
Frequently Asked Questions

How can I get HDFC Bank Certificate?

HDFC Bank Developer PKI

An X.509 Public Key Infrastructure (PKI) is implemented by HDFC Bank for issuing and managing certificates to be used in conjunction with HDFC APIs for SSL Handshake, Payload Encryption and Digital Signature Verification (wherever applicable). This PKI consists of a hierarchy of entities called CAs that issue certificates to “Subscribers” (that is, end-entities or other CAs) within the hierarchy. The term PKI is used to refer to all of the Subscribers from the root CA all the way down to the lowest level end-entity.

This page provides the HDFC Bank Developer Platform public certificates used to identify HDFC Bank API endpoints.

Click here to download latest certificate.

Why do I need to provide HDFC Bank with an SSL certificate, while invoking the Bank's APIs?

All of HDFC Bank's APIs use two-way SSL, also known as mutual authentication, for better security. In two-way SSL authentication, both the client and the server need to authenticate and validate each other's identity. Hence, to achieve two-way SSL, the Partner's certificate needs to be added to the Bank platform’s certificate truststore, and the Partner needs to do the same. Note: The Partner should only send the Public Key of the CA-signed SSL certificate to the Bank.

How to get Test data for accessing APIs?

Please use the sample data provided in the try-it-out feature. To reach this page, navigate to the API catalog, click on the API Product, and then click on TRY NOW for the respective API.

What are the certificate formats supported on Portal?

We can upload the leaf or server certificate in .cer, .crt and .pem format.

What type of certificates can be uploaded in portal?

Users can only upload a leaf certificate on the portal. They cannot upload root and intermediate certificates. Also, users should not upload self-signed or untrusted certificates.

See below for different types of certificates:

Leaf certificate: A leaf certificate has a full chain of certificates.

Root, Intermediate and Leaf (Main) Certificates

Intermediate certificate: An intermediate certificate has a chain of two certificates.

Root and Intermediate

Root certificate: A root certificate has a chain of only one certificate.

Root certificate

How do I create an application and subscribe to APIs?

You can subscribe to APIs by creating an application. Think of an application as your API key and secret management. It enables you to retrieve access tokens. You can register as many apps as you like.

Before you can start using HDFC’s APIs, you must first create an application, allowing you to subscribe to services. Your application allows for the generation of a consumer key, consumer secret, and access/authorization token (if needed) to access the APIs. Follow these steps to create an application:

1.  Sign into your account using your registered username and Password.

2. Select the Launchpad menu to navigate to the Apps page to create your first app or view apps that have already been created.

a. Create your first app page

b. View the list of created Apps

3. To create a new app, follow the procedure below:

a. The App Name, API Products, IP, Scope and Certificate sections are mandatory for creating any app.

b. App Name: Enter the app name, up to 255 characters (alphanumeric, space, and the following: _ - . # $ %; it must begin with an alpha character). This input should contain the organisation/partner name along with the required product as an identifier, e.g. HDFC_CRMLead.

c. Description: Enter the description, up to 225 characters. This input describes the partner's use case.

d.     Expected Quota: Enter API volumes expected per day.

e.     Call-back URL: Optional field (Can be left Blank).  A callback URL is a URL that will be invoked by the API method you are calling after it's done.

f. Scope: The scope value is mandatory; your application will be rejected without it. Enter the organisation/partner name in this field unless Bank staff specify otherwise. The scope field does not accept spaces; separate two words with an underscore (‘_’), e.g. HDFC_Lead.

g. An organization-specific unique value, which may contain special characters, can be passed in scope. Ideally, this value should be a one-word name of your partner organization, without any spaces. The exception is the Corporate Payment APIs in the case of fund transfers, IMPS, NEFT & RTGS, where HDFC Bank assigns a specific value to be set as the Scope value.

h. Scope can be a max of 30 characters, and multiple Scope values can be entered with a comma (,) as a separator.

i. IP: Enter the public source IPs that will be used for API integration in this field. Only IPv4 is allowed. Users can give both static as well as public IPs. Multiple IP addresses are allowed and must be separated by commas (“,”). The field has a 600-character limit. IP ranges are allowed and should follow this format: 10.10.10.1-10.10.10.100

j.       API Products: Select the API Products (Multiple) that you wish to subscribe to. API Products max field length is about 600 characters. If the sum of the selected API Products exceeds 600 characters, please create another App.

k. Certificate: Upload the leaf SSL certificate in base64-encoded format (.cer/.pem) in the App, and share the root and intermediate certificates with the Bank separately over email.

l.      Accept Terms & Conditions and Privacy Policy of HDFC Bank API Banking Program.

m.   Select Add App to add the newly created app in the Apps page.

n.    You can add as many apps as you want based on your testing needs.
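An added example (not HDFC Bank's code) that pre-checks the App Name and IP fields against the limits given in steps b and i before the form is submitted. The function names are hypothetical, and counting how many source addresses the IP field covers is an extra check, not a portal rule, useful when reviewing how wide the allowlist is.

```python
import ipaddress
import re

# Limits taken from the FAQ steps above; all function names are hypothetical.
IP_FIELD_MAX = 600
APP_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 _\-.#$%]{0,254}")


def check_app_name(name):
    """True if the name starts with a letter, uses only allowed characters, max 255."""
    return APP_NAME_RE.fullmatch(name) is not None


def parse_ip_field(value):
    """Parse the IP field into (first, last) IPv4Address pairs.

    Raises ValueError for input the FAQ rules out: over 600 characters,
    non-IPv4 entries, empty entries, or a range whose end precedes its start.
    """
    if len(value) > IP_FIELD_MAX:
        raise ValueError("IP field exceeds 600 characters")
    spans = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry between commas")
        first, sep, last = entry.partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip()) if sep else lo
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"not an IPv4 address in {entry!r}: {exc}") from None
        if hi < lo:
            raise ValueError(f"range end precedes start in {entry!r}")
        spans.append((lo, hi))
    return spans


def allowlist_size(spans):
    """Number of source addresses the field would allow (overlaps counted once)."""
    total, covered_to = 0, -1
    for lo, hi in sorted((int(a), int(b)) for a, b in spans):
        lo = max(lo, covered_to + 1)  # skip the part already counted
        if hi >= lo:
            total += hi - lo + 1
            covered_to = hi
    return total
```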

What do I need to do to Try out the API’s?

Once you have successfully created an account on the HDFC Bank Developer portal, you can access the Sandbox environment to view sample request responses.

I am not getting the expected response. Who do I contact?

For any technical help, please reach out to us using Contact Us.

What if my application is rejected?

In case of application rejection, please reach out to us using Contact Us.

Does HDFC Bank permit Self-Signed certificates for its APIs?

Only SSL certificates signed by a Certifying Authority are accepted by HDFC Bank; self-signed SSL certificates are not permitted. This applies even in a UAT environment.

Can we Add multiple leaf/server Certificates while creating the application?

Multiple certificates are not allowed. Only one certificate can be tied to each developer, and it can be changed if required.

For high criticality APIs what values to select for 'OAuth Type' /other fields?

Partners need to select "Confidential" under the ‘OAuth Type’ field if they are using high criticality APIs. HDFC Bank classifies a few APIs as having high criticality, especially APIs that involve financial transactions. Partners are provided with user manuals that indicate whether OAuth is being used or not. However, most APIs have not been classified as high criticality APIs, and do not use OAuth. For such APIs, the value "None" needs to be chosen under OAuth Type.

Does HDFC Bank provide a notification before the Partner’s SSL certificate expires?

Yes, Partners will receive a notification from HDFC Bank for providing a renewed certificate, at least a month prior to certificate expiry.

Can I get multiple client secret Keys?

Yes, multiple secret keys can be generated. To generate new client secret keys, click on ‘ADD KEY’ button in App details page.

What is Client ID and Client Secret? Why are they needed?

Client ID and Client Secret are unique credentials for each customer application that are required to access any subscribed API. As part of the onboarding process on the API Portal, Partners need to create an application. Once HDFC Bank personnel approve a Partner’s application, the Client ID and Client Secret will get generated automatically on the API Portal.
The Client ID needs to be utilized as the value of the API_Key to be sent in the API request header. In cases where the user manual for the API indicates that OAuth is needed for the API, the Client ID is additionally used as the value of user name while Client Secret is used as the value of User Password for the OAuth API call.

Where can I obtain values for Client ID and Client Secret? Are they unique for each partner application on the API portal?

Partners need to create an application as part of the onboarding process on the API Portal. Once HDFC Bank personnel approves your application, the Client Id and Client Secret will be generated automatically on the API Portal. These values can be accessed on the API Portal, within the Partner’s application, in the AUTH tab.

Yes, these values are unique for each application created by you on HDFC Bank’s API Portal.

 

How should I subscribe for APIs in the portal application?

To subscribe for APIs in the application, go to Application > click on Edit > go to API Management > write API name in search bar > click on Add > click the Save button at bottom.

Can I change the Client ID and Secret according to my need on the Bank’s API Portal?

No, these values are generated automatically, and partners cannot change them according to their need.

What should I do after putting in my request to recover my account password?

Once you put in the request to reset password for your account, you will receive a link in your mail that you can click directly or copy paste to your browser. This link leads you to a page where you can reset your password. Remember, this link expires after one day and nothing will happen if it is unused.

How do I proceed with account cancellation?

Once you have made a request to cancel your account, you will receive a mail with a link that will take you to the account cancellation page. Simply click on the link or copy paste it to your browser to cancel your account. Remember, the cancellation of your account is not reversible and this link expires after one day so nothing will happen if it is unused.

What do I need to write for the 'Scope' field during onboarding? Is this mandatory?

Ideally, this value should be a one-word name of your partner organization, without any spaces. However, there are exceptions for Corporate Payment APIs in the case of fund transfers, IMPS, NEFT & RTGS, where HDFC Bank assigns a specific value to be set as the Scope value. It is mandatory to mention the scope value as your application would be rejected without it.

How do I proceed once my account is activated?

After activation, you can simply log in to your account by clicking on the link you receive in your email or copy pasting it to your browser. This is a one-time login link that will redirect you to a page where you can set your password. Once you have set a password for your account, you can log in by clicking on the other link provided in the same mail and entering your username and newly set password.

What happens once I have registered on the HDFC Bank API portal?

Once you have registered on our portal, your application will be pending approval. After approval, you will receive an email containing your password, information on how to log in and other details.

What do I select under the 'OAuth Type' field during onboarding if I use high criticality APIs? And what do I select as value for the other APIs?