Getting Started
Welcome
Welcome to the TouchPay API Suite — your gateway to fast, reliable, and secure digital transactions. Our APIs enable effortless integration for both Payin (money collection) and Payout (fund transfer) workflows, designed to simplify financial automation for businesses of any scale.
Make sure to get your Merchant ID and Secret Key from your dashobard. You will find them in the Developer section present in Sidebar.
For Security
- Never share your Secret Key with anyone. It is used to authenticate your API requests and to generate encrypted payload.
- You can create new Secret Key from your TouchPay dashboard if you suspect it has been compromised.
- We do not accept raw payload. All requests must be sent in encrypted format (You will find encryption logic down the documentation).
- For compliance purposes, the dashboard will automatically log you out after 30 minutes of inactivity.
Webhook Notifications
TouchPay supports webhook callbacks to automatically notify your application about transaction status updates in real time:
- Payin Webhook — Triggered whenever a customer payment is successful or failed.
- Payout Webhook — Triggered when a disbursement is processed, completed, or rejected.
These event-driven notifications ensure your backend stays perfectly in sync with TouchPay’s systems, allowing instant status updates and business logic execution without manual intervention.
Encryption
All API requests must be sent in encrypted format. TouchPay APIs enforce AES-256-GCM encryption for every request payload to ensure data confidentiality and integrity during transmission. Plain (unencrypted) request bodies will be rejected by the system. system.
Key Points:
- The output format of encryption is always: Base64( IV + CipherText ).
- All request bodies must be encrypted before sending to the API.
-
Encryption uses:
- AES-256 in GCM mode (AES/GCM/NoPadding)
- PBKDF2WithHmacSHA256 for key derivation
- Random IV (recommended 12 bytes for GCM)
- Random Salt
- 32-byte key
- 256-bit key (if KEY_LENGTH = 256)
- GCM authentication tag (typically 128-bit)
- The encrypted payload should replace the original JSON request body.
- Decryption is handled automatically on the TouchPay server side.
Reference Implementations:
Encryption logic is provided in multiple programming languages. Use these reference implementations to ensure full encryption compatibility with TouchPay services.
1. Java Implementation (Reference Code):
public static String encrypt(String plainText, String merchantId, String merchantSecretKey) {
String password = merchantId + merchantSecretKey;
try {
SecureRandom secureRandom = new SecureRandom();
// Generate IV
byte[] iv = new byte[IV_LENGTH];
secureRandom.nextBytes(iv);
// Generate Salt
byte[] salt = new byte[SALT_LENGTH];
secureRandom.nextBytes(salt);
// Derive Key
SecretKey secretKey = getKeyFromPassword(password, salt);
// Initialize Cipher
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec spec = new GCMParameterSpec(TAG_LENGTH, iv);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, spec);
// Encrypt
byte[] cipherText = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
// Combine IV + Salt + CipherText
ByteBuffer byteBuffer = ByteBuffer.allocate(iv.length + salt.length + cipherText.length);
byteBuffer.put(iv);
byteBuffer.put(salt);
byteBuffer.put(cipherText);
return Base64.getEncoder().encodeToString(byteBuffer.array());
} catch (Exception e) {
throw new RuntimeException("Encryption failed", e);
}
}
private static SecretKey getKeyFromPassword(String password, byte[] salt) throws Exception {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(
password.toCharArray(),
salt,
ITERATION_COUNT,
KEY_LENGTH
);
SecretKey tmp = factory.generateSecret(spec);
return new SecretKeySpec(tmp.getEncoded(), "AES");
}
Payin Methods
TouchPay supports multiple payment methods that allow users to complete transactions seamlessly through cards, net banking, or UPI. Each payin method is securely processed and instantly verified through our APIs.
Card Payments
Accept payments via all major debit and credit cards (Visa, Mastercard, RuPay, etc.). Transactions are processed through secure payment gateways with instant authorization.
- Supports debit & credit cards
- Instant confirmation
- PCI DSS compliant processing
Net Banking
Enable customers to pay directly from their bank accounts using Internet banking from over 50+ supported banks.
- Supports major Indian banks
- Secure bank redirection flow
- Instant settlement confirmation
UPI Payments
Accept payments through popular UPI apps like Google Pay, PhonePe, Paytm, and BHIM. Fast, secure, and user-friendly transactions with auto-status updates.
- Supports all UPI handles
- QR-based or intent-based payment
- Real-time status notifications
Payout Methods
TouchPay supports fast and reliable payout options to transfer funds directly to beneficiaries via UPI or Bank Account (Account Number & IFSC). Choose the method that best fits your business workflow for instant or same-day settlements.
Bank Account Payout
Send payouts directly to a beneficiary’s bank account using their Account Number and IFSC Code. This method is secure, widely supported, and suitable for all bank transfers.
- Supports only IMPS mode
- Reliable for large-value transfers
- 24x7 availability for IMPS and instant settlement
Required Parameters:
-
account_number– Beneficiary account number ifsc– Bank IFSC code-
recipient_name– Name of the beneficiary amount– Transfer amount