
Frequently Asked Questions

How can I register?

1. To register, visit the registration page here.

2. On the home page select Sign Up.

3. You will be redirected to the Sign Up page. Fill in the details and have a valid, active phone number at hand to receive an OTP for verification.

4. Enter your OTP for verification. You have up to 3 tries to receive an OTP.

5. Once you have successfully registered on our portal, you and your manager will receive an email notification with a link redirecting you to a page where you can log in and set your password.

6. Keep in mind that the link expires in 24 hours; after that you will have to repeat the registration process.

7. After successfully setting your password you can log in and try out our APIs using our static sandbox environment.

8. Your registration application remains in pending status until we approve it. Once approved you will receive an email stating that you can log in to create applications and subscribe to APIs, as described in the section Accessing APIs.

What if I do not get activation mail or I accidentally let my activation link expire?

If the activation email is not received, or the activation link has expired, the Partner can raise a forgot-password request using the email address given at registration.

Is it possible to have multiple developer accounts for a single organization?

Yes, multiple developers of a single organization can each have an account, as long as each account uses a unique email address.

Is there any reference website available to validate XML or JSON payload?

You can refer to this link- https://codebeautify.org/

Is there any reference website available for digital signature generation?

You can refer to this link- https://www.xml.com/pub/a/2001/08/08/xmldsig.html

If the signed payload value and original payload value have minor differences, will I get any error from your API Banking Platform?

Yes. The signature is verified over the exact bytes of the payload that the platform receives, so any difference between the signed payload and the sent payload, however minor (a changed character, added whitespace, or re-serialised JSON), produces a "Signature verification failed" error.
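To make the "minor differences" point concrete: a signature is computed over a digest of the exact bytes, so the receiving side recomputes the digest over what actually arrived and the check fails if even one byte differs. The Go program below is an added example written for this page, not HDFC Bank's code or SDK. It assumes RSA PKCS#1 v1.5 with SHA-256 over the raw payload bytes (the page does not name a digest or signature scheme; the XML Signature reference above describes the format the manual uses), a locally generated key pair in place of the partner's certificate, and a constructed sample payload. The failure it demonstrates is the common one: JSON whitespace normalised by a client library after the payload was signed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SignPayload signs the exact bytes of the request with the partner's private key
// (RSA PKCS#1 v1.5 over SHA-256; the digest is this example's assumption, the FAQ
// names none) and returns the signature Base64-encoded for transport.
func SignPayload(payload []byte, partnerPriv *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, partnerPriv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyPayload is the platform-side check. It recomputes the digest over the bytes
// actually received, so any difference from the signed bytes, however small, fails.
func VerifyPayload(received []byte, sigB64 string, partnerPub *rsa.PublicKey) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature verification failed: %w", err)
	}
	digest := sha256.Sum256(received)
	if err := rsa.VerifyPKCS1v15(partnerPub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature verification failed: %w", err)
	}
	return nil
}

// Compact re-serialises JSON without insignificant whitespace: the kind of "minor
// difference" an HTTP client or JSON library can introduce between signing and sending.
func Compact(payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	if err := json.Compact(&buf, payload); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	partner, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the partner's signing key pair
	if err != nil {
		panic(err)
	}
	signed := []byte(`{ "TransactionId": "TXN0001", "Amount": "100" }`) // constructed sample, with spaces
	sig, _ := SignPayload(signed, partner)
	fmt.Println("exact bytes:", VerifyPayload(signed, sig, &partner.PublicKey))
	compacted, _ := Compact(signed)
	fmt.Println("after json.Compact:", VerifyPayload(compacted, sig, &partner.PublicKey))
}
```

The practical rule this illustrates: serialise the request once, sign those bytes, and send those same bytes; do not sign a struct and let the HTTP layer serialise it again.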

Is there any reference website available for Base64 encoding/decoding of the data?

You can refer to this link- https://www.base64encode.org

Is there any reference website available for Encryption/Decryption of the data?

You can refer to this link- https://8gwifi.org/RSAFunctionality?keysize=2048

Can I use NoPadding for both encryption and decryption algorithms?

No. NoPadding is not supported for either the encryption or the decryption side; the platform expects the padding modes specified in the user manual, and a request encrypted with NoPadding results in a "Decryption failed" error.

Do I need to use the exact algorithm as specified in HDFC Bank's user manual for Payload Encryption/Request Digital Signature implementation?

Yes. The algorithms named in HDFC Bank's user manual follow HDFC Bank's API security guidelines and must be used exactly as specified: AES/CBC/PKCS5Padding for the symmetric encryption of the payload, and RSA/ECB/PKCS1Padding for the asymmetric encryption.

Is it mandatory to generate a fresh 32-byte symmetric key for every API call?

Yes. Partners must use a 32-byte random alphanumeric key to symmetrically encrypt the complete API request payload, and a new value of this 32-byte key must be generated for every API request the Partner makes.

Is it mandatory to set a unique transaction ID every time to identify a JSON wrapper request?

Yes, it is mandatory to set a unique transaction ID every time to identify a JSON wrapper request.

Which public key is required during RSA encryption? Will it show an error if any other public key is being used?

HDFC Bank's SSL certificate public key is required. Any other public key will result in a "Decryption failed" error.


What is IV value and how can we pass this value in our payload?

IV stands for Initialization Vector. It is not sent as a separate field: the IV is prepended to the original request payload before the payload is encrypted. If your AES implementation does not use an IV, prepend 16 random bytes to the original request payload before encrypting instead.
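The answers above (the exact algorithms, a fresh 32-byte alphanumeric key per request, RSA encryption of that key under the bank's certificate public key, and 16 random bytes prepended to the payload instead of a transmitted IV) fit together into one envelope scheme. The Go program below is an added example written for this page, not HDFC Bank's code or SDK: the function names, the two Base64 strings it returns and the sample JSON are this example's own, the JSON wrapper fields that carry them are whatever the manual specifies, and a locally generated RSA key stands in for the bank's SSL certificate key. The receiver side is included to show why the prefix makes the IV unnecessary: it decrypts with an all-zero IV, and because a wrong CBC IV corrupts only the first plaintext block, only the discarded prefix is affected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

const alnum = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// randomAlnum returns n uniformly random alphanumeric bytes: the FAQ's "32-byte random (alpha-numeric) key".
func randomAlnum(n int) ([]byte, error) {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alnum))))
		if err != nil {
			return nil, err
		}
		out[i] = alnum[idx.Int64()]
	}
	return out, nil
}

// pkcs7Pad and pkcs7Unpad are what JCA calls PKCS5Padding for AES's 16-byte block.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("decryption failed: bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal is the partner side: a fresh 32-byte key per call, 16 random bytes in front of the
// payload, AES/CBC/PKCS5Padding for the body and RSA/ECB/PKCS1Padding for the key.
// It returns the Base64 body and the Base64 wrapped key.
func Seal(payload []byte, bankPub *rsa.PublicKey) (string, string, error) {
	key, err := randomAlnum(32)
	if err != nil {
		return "", "", err
	}
	rnd := make([]byte, 2*aes.BlockSize) // first half: throwaway plaintext prefix; second half: sender's CBC IV
	if _, err := rand.Read(rnd); err != nil {
		return "", "", err
	}
	block, _ := aes.NewCipher(key) // cannot fail: a 32-byte key selects AES-256
	pt := pkcs7Pad(append(append([]byte{}, rnd[:aes.BlockSize]...), payload...))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, rnd[aes.BlockSize:]).CryptBlocks(ct, pt)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, bankPub, key)
	if err != nil {
		return "", "", err
	}
	return base64.StdEncoding.EncodeToString(ct), base64.StdEncoding.EncodeToString(wrapped), nil
}

// Open is the receiver side. It decrypts with an all-zero IV on purpose: in CBC a wrong IV
// corrupts only the first plaintext block, and that block is the throwaway prefix. That is
// why the sender's IV never has to be transmitted as long as 16 random bytes lead the payload.
func Open(body, wrappedKey string, bankPriv *rsa.PrivateKey) ([]byte, error) {
	wrapped, err1 := base64.StdEncoding.DecodeString(wrappedKey)
	ct, err2 := base64.StdEncoding.DecodeString(body)
	if err1 != nil || err2 != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("decryption failed: malformed body or key")
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, bankPriv, wrapped)
	if err != nil || len(key) != 32 { // a wrong RSA key or wrong RSA padding surfaces here
		return nil, errors.New("decryption failed: cannot unwrap a 32-byte session key")
	}
	block, _ := aes.NewCipher(key) // key length already checked
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil || len(pt) < aes.BlockSize {
		return nil, errors.New("decryption failed: bad padding or missing prefix")
	}
	return pt[aes.BlockSize:], nil
}

func main() {
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)                   // stands in for the bank's SSL certificate key pair
	payload := []byte(`{"TransactionId":"TXN0001","Amount":"100"}`) // constructed sample request
	body, wrappedKey, _ := Seal(payload, &bank.PublicKey)
	got, err := Open(body, wrappedKey, bank)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(got, payload), err)
}
```

Two things worth checking in your own implementation against this: every call to Seal yields a different body and a different wrapped key (fresh key, prefix and IV each time, as the FAQ requires), and unwrapping with any RSA key other than the one the payload was sealed for fails before AES decryption even starts, which is the "Decryption failed" case the FAQ describes for a wrong public key.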

Which special characters are restricted by HDFC Bank's APIs?

The following special characters are restricted: API requests containing them trigger the API Platform's code injection and SQL injection validations and are rejected. Partners are advised to replace these characters with a space before sending the request.

& (ampersand)
' (apostrophe)
, (comma)
. (full stop)
- (hyphen)
/ \ (forward and backward slash)
! (exclamation)

What should be set as username and password while generating OAuth Token?

You can use the Client ID as Username and the Client Secret as Password.

Can I re-use the same OAuth token for multiple API requests ?

No, Partners need to generate a new OAuth token for every request.

Do all your APIs utilize OAuth? What does OAuth involve?

No, not all HDFC Bank APIs use OAuth. HDFC Bank classifies a few APIs, in particular those involving financial transactions, as high criticality, and only those use OAuth. A separate API is published for generating a one-time-use OAuth token; it requires valid Client ID and Client Secret values, and the resulting token must be sent as part of the request to the main API.

What will happen if the API Key is incorrect or blank in the header or if the API header is missing altogether?

If the API Key header is missing, blank, or carries an incorrect value, the request is rejected with an "Invalid API Key" error.

Which content type should be specified in the request for accessing REST APIs, except OAUTH?

You can specify "application/json" under the content type field.

Which content type should be selected while generating OAuth Token?

Use application/x-www-form-urlencoded as the content type when generating an OAuth token.

While implementing a digital signature for an API request, which key (public or private) of which certificate should I use to sign the original request payload?

Do I need to use Base64 Encoding if I use programming languages such as JAVA, DOT NET, PHP for encryption?

If I always need to generate a new value of the 32-byte random key for each and every API request, how does HDFC Bank get to know the value of this key?

What will happen if I do not provide a client certificate or have provided an incorrect one while making a request to an API that utilizes two-way SSL?

Does the scope value on the JSON wrapper of the API request payload need to be the same as the scope value that has been set on the Bank’s API portal?