Authentication Type for Cards - Native OTP
Use Razorpay Native OTP to address customer payment issues such as payment failures due to low internet speeds and bank page redirects. Authenticate card payments using OTPs.
Use Razorpay's Native OTP feature to provide an efficient and simple OTP flow to your customers, reduce payment failures due to low internet speeds and avoid payment failure due to redirects to bank pages.
Before implementing the Native OTP feature, check if the following requirements are in place:
- Verify that you are PCI-compliant to accept and process the customer's card details. Know more about . The compliance certificate should be updated as per the yearly renewal cycle.
- Raise a request with to enable this feature on your Checkout page.
- Understand the .
API Authentication
Razorpay APIs are authenticated using Basic Auth method, where your_key_id is the Username and your_key_secret is the Password. You can access your API keys from the Razorpay Dashboard.
A Razorpay Order creates an Order ID corresponding to the unique order (transaction ID or checkout ID) created at your end. The Order ID is tied to all the payments made against that particular order.
Order is an important step in the payment process.
- An order should be created for every payment.
- You can create an order using the . It is a server-side API call. Know how to Orders API.
- The order_id received in the response should be passed to the checkout. This ties the Order with the payment and secures the request from being tampered.
The following is a sample API request and response for creating an order:
curl -X POST https://api.razorpay.com/v1/orders-u [YOUR_KEY_ID]:[YOUR_KEY_SECRET]-H 'content-type:application/json'-d '{"amount": 50000,"currency": "MYR","receipt": "rcptid_11"}'
Here is the list of parameters and their description for creating an order:
amount
mandatory
integer Payment amount in the smallest currency sub-unit. For example, if the amount to be charged is MYR 299.00, then pass 29900 in this field. In the case of three decimal currencies, such as KWD, BHD and OMR, to accept a payment of 295.991, pass the value as 295990. And in the case of zero decimal currencies such as JPY, to accept a payment of 295, pass the value as 295.
Watch Out!
As per payment guidelines, you should pass the last decimal number as 0 for three decimal currency payments. For example, if you want to charge a customer 99.991 KD for a transaction, you should pass the value for the amount parameter as 99990 and not 99991.
currency
mandatory
string The currency in which the transaction should be made. The length must be 3 characters.
Handy Tips
Razorpay has added support for zero decimal currencies, such as JPY, and three decimal currencies, such as KWD, BHD, and OMR, allowing businesses to accept international payments in these currencies. Know more about
(May 2024).receipt
optional
string Your receipt id for this order should be passed here. Maximum length is 40 characters.
notes
optional
json object Key-value pair that can be used to store additional information about the entity. Maximum 15 key-value pairs, 256 characters (maximum) each. For example, "note_key": "Beam me up Scotty”.
partial_payment
optional
boolean Indicates whether the customer can make a partial payment. Possible values:
true: The customer can make partial payments.false(default): The customer cannot make partial payments.
id
mandatory
string Unique identifier of the customer. For example, cust_1Aa00000000004.
Know more about
.Descriptions for the response parameters are present in the
table.The error response parameters are available in the
.Validate the authentication type to set the value of auth_type in
auth_type is sent as otp for a BIN, which is not validated successfully.
The following API endpoint allows Razorpay to verify the OTP-based authentication flow for a specific card:
curl -X POST https://api.razorpay.com/v1/payment/flows \-u <YOUR_KEY_ID>:<YOUR_SECRET> \-H 'content-type: application/json'-d '{"card_number": "4242424242424242"}'
Use the following API to create a payment using the Order ID.
currency
mandatory
string The currency of the payment amount. Pass INR for Indian rupees as currently, we do not support foreign currencies.
amount
mandatory
integer The payment amount in paise. For example, if the payment amount is ₹195.55, pass 19555.
order_id
mandatory
string The unique identifier of the order created in
mandatory
string The customer's email address. For example, gaurav.kumar@example.com.
contact
mandatory
string The customer's contact number. For example, +919123456780.
method
mandatory
string The payment method selected by the customer. The only allowed value is card.
card[number]
mandatory
integer Unformatted card number. This field is required if value of method is card. Use one of our
card[name]
mandatory
string The name of the cardholder.
card[expiry_month]
mandatory
integer The expiry month of the card in MM format. For example, 01 for January and 12 for December.
card[expiry_year]
mandatory
integer Expiry year for card in YY format. For example, 22 for 2022.
card[cvv]
mandatory
integer 3-digit code on the back of Master or Visa card or 4-digit code on the front of the AMEX card.
notes
optional
object A set of key-value pairs that you can attach to an entity. Maximum 15 pairs. Maximum 256 characters for each pair. This can be useful for storing additional information about the entity.
ip
mandatory
string The client's IP address.
referer
mandatory
string The client's referer URL.
user_agent
mandatory
string The client's User-Agent.
auth_type
mandatory
string Indicates the authentication type for this integration method.
Defaults to 3ds. Upon
auth_type=otp.
@// Passing auth_type=otp when the has failed, will result in payment failure.razorpay_payment_id
string Specifies the unique identifier of a payment. A sample payment ID: pay_29QQoUBi66xm2f
next
array Lists the subsequent payment actions available: otp_submit and otp_resend
The following example request creates a payment of ₹50:
Handy Tips
The payment data is passed in form-urlencoded format, which ensures that nested keys are correctly passed.
curl -X POST \'https://api.razorpay.com/v1/payments/create/redirect' \-u <YOUR_KEY>:<YOUR_SECRET> \-H "Content-Type: application/x-www-form-urlencoded" \-d 'amount=5000¤cy=INR&contact=9123456780&email=gaurav.kumar@example.com&method=card&card[number]=4111111111111111&card[name]=Gaurav%20Kumar&card[expiry_month]=01&card[expiry_year]=17&card[cvv]=111&user_agent=Razorpay%20SDK&ip=1.160.10.240&referer=https://www.example.com&auth_type=otp'
{"error": {"code": "BAD_REQUEST_ERROR","description": "Your payment was not successful as you have an invalid expiry date.To pay successfully try adding the right details","source": "customer","step": "payment_authentication","reason": "incorrect_card_expiry_date","metadata": {}}}
Know More: Know more about
.After entering the OTP, the customer can perform either of the two actions, as described in the next parameter:
next
array This array specifies the available actions as a comma-separated list. It can have the following predefined values:
otp_submitotp_resend
In cases where two-factor authentication is not required or not available, thenextobject will not be returned in the response.
[next]otp_submit
string This value is consumed to display OTP submit option.
[next]otp_resend
string This value is consumed as a retry option for OTP submission. If the parameter is not present, the OTP resend option cannot be shown to the customers. The resend option may be unavailable after a certain number of retries. The bank determines the number of retries and not Razorpay.
The customer needs to submit the OTP using your application frontend as part of the payment authentication process.
For card payments, the customer receives the OTP using their preferred notification medium - SMS or email.
Handy Tips
Do not perform any validation on the length of the OTP since this can vary across banks. The OTP should not be blank.
The OTP received must be submitted to the following endpoint:
curl -X POST \'https://api.razorpay.com/v1/payments/pay_29QQoUBi66xm2f/otp/submit' \-u <YOUR_KEY_ID>:<YOUR_SECRET> \-H "Content-Type: application/x-www-form-urlencoded" \-d 'otp=123456'
Know more about
.For certain situations, the customers may need to re-enter the OTP sent to them. The card issuing bank sets the number of retries the customer is allowed to re-enter the OTP.
curl -X POST \'https://api.razorpay.com/v1/payments/pay_29QQoUBi66xm2f/otp/resend' \-u <YOUR_KEY_ID>:<YOUR_SECRET>-H "Content-Type: application/x-www-form-urlencoded"
After the payment process is complete, Razorpay makes a POST request to the callback_url about whether the payment was a success or a failure.
You can easily verify the payment signature using our SDKs:
RazorpayClient razorpay = new RazorpayClient("[YOUR_KEY_ID]", "[YOUR_KEY_SECRET]");String secret = "EnLs21M47BllR3X8PSFtjtbd";JSONObject options = new JSONObject();options.put("razorpay_order_id", "order_9A33XWu170gUtm");options.put("razorpay_payment_id", "pay_29QQoUBi66xm2f");options.put("razorpay_signature", "9ef4dffbfd84f1318f6739a3ce19f9d85851857ae648f114332d8401e0949a3d");boolean status = Utils.verifyPaymentSignature(options, secret);
If razorpay_payment_id is returned, the payment is successfully created and verified.
Post-processing
A successful transaction results in the creation of the razorpay_order_id in your database. You can mark the corresponding transaction at your end as paid and notify the customer.
An exception is thrown in the event of unsuccessful signature verification. If the razorpay_payment_id field is missing in the API request, the following error is displayed in the corresponding response body:
error%5Bcode%5D=BAD_REQUEST_ERROR&error%5Bdescription%5D=Payment+failed
Was this page helpful?