orders
-U [YOUR_KEY_ID]:[YOUR_KEY_SECRET]
-H 'content-type:application/json'
-d '{
"amount": 500,
"currency": "INR",
"receipt": "qwsaq1",
"partial_payment": true,
"first_payment_min_amount": 230,
"notes": {
"key1": "value3",
"key2": "value2"
}
}'
{
"id": "order_IluGWxBm9U8zJ8",
"entity": "order",
"amount": 5000,
"amount_paid": 0,
"amount_due": 5000,
"currency": "INR",
"receipt": "rcptid_11",
"offer_id": null,
"status": "created",
"attempts": 0,
"notes": [],
"created_at": 1642662092
}

Request Parameters

amount

mandatory

integer Payment amount in the smallest currency sub-unit. For example, if the amount to be charged is ₹299.00, then pass 29900 in this field. In the case of three decimal currencies, such as KWD, BHD and OMR, to accept a payment of 295.991, pass the value as 295990. And in the case of zero decimal currencies such as JPY, to accept a payment of 295, pass the value as 295.

Watch Out!

As per payment guidelines, you should pass the last decimal number as 0 for three decimal currency payments. For example, if you want to charge a customer 99.991 KD for a transaction, you should pass the value for the amount parameter as 99990 and not 99991.

currency

mandatory

string The currency in which the transaction should be made. See the

. Length must be 3 characters.

Handy Tips

Razorpay has added support for zero decimal currencies, such as JPY, and three decimal currencies, such as KWD, BHD, and OMR, allowing businesses to accept international payments in these currencies. Know more about

(May 2024).

receipt

optional

string Your receipt id for this order should be passed here. Maximum length is 40 characters.

notes

optional

json object Key-value pair that can be used to store additional information about the entity. Maximum 15 key-value pairs, 256 characters (maximum) each. For example, "note_key": "Beam me up Scotty”.

partial_payment

optional

boolean Indicates whether the customer can make a partial payment. Possible values:

  • true: The customer can make partial payments.
  • false (default): The customer cannot make partial payments.

first_payment_min_amount

optional

integer Minimum amount that must be paid by the customer as the first partial payment. For example, if an amount of ₹7,000.00 is to be received from the customer in two installments of #1 - ₹5,000.00, #2 - ₹2,000.00 then you can set this value as 500000. This parameter should be passed only if partial_payment is true.

Know more about

.

Response Parameters

Descriptions for the response parameters are present in the

parameters table.

Error Response Parameters

The error response parameters are available in the

.

After the order is created, your next step is to create a payment. The following API will create a payment with card as the payment method. The

capture the customer's browser details, which are sent to the banks to aid their risk analysis.

curl -X POST \
https://api.razorpay.com/v1/payments/create/json \
-u [YOUR_KEY_ID]:[YOUR_KEY_SECRET] \
-H "Content-Type: application/json" \
-d '{
"amount": 100,
"currency": "INR",
"contact": "9900008989",
"email": "gaurav.kumar@example.com",
"order_id": "order_DPzFe1Q1dEOKed",
"method": "card",
"card":{
"number": "4111111111111111",
"name": "Gaurav",
"expiry_month": "11",
"expiry_year": "30",
"cvv": "100"
},
"authentication":{
"authentication_channel": "browser"
},
"browser":{
"java_enabled": false,
"javascript_enabled": false,
"timezone_offset": 11,
"color_depth": 23,
"screen_width": 23,
"screen_height": 100
},
"ip": "105.106.107.108",
"referer": "https://merchansite.com/example/paybill",
"user_agent": "Mozilla/5.0"
}'

Handy Tips

The payment request and response would remain the same for both frictionless and challenge scenarios.

amount

mandatory

integer Payment amount in the smallest currency sub-unit. For example, if the amount to be charged is ₹299.00, then pass 29900 in this field. In the case of three decimal currencies, such as KWD, BHD and OMR, to accept a payment of 295.991, pass the value as 295990. And in the case of zero decimal currencies such as JPY, to accept a payment of 295, pass the value as 295.

Watch Out!

As per payment guidelines, you should pass the last decimal number as 0 for three decimal currency payments. For example, if you want to charge a customer 99.991 KD for a transaction, you should pass the value for the amount parameter as 99990 and not 99991.

currency

mandatory

string Currency code for the currency in which you want to accept the payment. For example, INR. Refer to the list of supported currencies. The length must be 3 characters.

Handy Tips

Razorpay has added support for zero decimal currencies, such as JPY, and three decimal currencies, such as KWD, BHD, and OMR, allowing businesses to accept international payments in these currencies. Know more about

(May 2024).

order_id

mandatory

string Unique identifier of the Order generated in the first step.

email

mandatory

string Email address of the customer. The maximum length supported is 40 characters.

contact

mandatory

string Phone number of the customer. The maximum length supported is 15 characters, inclusive of country code.

method

mandatory

string Name of the payment method. Possible value is card.

card

mandatory

object Details associated with the card.

number

string Unformatted card number.

name

string Name of the cardholder.

expiry_month

string Expiry month for the card in MM format.

expiry_year

string Expiry year for the card in YY format.

cvv

string CVV printed on the back of the card.

Handy Tips

  • CVV is not required by default for tokenised cards across all networks.
  • CVV is optional for tokenised card payments. Do not pass dummy CVV values.
  • To implement this change, skip passing the cvv parameter entirely, or pass a null or empty value in the CVV field.
  • We recommend removing the CVV field from your checkout UI/UX for tokenised cards.
  • If CVV is still collected for tokenised cards and the customer enters a CVV, pass the entered CVV value to Razorpay.

user-agent

mandatory

string The User-Agent header of the user's browser. The default value will be passed by Razorpay if not provided by you.

ip

mandatory

string The customer's IP address.

authentication

optional

object Details of the authentication channel.

authentication_channel

string The authentication channel for the payment. Possible values:

  • browser (default)
  • app

browser

mandatory

object Information regarding the customer's browser. This parameter need not be passed when authentication_channel=app.

java_enabled

boolean Indicates whether the customer's browser supports Java. Obtained from the navigator HTML DOM object.

javascript_enabled

boolean Indicates whether the customer's browser can execute JavaScript.Obtained from the navigator HTML DOM object.

timezone_offset

integer Time difference between UTC time and the cardholder's browser local time. Obtained from the getTimezoneOffset() method applied to the Date object.

screen_width

integer Total width of the payer's screen in pixels. Obtained from the screen.width HTML DOM property.

screen_height

integer Obtained from the navigator HTML DOM object.

color_depth

integer Obtained from the payer's browser using the screen.colorDepth HTML DOM property.

language

string Obtained from the payer's browser using the navigator.language HTML DOM property. Maximum limit of 8 characters.

notes

optional

object Key-value object used for passing tracking info. Refer to

for more details.

callback_url

optional

string URL endpoint where Razorpay will submit the final payment status.

referrer

optional

string Referrer header passed by the client's browser.

If the payment request is valid, the response contains the following fields.

razorpay_payment_id

string Unique identifier of the payment. Present for all responses.

next

array A list of action objects available to you to continue the payment process. Present when the payment requires further processing.

action

string An indication of the next step available to you to continue the payment process. Possible values:

  • otp_generate: Use this URL to allow the customer to generate OTP and complete the payment on your webpage.
  • redirect: Use this URL to redirect the customer to submit the OTP on the bank page.

url

string URL to be used for the action indicated.

If you would like the customer to enter the OTP on your website instead of the bank page, use the otp_generate URL. When this URL is triggered, you get the following response:

curl -u [YOUR_KEY_ID]
-X POST https://api.razorpay.com/v1/payments/pay_FVmAstJWfsD3SO/otp_generate
-H "Content-Type: application/json" \

id

mandatory

string Unique identifier of the payment.

If the payment request is valid, the response contains the following fields.

razorpay_payment_id

string Unique identifier of the payment. Present for all responses.

next

array A list of action objects available to you to continue the payment process. Present when the payment requires further processing.

action

string An indication of the next step available for payment processing. Possible values:

  • opt_submit - Use this URL to allow the customer to submit OTP and complete the payment on your webpage.
  • opt_resend - Use this URL to resend OTP to the customer.

url

string URL to be used for the action indicated.

If the customer faces any latency issues, you can choose to cancel this request and redirect the customer to the bank page to enter the OTP and complete the payment. Thus, you can avoid payment failure by switching the customer to the bank page payment flow.

Razorpay sends the respective success or failure response after the customer submits the OTP on your page.

The following endpoint submits the OTP:

POST
payments/:id/otp/submit

After the payment is completed, the final response is posted to the URL given in callback_url of the request, and can then be verified.

Once the payment is completed by the customer, a POST request is made to the callback_url provided in the payment request. The data contained in this request will depend on whether the payment was a success or a failure.

If the payment made by the customer is successful, the following fields are sent:

  • razorpay_payment_id
  • razorpay_order_id
  • razorpay_signature
{
"razorpay_payment_id": "pay_29QQoUBi66xm2f",
"razorpay_order_id": "order_9A33XWu170gUtm",
"razorpay_signature": "9ef4dffbfd84f1318f6739a3ce19f9d85851857ae648f114332d8401e0949a3d"
}

If the payment has failed, the callback will contain details of the error. Refer to

for details.

Signature verification is a mandatory step to ensure that the callback is sent by Razorpay. The razorpay_signature contained in the callback can be regenerated by your system and verified as follows.

Create a string to be hashed using the razorpay_payment_id contained in the callback and the Order ID generated in the first step, separated by a |. Hash this string using SHA256 and your API Secret.

generated_signature = hmac_sha256(order_id + "|" + razorpay_payment_id, secret);
if (generated_signature == razorpay_signature) {
payment is successful
}

/**
* This class defines common routines for generating
* authentication signatures for Razorpay Webhook requests.
*/
public class Signature
{
private static final String HMAC_SHA256_ALGORITHM = "HmacSHA256";
/**
* Computes RFC 2104-compliant HMAC signature.
* * @param data
* The data to be signed.
* @param key
* The signing key.
* @return
* The Base64-encoded RFC 2104-compliant HMAC signature.
* @throws
* java.security.SignatureException when signature generation fails
*/
public static String calculateRFC2104HMAC(String data, String secret)
throws java.security.SignatureException
{
String result;
try {
// get an hmac_sha256 key from the raw secret bytes
SecretKeySpec signingKey = new SecretKeySpec(secret.getBytes(), HMAC_SHA256_ALGORITHM);
// get an hmac_sha256 Mac instance and initialize with the signing key
Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
mac.init(signingKey);
// compute the hmac on input data bytes
byte[] rawHmac = mac.doFinal(data.getBytes());
// base64-encode the hmac
result = DatatypeConverter.printHexBinary(rawHmac).toLowerCase();
} catch (Exception e) {
throw new SignatureException("Failed to generate HMAC : " + e.getMessage());
}
return result;
}
}

Use Payments Rainy Day kit to overcome payments exceptions such as:

Handy Tips

On the Dashboard, ensure that the payment status is captured. Refer to the payment capture settings page to know how to

.

You can track the payment status in three ways:

To verify the payment status from the Dashboard:

  1. Log in to the and navigate to TransactionsPayments.
  2. Check if a Payment Id has been generated and note the status. In case of a successful payment, the status is marked as Captured.
Check if the payment id is generated and the status is captured


Is this integration guide useful?