3DS 2 Migration Guide - Browser Flow Cards Integration
If you integrated with our APIs before October 15, 2022, you should make the following changes to your integration to accept card payments with the 3DS 2 protocol.
If you integrated with our S2S APIs before October 15, 2022, you must make the following changes to your integration to accept card payments with the 3DS 2 authentication protocol.
Watch Out!
You must have a PCI compliance certificate to get this feature enabled on your account.
Ensure you make the following changes in your Create a Payment API request. There is no change in the response.
Given below is the sample code:
curl -X POST \https://api.razorpay.com/v1/payments/create/json \-u [YOUR_KEY_ID]:[YOUR_KEY_SECRET] \-H "Content-Type: application/json" \-d '{"amount": 100,"currency": "INR","contact": "9900008989","email": "gaurav.kumar@example.com","order_id": "order_DPzFe1Q1dEOKed","method": "card","card":{"number": "4111111111111111","name": "Gaurav","expiry_month": "11","expiry_year": "2030","cvv": "100"},"authentication":{"authentication_channel": "browser"},### 3DS2.0 Browser Parameters###"browser":{"java_enabled": false,"javascript_enabled": false,"timezone_offset": 11,"color_depth": 23,"screen_width": 23,"screen_height": 100},"ip": "105.106.107.108","referer": "https://merchansite.com/example/paybill","user_agent": "Mozilla/5.0"}'
Handy Tips
- The payment request and response would remain the same for both frictionless and challenge scenarios.
- The payment request would remain the same for redirection and native OTP flows.
amount
mandatory
integer
Payment amount in the smallest currency sub-unit. For example, if the amount to be charged is ₹299, then pass 29900
in this field.
currency
mandatory
string
Currency code for the currency in which you want to accept the payment. For example, INR. Refer to the list of supported currencies. The length must be 3 characters.
order_id
mandatory
string
Unique identifier of the Order generated in the first step.
mandatory
string
Email address of the customer. The maximum length supported is 40 characters.
contact
mandatory
string
Phone number of the customer. The maximum length supported is 15 characters, inclusive of country code.
method
mandatory
string
Name of the payment method. The possible value is card
.
card
mandatory
object
Details associated with the card.
number
string
Unformatted card number.
name
string
Name of the cardholder.
expiry_month
string
Expiry month for the card in MM format.
expiry_year
string
Expiry year for the card in YY format.
cvv
string
CVV printed on the back of the card.
Handy Tips
- CVV is not required by default for tokenised cards across all networks.
- CVV is optional for tokenised card payments. Do not pass dummy CVV values.
- To implement this change, skip passing the
cvv
parameter entirely, or pass anull
or empty value in the CVV field. - We recommend removing the CVV field from your checkout UI/UX for tokenised cards.
- If CVV is still collected for tokenised cards and the customer enters a CVV, pass the entered CVV value to Razorpay.
notes
optional
object
Key-value object used for passing tracking info. Refer to
callback_url
optional
string
URL endpoint where Razorpay will submit the final payment status.
referrer
optional
string
Referrer header passed by the client's browser.
user-agent
mandatory
string
The User-Agent header of the user's browser. The default value will be passed by Razorpay if not provided by you.
ip
mandatory
string
The customer's IP address.
authentication
optional
object
Details of the authentication channel.
authentication_channel
string
The authentication channel for the payment. Possible values:
browser
(default)app
browser
mandatory
object
Information regarding the customer's browser. This parameter need not be passed when authentication_channel=app
.
java_enabled
boolean
Indicates whether the customer's browser supports Java. Obtained from the navigator
HTML DOM object.
javascript_enabled
boolean
Indicates whether the customer's browser can execute JavaScript.Obtained from the navigator
HTML DOM object.
timezone_offset
integer
Time difference between UTC time and the cardholder's browser local time. Obtained from the getTimezoneOffset()
method applied to the Date
object.
screen_width
integer
Total width of the payer's screen in pixels. Obtained from the screen.width
HTML DOM property.
screen_height
integer
Obtained from the navigator
HTML DOM object.
color_depth
integer
Obtained from the payer's browser using the screen.colorDepth
HTML DOM property.
language
string
Obtained from the payer's browser using the navigator.language
HTML DOM property. Maximum limit of 8 characters.
If the payment request is valid, the response contains the following fields.
razorpay_payment_id
string
Unique identifier of the payment. Present for all responses.
next
array
A list of action objects available to you to continue the payment process. Present when the payment requires further processing.
action
string
An indication of the next step available to you to continue the payment process. Possible values:
otp_generate
: This URL allows the customer to generate OTP and complete the payment on your webpage.redirect
: This URL redirects the customer to submit the OTP on the bank page.
url
string
URL to be used for the action indicated.
If you would like the customer to enter the OTP on your website instead of the bank page, use the otp_generate
URL. When this URL is triggered, you get the following response:
curl -u [YOUR_KEY_ID]-X POST https://api.razorpay.com/v1/payments/pay_FVmAstJWfsD3SO/otp_generate-H "Content-Type: application/json" \
id
mandatory
string
Unique identifier of the payment.
If the payment request is valid, the response contains the following fields.
razorpay_payment_id
string
Unique identifier of the payment. Present for all responses.
next
array
A list of action objects available to you to continue the payment process. Present when the payment requires further processing.
action
string
An indication of the next step available for payment processing. Possible values:
opt_submit
- Use this URL to allow the customer to submit OTP and complete the payment on your webpage.opt_resend
- Use this URL to resend OTP to the customer.
url
string
URL to be used for the action indicated.
If the customer faces any latency issues, you can choose to cancel this request and redirect the customer to the bank page to enter the OTP and complete the payment. Thus, you can avoid payment failure by switching the customer to the bank page payment flow.
Curlec sends the respective success or failure response after the customer submits the OTP on your page.
The following endpoint submits the OTP:
After the payment is completed, the final response is posted to the URL given in callback_url
of the request, and can then be verified.
The rest of the integration steps mentioned in the
remain the same. No changes are required in those.After completing the build integration steps, you can continue with
Is this integration guide useful?