3. Fetch and Manage Tokens
Retrieve, manage and cancel tokens using Razorpay APIs for UPI Autopay mandates.
Once you capture a payment, Razorpay Checkout returns a razorpay_payment_id. You can use this id to fetch the token_id, which is used to create and charge subsequent payments.
You can retrieve the token_id using the
A token is a unique identifier that represents a registered UPI Autopay mandate between a customer and your business. When a customer approves a mandate through their UPI app during the
step, Razorpay generates atoken_id and associates it with the customer's customer_id.
The token stores the mandate's configuration, including the maximum debit amount, frequency and expiry date. You use this token_id every time you want to charge the customer a subsequent payment. A single customer can have multiple tokens for different mandates, for example, one for a monthly subscription and another for a quarterly insurance premium.
Handy Tips
- Each token is tied to a specific payment method and customer. A token created via UPI cannot be used for card-based recurring payments and vice versa.
- Tokens have a lifecycle with defined states. Always check the token state before attempting a subsequent debit. Know more in the section below.
A UPI Autopay token (mandate) transitions through the following states during its lifecycle. Ensure your integration handles all of these states to avoid unexpected failures.
Watch Out!
- Only tokens in the
confirmedstate can be used to execute subsequent payments. - If a token transitions to
paused,cancellation_initiated,cancelledorexpired, any subsequent payment attempt against that token will fail. - Tokens in the
cancellation_initiatedstate will eventually transition tocancelledonce NPCI confirms the closure. Do not treatcancellation_initiatedas a final state. - Tokens in the
rejectedstate indicate that the customer declined the mandate. You will need to initiate a new mandate registration for the customer.
The following endpoint fetches the token_id using a payment_id.
curl -u <YOUR_KEY_ID>:<YOUR_KEY_SECRET> \-X GET https://api.razorpay.com/v1/payments/pay_1Aa00000000002
{"id": "pay_FHfAzEJ51k8NLj","entity": "payment","amount": 100,"currency": "INR","status": "captured","order_id": "order_FHfANdTUYeP8lb","invoice_id": null,"international": false,"method": "upi","amount_refunded": 0,"refund_status": null,"captured": true,"description": null,"card_id": null,"bank": null,"wallet": null,"vpa": "gaurav.kumar@upi","email": "gaurav.kumar@example.com","contact": "+919876543210","customer_id": "cust_DtHaBuooGHTuyZ","token_id": "token_FHfAzGzREc1ug6","notes": {"note_key 1": "Beam me up Scotty","note_key 2": "Tea. Earl Gray. Hot."},"fee": 0,"tax": 0,"error_code": null,"error_description": null,"error_source": null,"error_step": null,"error_reason": null,"acquirer_data": {"rrn": "854977234911","upi_transaction_id": "D0BED5A062ECDB3E9B3A1071C96BB273"},"created_at": 1595447490}
Handy Tips
You can also retrieve the token_id via the
id
mandatory
string The unique identifier of the payment to be retrieved. For example, pay_1Aa00000000002.
A customer can have multiple tokens and these tokens can be used to create subsequent payments for multiple products or services. The following endpoint retrieves tokens linked to a customer.
Watch Out!
- This endpoint will not fetch the details of expired and unused tokens.
- The UPI tokens are not populated in the API response if the
save_vpafeature is not enabled in your account. Please raise a request with our to get this activated.
curl -u <YOUR_KEY_ID>:<YOUR_KEY_SECRET> \-X GET https://api.razorpay.com/v1/customers/cust_1Aa00000000002/tokens
{"entity": "collection","count": 1,"items": [{"id": "token_FHfAzGzREc1ug6","entity": "token","token": "9KHsdPaCELeQ0t","bank": null,"wallet": null,"method": "upi","vpa": {"username": "gaurav.kumar","handle": "upi","name": null},"recurring": true,"recurring_details": {"status": "confirmed","failure_reason": null},"auth_type": null,"mrn": null,"used_at": 1595447490,"created_at": 1595447490,"start_time": 1595447455,"dcc_enabled": false}]}
Handy Tips
The recurring_details.status field in the response indicates the current token state. Use this to check if the token is confirmed (active), paused, cancelled or in any other state before attempting a subsequent debit.
id
mandatory
string The unique identifier of the customer for whom tokens are to be retrieved. For example, cust_1Aa00000000002.
You can cancel tokens that are in the initiated, confirmed or paused state. Razorpay does not perform any additional validation checks before forwarding the cancellation request to NPCI.
Cancellations can fail if NPCI returns a failure response. This typically happens due to an internal issue on the remitter's side. Use the following endpoint to cancel a token. This initiates the cancellation of the mandate from NPCI.
curl -u [YOUR_KEY_ID]:[YOUR_KEY_SECRET] \-X PUT https://api.razorpay.com/v1/customers/cust_1Aa00000000002/tokens/token_1Aa00000000001/cancel
Handy Tips
- Use the Cancel Token API when you want to permanently revoke the mandate from NPCI. This ensures the customer cannot be charged further against this mandate.
- The response status
cancellation_initiatedindicates that the cancellation request has been sent to NPCI. The token enters thecancellation_initiatedstate while Razorpay waits for NPCI and the customer's bank to process the closure. Once confirmed, the token transitions tocancelled. - Do not attempt subsequent debits while the token is in the
cancellation_initiatedstate. The payment will fail.
customer_id
mandatory
string The unique identifier of the customer with whom the token is linked. For example, cust_1Aa00000000002.
token_id
mandatory
string The unique identifier of the token that is to be cancelled. For example, token_1Aa00000000001.
Given below is a list of possible errors you may face while cancelling a token.
- Description: The token provided is not a recurring/autopay token and is not eligible for cancellation via this API.
- Next Steps: Please ensure you are passing a valid UPI Autopay recurring token. Non-recurring tokens cannot be cancelled using this API.
- Description: The UPI mandate linked to this token is not in a cancellable state. The mandate may already be revoked or failed.
- Next Steps: Please check the current status of the mandate before attempting cancellation. Cancellation is only allowed when the mandate is in confirmed or active state.
- Description: The token provided does not belong to the authenticated customer. Cross-customer token access is not permitted.
- Next Steps: Please verify that the
token_idbelongs to the customer in context and retry with the correct token.
- Description: The token provided was not created under your merchant account. Cross-merchant token access is not permitted.
- Next Steps: Please ensure you are using tokens created under your own merchant account and retry with the correct
token_id.
- Description: A cancellation or update operation is already in progress for this token. Simultaneous requests on the same token are not allowed.
- Next Steps: Please wait at least 60 seconds before retrying the cancellation request. Avoid sending duplicate or parallel cancel requests for the same token.
Deleting a token removes it from Razorpay's database. The deleted token will not appear on the Dashboard or when all tokens are fetched. However, it does not cancel the mandate. If you wish to delete the mandate with Razorpay, you must first cancel it using the
.The following endpoint deletes a token.
curl -u [YOUR_KEY_ID]:[YOUR_KEY_SECRET] \-X DELETE https://api.razorpay.com/v1/customers/cust_1Aa00000000002/tokens/token_1Aa00000000001
{"deleted": true}
customer_id
mandatory
string The unique identifier of the customer with whom the token is linked. For example, cust_1Aa00000000002.
token_id
mandatory
string The unique identifier of the token that is to be deleted. For example, token_1Aa00000000001.
Is this integration guide useful?