Getting Started

Welcome

Welcome to the TouchPay API Suite — your gateway to fast, reliable, and secure digital transactions. Our APIs enable effortless integration for both Payin (money collection) and Payout (fund transfer) workflows, designed to simplify financial automation for businesses of any scale.

Make sure to get your App ID and Secret Key from your dashobard. You will find them in the Developer section present in Sidebar.

For Security

Never share your Secret Key with anyone. It is used to authenticate your API requests and to generate encrypted payload.
You can create new Secret Key from your TouchPay dashboard if you suspect it has been compromised.
We do not accept raw payload. All requests must be sent in encrypted format (You will find encryption logic down the documentation).
The dashboard will log you out in every fifteen minutes for compliance purpose.

Webhook Notifications

TouchPay supports webhook callbacks to automatically notify your application about transaction status updates in real time:

Payin Webhook — Triggered whenever a customer payment is successful or failed.
Payout Webhook — Triggered when a disbursement is processed, completed, or rejected.

These event-driven notifications ensure your backend stays perfectly in sync with TouchPay’s systems, allowing instant status updates and business logic execution without manual intervention.

Encryption

All API requests must be sent in encrypted format. TouchPay APIs enforce AES-256-CBC encryption for every request payload to ensure data confidentiality and integrity during transmission. Plain (unencrypted) request bodies will be rejected by the system.

Key Points:

The output format of encryption is always: Base64( IV + CipherText ).
All request bodies must be encrypted before sending to the API.
Encryption uses:
- AES-256 in CBC mode
- PBKDF2WithHmacSHA256 for key derivation
- 16-byte IV
- 65536 iterations
- 32-byte key
The encrypted payload should replace the original JSON request body.
Decryption is handled automatically on the TouchPay server side.

Reference Implementations:

Encryption logic is provided in multiple programming languages. Use these reference implementations to ensure full encryption compatibility with TouchPay services.

1. Java Implementation (Reference Code):


public class Encryptor {

private static final int KEY_LENGTH = 256;
private static final int ITERATION_COUNT = 65536
public static String encrypt(String strToEncrypt, String appId, String secretKey) {
    try {
        // Generate random IV
        SecureRandom secureRandom = new SecureRandom();
        byte[] iv = new byte[16];
        secureRandom.nextBytes(iv);
        IvParameterSpec ivSpec = new IvParameterSpec(iv)
        // Generate AES key using PBKDF2
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec spec = new PBEKeySpec(
                appId.toCharArray(),
                secretKey.getBytes(),
                ITERATION_COUNT,
                KEY_LENGTH
        )
        SecretKey tmp = factory.generateSecret(spec);
        SecretKeySpec secretKeySpec = new SecretKeySpec(tmp.getEncoded(), "AES")
        // Initialize cipher
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivSpec)
        // Encrypt data
        byte[] cipherText = cipher.doFinal(strToEncrypt.getBytes("UTF-8"))
        // Combine IV and ciphertext
        byte[] encryptedData = new byte[iv.length + cipherText.length];
        System.arraycopy(iv, 0, encryptedData, 0, iv.length);
        System.arraycopy(cipherText, 0, encryptedData, iv.length, cipherText.length)
        // Return Base64 encoded string
        return Base64.getEncoder().encodeToString(encryptedData)
    } catch (Exception e) {
        log.error("Encryptor encrypt error -> {}", e.getMessage());
        return null;
    }
}
}

2. PHP Implementation (Reference Code):


function deriveKey(string $appId, string $secretKey): string
{
    return hash_pbkdf2(
        'sha256',
        $appId,
        $secretKey,
        65536,
        32,
        true
    );
}

function encryptData(string $plaintext, string $appId, string $secretKey): string
{
    // Derive AES-256 key using PBKDF2
    $key = deriveKey($appId, $secretKey);

    // Generate random IV
    $iv = random_bytes(16);

    // Encrypt data using AES-256-CBC
    $ciphertext = openssl_encrypt(
        $plaintext,
        'AES-256-CBC',
        $key,
        OPENSSL_RAW_DATA,
        $iv
    );

    // Return Base64 encoded IV + ciphertext
    return base64_encode($iv . $ciphertext);
}

3. NodeJs. Implementation (Reference Code):


const crypto = require('crypto');

function deriveKey(appId, secretKey) {
    return crypto.pbkdf2Sync(
        appId,
        secretKey,
        65536,
        32,
        'sha256'
    );
}

function encrypt(text, appId, secretKey) {
    // Derive AES-256 key using PBKDF2
    const key = deriveKey(appId, secretKey);

    // Generate random IV
    const iv = crypto.randomBytes(16);

    // Create AES-256-CBC cipher
    const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);

    // Encrypt data
    const encrypted = Buffer.concat([
        iv,
        cipher.update(text, 'utf8'),
        cipher.final()
    ]);

    // Return Base64 encoded IV + ciphertext
    return encrypted.toString('base64');
}

4. C#(.NET) Implementation (Reference Code):


using System;
using System.Security.Cryptography;
using System.Text;

public class Encryptor
{
    private const int Iterations = 65536;
    private const int KeyLength = 32; // 256 bits

    private static byte[] DeriveKey(string appId, string secretKey)
    {
        using var deriveBytes = new Rfc2898DeriveBytes(
            appId,
            Encoding.UTF8.GetBytes(secretKey),
            Iterations,
            HashAlgorithmName.SHA256
        );

        return deriveBytes.GetBytes(KeyLength);
    }

    public static string Encrypt(string plainText, string appId, string secretKey)
    {
        // Derive AES-256 key using PBKDF2
        var key = DeriveKey(appId, secretKey);

        // Generate random IV
        var iv = RandomNumberGenerator.GetBytes(16);

        using var aes = Aes.Create();
        aes.Key = key;
        aes.IV = iv;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;

        using var encryptor = aes.CreateEncryptor();
        byte[] cipherText = encryptor.TransformFinalBlock(
            Encoding.UTF8.GetBytes(plainText),
            0,
            plainText.Length
        );

        // Combine IV and ciphertext
        byte[] result = new byte[iv.Length + cipherText.Length];
        Buffer.BlockCopy(iv, 0, result, 0, iv.Length);
        Buffer.BlockCopy(cipherText, 0, result, iv.Length, cipherText.Length);

        // Return Base64 encoded IV + ciphertext
        return Convert.ToBase64String(result);
    }
}

5. Python Implementation (Reference Code):


import base64
import os
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

ITERATIONS = 65536
KEY_LENGTH = 32  # 256 bits


def derive_key(app_id: str, secret_key: str) -> bytes:
    return hashlib.pbkdf2_hmac(
        'sha256',
        app_id.encode(),
        secret_key.encode(),
        ITERATIONS,
        KEY_LENGTH
    )


def encrypt(plaintext: str, app_id: str, secret_key: str) -> str:
    # Derive AES-256 key using PBKDF2
    key = derive_key(app_id, secret_key)

    # Generate random IV
    iv = os.urandom(16)

    # Encrypt using AES-256-CBC
    cipher = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(
        pad(plaintext.encode(), AES.block_size)
    )

    # Combine IV and ciphertext
    encrypted_data = iv + ciphertext

    # Return Base64 encoded IV + ciphertext
    return base64.b64encode(encrypted_data).decode()

Payin Methods

TouchPay supports multiple payment methods that allow users to complete transactions seamlessly through cards, net banking, or UPI. Each payin method is securely processed and instantly verified through our APIs.

Card Payments

Accept payments via all major debit and credit cards (Visa, Mastercard, RuPay, etc.). Transactions are processed through secure payment gateways with instant authorization.

Supports debit & credit cards
Instant confirmation
PCI DSS compliant processing

Net Banking

Enable customers to pay directly from their bank accounts using Internet banking from over 50+ supported banks.

Supports major Indian banks
Secure bank redirection flow
Instant settlement confirmation

UPI Payments

Accept payments through popular UPI apps like Google Pay, PhonePe, Paytm, and BHIM. Fast, secure, and user-friendly transactions with auto-status updates.

Supports all UPI handles
QR-based or intent-based payment
Real-time status notifications

Payout Methods

TouchPay supports fast and reliable payout options to transfer funds directly to beneficiaries via UPI or Bank Account (Account Number & IFSC). Choose the method that best fits your business workflow for instant or same-day settlements.

Bank Account Payout

Send payouts directly to a beneficiary’s bank account using their Account Number and IFSC Code. This method is secure, widely supported, and suitable for all bank transfers.

Supports only IMPS mode
Reliable for large-value transfers
24x7 availability for IMPS and instant settlement

Required Parameters:

account_number – Beneficiary account number
ifsc – Bank IFSC code
recipient_name – Name of the beneficiary
amount – Transfer amount

APIs

Introduction

The Payin and Payout APIs offer complete control and transparency over your transactions, enabling seamless automation, enhanced efficiency, and reduced manual effort. With real-time tracking and secure integrations, you can easily manage payments at scale. These APIs are designed to simplify financial operations and ensure a smooth, reliable payment experience for your business.

Every request to the Payin & Payout REST APIs must include specific HTTP headers to ensure secure and valid communication.

API Status Codes:

Status Code	Description
`401`	Unauthorized.
`422`	Unprocessable content or Validation errors.
`201`	Transaction has been created or initiated.
`200`	Transaction Fetched.
`404`	Transaction not found.
`400`	Bad Request.
`500`	Internal Server Error.

Fetch Wallet Balance

The Fetch Wallet Balance API allows you to securely retrieve the current wallet balance associated with your account in real time. It provides accurate and up-to-date balance details, enabling your application to display or validate available funds before initiating transactions, while maintaining data integrity and system security.

Request Requirements:

Domain Url : crm.touchpay.cloud

Method	`POST`
Endpoint	`{{domain}}/getBalance`
Headers	`Content-Type: 'application-json'`
IP Address	`IP Address must be whitelisted with us.`

Request Body:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`data`	Required Encrypted transaction payload in Base64 format.	`SGVsbG8sIFdvcmxkIQ==`

Decrypted `data` Payload Structure:

When decrypted, the `data` field contains the actual transaction details:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel..	`APP245260921847`
`date`	Required Current date/time when the request is generated.	`SGVsbG8sIFdvcmxkIQ==`
`referenceNumber`	Required Unique identifier for this request.	`TXN12893353`

Request Body Structure:

{
  "appId": "APP245260921847",
  "data": "SGVsbG8sIFdvcmxkIQ== "
}

Response Structure:


{
  "statusCode": 200,
  "error": null,
  "data": {
      "appId": "APP245260921847",
      "requestedDate": "24 Sep 2025 05:37:00 PM",
      "accountBalance": "564.0"
  }
}

Initiate Payout

Payout is a service that allows businesses to send payments directly to the accounts of their customers, vendors, or service providers and handles outgoing transactions. They are essential for businesses that need to disburse funds regularly, such as payroll for employees, commissions for affiliates, or payments to freelancers.

Request Requirements:

Domain Url : crm.touchpay.cloud

Method	`POST`
Endpoint	`{{domain}}/payoutTransferApi`
Headers	`Content-Type: 'application-json'`
IP Address	`IP Address must be whitelist with us.`

Request Body:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`data`	Required Encrypted transaction payload in Base64 format.	`SGVsbG8sIFdvcmxkIQ==`

Decrypted `data` Payload Structure::

When decrypted, the `data` field contains the actual transaction details:

Name	Description	Example Value
`orderId`	Required Unique transfer identifier.	`TXN123456789`
`transactionBankTransferMode`	Required Transfer mode (e.g., NEFT, IMPS, RTGS).	`IMPS`
`transactionAmmount`	Required Beneficiary transfer amount.	`100`
`accountNo`	Required Beneficiary Account Number.	`102759398573`
`ifscCode`	Required Beneficiary's Account IFSC.	`AQC023433`
`name`	Required Beneficiary Name.	`John Doe`
`nickname`	Required Beneficiary Nick Name.	`John`
`mobile`	Required Beneficiary's Mobile Number (10 digits)	`92840*****`
`email`	Required Beneficiary's Email Address	`john@gmail.com`

Request Body Structure:

{
  "appId": "APP245260921847",
  "data": "SGVsbG8sIFdvcmxkIQ== "
}

Response Structure:

{
  "statusCode": 201,
  "error": null,
  "data": {
      "orderId": "TXN123456789",
      "transactionStatus": "PENDING",
      "statusCode": "001",
      "createDate": "24 Sep 2025 04:59:02 PM"
  }
}

Payin Link

Easily collect payments by generating unique, one-time payment links that can be instantly shared with your customers. These links direct users to a secure hosted page where they can complete their payments seamlessly.

Request Requirements:

Domain Url : crm.touchpay.cloud

Method	`POST`
Path	`{{domain}}/payment/paymentInit`
Headers	`Content-Type: 'application-json'`
IP Address	`IP Address must be whitelist with us.`

Request Body:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`data`	Required Encrypted transaction payload in Base64 format.	`SGVsbG8sIFdvcmxkIQ==`

Decrypted `data` Payload Structure:

When decrypted, the `data` field contains the actual transaction details.

Name	Description	Example Value
`orderId`	Unique & Required Your unique transaction id.	`TXN12893353`
`amount`	Required Amount for the payment collection.	`100`
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`returnUrl`	Required To redirect user after payment completion.	`http://{{redirect_url}}`
`custPhone`	Required User's mobile number	`9748271230`
`custEmail`	Required User's email address	`johndoe@gmail.com`
`custFirstName`	Required User's first name	`John`
`currencyCode`	Required Numeric ISO currency code	`356 for INR`
`transactionType`	Required Type of transaction	`SALE`
`productDesc`	Required Short description of the product/service.	`Product purchase`

Request Body Structure:

{
  "appId": "APP245260921847",
  "data": "SGVsbG8sIFdvcmxkIQ== "
}

Response Structure:

{
  "statusCode": 200,
  "error": null,
  "data": {
      "appId": "APP6041769037343",
      "paymentLink": "{{domain}}/pay/dCYHIwJ1gfKbmLKN8YYr20pRsIcRmDkTerjtwognqxEUlus=PAYINAPP60017668"
  }
}

Note: You will be notify as well using webhook for the Payin Approved or Rejected.

What after Pay Link Generation:

Once the user is redirected to the Pay Link, the Payment Page will appear. After completing the payment, the user will be redirected back to your specified redirect_url.

The redirection URL will include a query parameter named signature, for example:

https://redirect_url.com?signature=base64_encoded_string

You can Base64 decode this signature to verify the payment status. Additionally, the same payment status will also be sent via webhook notifications for confirmation.

Decoded Base64 Response Structure:

{
'success' : true,
'statusCode' : 200,
'message' : "Transaction successful",
'event_type' : 'payment_success',
'data' : [
     'client_id' : 'TXN12893353',
     'reference_number' : "o_G1LvGrE5BlMpyOg5-oJ6X7",
     'transaction_amount' : 100,
     'status' : 1,
     'transaction_type' : 'payment'
 ]                
}

Payout Status

The Payout Status API lets you verify the current state of a payout request. Using the unique transaction reference (such as transaction_id), you can check whether a payout is Pending, Approved, Rejected.

Request Requirements:

Domain Url : crm.touchpay.cloud

Method	`POST`
Path	`{{domain}}/payoutStatusApi`
Headers	`Content-Type: 'application-json'`
IP Address	`IP Address must be whitelist with us.`

Request Body:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`data`	Required Encrypted transaction payload in Base64 format.	`SGVsbG8sIFdvcmxkIQ==`

Decrypted `data` Payload Structure:

When decrypted, the `data` field contains the actual transaction details.

Name	Description	Example Value
`orderId`	Unique & Required Your unique transaction id.	`TXN12893353`

Request Body Structure:


{
  "appId": "APP245260921847",
  "data": "SGVsbG8sIFdvcmxkIQ== "
}

Response Structure:


{
  "statusCode": 200,
  "error": null,
  "data": {
      "orderId": "TXN12893353",
      "transactionId": "POTAX164112",
      "transactionReceiptId": "01240925073",
      "utr": null,
      "transactionAmmount": "1.0",
      "transactionType": "IMPS",
      "transactionStatus": "FAILED",
      "name": "Shashi dhar",
      "accountNo": "abcd502839",
      "ifscCode": "ICIC0007391",
      "transactionBankTransferMode": null,
      "txnDate": "2025-09-24 16:59:02.0",
      "netAmount": "1.0",
      "txnMessage": "99"
  }
}

Note: You will be notify as well using webhook for the Payout Approved or Rejected.

Payin Status

The Payin Status API lets you verify the current state of a payment request. Using the unique transaction reference (such as orderId), you can check whether a payment is Pending, Approved, Rejected.

Request Requirements:

Domain Url : crm.touchpay.cloud

Method	`POST`
Path	`{{domain}}/payment/payin-status`
Headers	`Content-Type: 'application-json'`
IP Address	`IP Address must be whitelist with us.`

Request Body:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`data`	Required Encrypted transaction payload in Base64 format.	`SGVsbG8sIFdvcmxkIQ==`

Decrypted `data` Payload Structure

When decrypted, the `data` field contains the actual transaction details:

Name	Description	Example Value
`appId`	Required Application ID provided by the panel.	`APP245260921847`
`orderId`	Required Unique order identifier to fetch status.	`TXN12893353`

Request Body Structure:


{
  "appId": "APP245260921847",
  "data": "SGVsbG8sIFdvcmxkIQ"
}

Response Structure:


{
  "statusCode": 200,
  "error": null,
  "data": {
      "txnId": "TXN795222440",
      "orderId": "TXN12893353",
      "appId": "APP60417668645343",
      "status": "PENDING",
      "statusCode": "001",
      "responseMessage": "Payment request pending at PG",
      "merchantTdr": null,
      "gst": null,
      "netAmount": null,
      "amount": "5.0",
      "currencyCode": null,
      "paymentTypeCode": "UP",
      "mopCode": "INTENT",
      "transactionType": "SALE",
      "productDesc": "Test Transaction",
      "custEmail": "test@gmail.com",
      "custPhone": "9058440246",
      "cardNumber": null,
      "custVpa": null,
      "utr": null
  }
}

Note: You will be notify as well using webhook for the Payin Approved or Rejected.

Webhooks

Webhooks allow your application to receive real-time updates from our system whenever specific events occur — such as payment success, failure, or refund. Instead of continuously polling our APIs, you can configure a webhook endpoint to automatically get notified with structured event data, ensuring instant synchronization between our platform and your system.

Payin Webhook

The Payin Webhook allows you to receive real-time notifications whenever the status of a payin transaction is updated. Once a payin is processed, the system will send a request to your configured webhook URL containing details such as Transaction ID, amount, status. Use this to automatically update your system without polling the status API.

Payin Webhook Response:

{
  "amount": "1000.00",
  "appId": "APP123456",
  "cardNumber": "4567XXXXXXXX1234",
  "currencyCode": "INR",
  "custEmail": "customer@example.com",
  "custVpa": "customer@paytm",
  "custPhone": "9876543210",
  "merchantTdr": "20.00",
  "gst": "3.60",
  "netAmount": "976.40",
  "paymentTypeCode": "UPI",
  "mopCode": "UPI",
  "orderId": "ORD20250101123456",
  "txnId": "TXN20250101123456789",
  "transactionType": "SALE",
  "productDesc": "Product Purchase",
  "status": "SUCCESS",
  "statusCode": "000",
  "responseMessage": "Transaction successful",
  "utr": "UTR123456789012"
}

Payout Webhook

The Payout Webhook allows you to receive real-time notifications whenever the status of a payout transaction is updated. Once a payout is processed, the system will send a request to your configured webhook URL containing details such as order ID, transaction ID, amount, status, and timestamp. Use this to automatically update your system without polling the status API.

Payout Webhook Response:

{
  "transactionStatus": "SUCCESS",
  "statusCode": "000",
  "txnMessage": "Transaction completed successfully",
  "orderId": "ORD20250101234567",
  "transactionId": "TXN20250101234567890",
  "utr": "UTR234567890123",
  "transactionAmmount": "5000.00",
  "netAmount": "4950.00",
  "name": "John Doe",
  "accountNo": "1234567890",
  "ifscCode": "SBIN0001234",
  "transactionBankTransferMode": "IMPS"
}