Skip to main content
POST
/
pg
/
orders
Create Order
curl --request POST \
  --url https://api-pacb-uat.eximpe.com/pg/orders/ \
  --header 'Content-Type: application/json' \
  --header 'X-Client-ID: <api-key>' \
  --header 'X-Client-Secret: <api-key>' \
  --header 'X-Merchant-ID: <api-key>' \
  --data '
{
  "amount": "<string>",
  "currency": "<string>",
  "reference_id": "<string>",
  "buyer": {
    "name": "<string>",
    "email": "[email protected]",
    "phone": "<string>",
    "address": {
      "line_1": "<string>",
      "city": "<string>",
      "state": "<string>",
      "postal_code": "<string>",
      "line_2": "<string>"
    },
    "ip_address": "<string>",
    "user_agent": "<string>"
  },
  "product": {
    "name": "<string>",
    "type_of_goods": "goods",
    "description": "<string>",
    "hs_code": "<string>",
    "hs_code_description": "<string>"
  },
  "return_url": "<string>",
  "collection_mode": "hosted_payment",
  "mop_type": "upi",
  "upi_flow_type": "intent",
  "vpa": "<string>",
  "upi_app_name": "bhim",
  "invoice": {
    "number": "<string>",
    "date": "2023-12-25"
  },
  "card_details": {
    "number": "<string>",
    "cardholder_name": "<string>",
    "expiry_month": "<string>",
    "expiry_year": "<string>",
    "cvv": "<string>",
    "network": "visa",
    "identifier": "<string>",
    "nickname": "<string>"
  }
}
'
{
  "success": true,
  "message": "<string>",
  "data": {
    "order_id": "<string>",
    "session_id": "<string>",
    "intent_uri": "<string>",
    "message": "<string>",
    "acs_template": "<string>"
  }
}

Overview

The Create Order endpoint is the first step in the payment flow across all collection modes. It creates a new order with buyer details, product information, and your preferred payment collection settings (Hosted Payment, Server-to-Server, Payment Link, etc.). After creating an order, the response depends on the selected mode:
  • Hosted Payment: returns a session_id and order_id for redirecting customers to the checkout page
  • S2S UPI Intent: returns an order_id and intent_uri
  • S2S UPI Collection: returns an order_id and a confirmation message
  • S2S Card: returns an order_id and an acs_template (Base64) for 3D Secure

Payment Collection Modes

EximPe supports multiple payment collection modes:

1. Hosted Payment (Default)

The standard hosted payment flow where customers are redirected to EximPe’s secure payment page.

2. S2S UPI Intent

Server-to-server UPI intent flow that generates a UPI intent link for direct app-to-app payments.

3. S2S UPI Collection

Server-to-server UPI collection flow that sends a payment request directly to the customer’s UPI App.

4. S2S Card Payment

Server-to-server card payment flow with 3D Secure authentication. For new cards, the system initiates 3D Secure verification and returns an ACS template that must be rendered on the client side to complete authentication. Card details are securely processed and can be tokenized using the Create Token API after successful payment.

Request Parameters

Required Parameters

  • reference_id: Unique identifier for the order
  • amount: Payment amount in decimal format
  • currency: 3-letter ISO currency code (e.g., INR)
  • return_url: URL to redirect after payment completion
  • buyer: Buyer details object
  • product: Product details object

Optional Parameters

  • collection_mode: Payment collection mode (hosted_payment or s2s)
  • mop_type: Method of payment (upi, credit_card, debit_card, net_banking, qr)
  • upi_flow_type: UPI flow type (intent or collection) - required when using S2S with UPI
  • vpa: Virtual Payment Address - required when upi_flow_type is collection
  • upi_app_name: Preferred UPI app - optional, defaults to others
  • invoice: Invoice details object
  • card_details: Card information object - required when mop_type is credit_card or debit_card

Card Payment Specific Parameters

When using card payments (mop_type is credit_card or debit_card), additional buyer information is required:
  • buyer.ip_address: Customer’s IP address (used for fraud prevention)
  • buyer.user_agent: Customer’s browser user agent (used for fraud prevention)

Card Details Options

You can provide card information in two ways:
  1. New Card Details (for first-time payments):
    • Include full card information: number, cardholder_name, expiry_month, expiry_year, cvv, network
    • Required for new cards not previously saved
    • Use the Create Token API after successful payment to tokenize for future use
  2. Saved Card Token (for repeat payments):
    • Use token: Previously saved card token from the Create Token API
    • Include identifier: Customer identifier used when saving the card
    • Include network: Card network (visa, mastercard, etc.)
    • No sensitive card data required - token handles authentication

Parameter Definitions

The following tables define all request parameters, including nested objects, types, requirements, and constraints.

Top-level

NameTypeRequiredDescriptionConstraints
amountstringYesAmount to charge, decimal string.Format: ^[0-9]+(\.[0-9]{1,2})?$; amount must be > 0 and ≤ 10,000,000.00
currencystringYes3-letter ISO currency code.Supported: INR
reference_idstringYesMerchant-side unique reference for the order.1–50 chars; use letters, numbers, and dashes; unique per merchant while order is active
collection_modestringNoMode of payment collection.Enum: hosted_payment, s2s; default hosted_payment
mop_typestringNoMethod of payment.Enum: upi, credit_card, debit_card, net_banking, wallet, qr
upi_flow_typestringConditionallyUPI flow when mop_type is UPI and collection_mode is s2s.Required if mop_type=UPI and collection_mode=s2s; Enum: intent, collection
vpastringConditionallyCustomer VPA for UPI collection.Required if upi_flow_type=collection; Format: username@bank
upi_app_namestringNoPreferred UPI app for intent optimization.Enum (examples): google_pay, phonepe, paytm, bhim, amazon_pay, others; default others
return_urlstringYesURL to redirect after payment/auth completion.HTTPS URL recommended
buyerobjectYesBuyer/customer details.See Buyer object
productobjectYesProduct or service being purchased.See Product object
invoiceobjectNoInvoice metadata.See Invoice object
card_detailsobjectConditionallyCard details or token for card payments.Required if mop_type is credit_card or debit_card; See Card Details
Notes:
  • “Conditionally” required means the field is required only when the stated condition is met.

Buyer

NameTypeRequiredDescriptionConstraints
namestringYesFull name of the buyer.Max 255 chars; letters, spaces, and common name punctuation (.,-’ )
emailstringYesEmail of the buyer.RFC 5322 email format
phonestringYesPhone number with country code.Valid phone number; E.164 preferred (e.g., +9198xxxxxxxx)
addressobjectYesBuyer address.See Address object
ip_addressstringOptionalCustomer IP address for card fraud checks.IPv4/IPv6
user_agentstringOptionalBrowser/device user agent for card fraud checks.typical browser user agent string

Address (Buyer.address)

NameTypeRequiredDescriptionConstraints
line_1stringYesAddress line 1.Text up to ~255 chars; use standard address characters (letters, numbers, spaces, , . - / #)
line_2stringNoAddress line 2.Text up to ~255 chars; use standard address characters (letters, numbers, spaces, , . - / #)
citystringYesCity.Alphabetic only; Max 255 chars
statestringYesState/Province.Alphabetic only; Max 255 chars
postal_codestringYesPostal/ZIP code.6 chars

Product

NameTypeRequiredDescriptionConstraints
namestringYesProduct or service name.Max 255 chars; letters, numbers, spaces, and common punctuation
descriptionstringNoDescription of the product/service.Max 1024 chars; letters, numbers, spaces, and common punctuation
type_of_goodsstringYesNature of goods/services.Enum: goods, service

Invoice

NameTypeRequiredDescriptionConstraints
numberstringNoInvoice number.Max 255 chars; letters, numbers, dashes/slashes
datestringNoInvoice date (ISO 8601).Format: YYYY-MM-DD

Card Details

Provide one of the following variants when mop_type is credit_card or debit_card:
  • New card (full PAN):
    • number (string, required): PAN; numeric 12-19 digits
    • cardholder_name (string, required): Name on card; max 128 chars
    • expiry_month (string, required): MM format; 01-12
    • expiry_year (string, required): YYYY; current year or later
    • cvv (string, required): 3-4 digits
    • network (string, required): Enum: visa, mastercard, rupay, amex, diners, discover
    • nickname (string, required): Friendly label; max 64 chars
    • identifier (string, required): Customer identifier used for future reference
  • Saved card (tokenized):
    • token (string, required): Token from Create Token API
    • identifier (string, required): Customer identifier used when saving the card
    • network (string, required): Card network; same enum as above
Security:
  • Do not log or store raw PAN/CVV. Use HTTPS and comply with applicable PCI requirements.

Response

Hosted Payment Response

For hosted payment mode, the response includes:
  • session_id: Use this to redirect customers to the payment page
  • order_id: Unique order identifier

S2S UPI Intent Response

For S2S UPI Intent mode, the response includes:
  • order_id: Unique order identifier
  • intent_uri: UPI intent link that can be used to open UPI apps directly

S2S UPI Collection Response

For S2S UPI Collection mode, the response includes:
  • order_id: Unique order identifier
  • message: Confirmation message about the collection request sent to the VPA

S2S Card Payment Response

For S2S Card Payment mode, the response includes:
  • order_id: Unique order identifier
  • acs_template: Base64-encoded HTML template for 3D Secure authentication
Important: The acs_template must be decoded from Base64 and rendered in the customer’s browser to complete the 3D Secure authentication process.

Examples

{
  "amount": "1000.00",
  "currency": "INR", 
  "reference_id": "ORDER_123456",
  "collection_mode": "hosted_payment",
  "return_url": "https://yourdomain.com/payment/callback",
  "mop_type": "upi",
  "buyer": {
    "name": "Alice Smith",
    "email": "[email protected]",
    "phone": "+919812345678",
    "address": {
      "line_1": "221B Baker Street",
      "city": "Mumbai",
      "state": "Maharashtra", 
      "postal_code": "400001"
    }
  },
  "product": {
    "name": "Wireless Headphones",
    "type_of_goods": "goods"
  }
}

Response Examples

{
  "success": true,
  "message": "Checkout session created successfully",
  "data": {
    "session_id": "session_abc123def456",
    "order_id": "OD2000992103"
  }
}

Implementation Notes

UPI Payments

  • S2S UPI Intent: The response includes a UPI intent link that can be used to open UPI apps directly
  • S2S UPI Collection: A payment request is sent to the provided VPA, and the customer receives a notification
  • UPI App Optimization: The upi_app_name parameter helps optimize the intent link for specific UPI applications
  • VPA Format: Must follow the pattern username@bank (e.g., user@paytm, 9876543210@ybl)

Card Payments

  • 3D Secure Flow: For new cards, the system initiates 3D Secure verification
  • ACS Template Processing:
    1. Decode the Base64 acs_template from the response
    2. Render the decoded HTML in the customer’s browser
    3. The form will auto-submit to complete 3D Secure authentication
    4. Customer will be redirected back to your return_url after authentication
  • Card Tokenization: Use the Create Token API after successful payment to securely tokenize cards for future use
  • Saved Card Usage: Use previously saved card tokens for faster, more secure repeat payments
  • Fraud Prevention: ip_address and user_agent are required for fraud detection and prevention

New vs Saved Cards

  • New Cards: Require full card details and may trigger 3D Secure authentication
  • Saved Cards: Use tokens for faster processing, reduced 3D Secure requirements, and enhanced security
  • Token Benefits: No sensitive data exposure, faster checkout, improved conversion rates

Security Considerations

  • Card Data: Never log or store card details in your application
  • 3D Secure: Always implement proper 3D Secure handling for card payments
  • Token Management: Use the Card Token APIs for managing saved cards

Authorizations

X-Client-ID
string
header
required

Client app ID. You can find your app id in the merchant dashboard's developer settings.

X-Client-Secret
string
header
required

Client secret key. You can find your secret in the merchant dashboard's developer settings.

X-Merchant-ID
string
header
required

Merchant ID. You can find your merchant ID in the merchant section of the merchant dashboard. Only applicable for PSP merchants.

Body

application/json

Order creation request

amount
string
required

Amount in decimal format (e.g., "100.00")

currency
string
required

3-letter ISO currency code (e.g., INR, USD)

reference_id
string
required

Unique identifier for the order

buyer
object
required
product
object
required
return_url
string<uri>

URL to redirect after payment

collection_mode
enum<string>

Payment collection mode

Available options:
hosted_payment,
s2s
mop_type
enum<string>

Method of payment type (e.g., UPI)

Available options:
upi,
credit_card,
net_banking,
debit_card,
qr
upi_flow_type
enum<string>

UPI flow type (required when collection_mode is s2s and mop_type is UPI)

Available options:
intent,
collection
vpa
string

Virtual Payment Address (required when upi_flow_type is collection)

upi_app_name
enum<string>

UPI app name (optional, defaults to 'others')

Available options:
bhim,
paytm,
google_pay,
phonepe,
cred,
amazon_pay,
whatsapp,
others
invoice
object
card_details
object

Response

Order created successfully

success
boolean
required

Indicates if the request was successful

message
string
required

Response message

data
object
required