Troubleshooting

Common issues and step-by-step fixes. Click any issue to expand.

Symptoms

API returns 400 with INVALID_SIGNATURE error code.

Diagnosis

Are you using the correct Secret Key (not API Key)?
Is the field order correct? Must be: merchantId|merchantTxnId|amount|currency|timestamp
Is the amount in paise (integer, not rupees)?
Is the timestamp a Unix timestamp in seconds (not milliseconds)?
Is the output lowercase hex?

Wrong

1// WRONG: amount in rupees, ms timestamp
2const input = `${mid}|${txn}|999|INR|${Date.now()}`;
3crypto.createHmac('sha256', API_KEY) // wrong key!
4  .update(input).digest('base64'); // wrong format!

Correct

1// CORRECT: paise, seconds, SECRET key, hex
2const input = `${mid}|${txn}|99900|INR|${ts}`;
3crypto.createHmac('sha256', SECRET_KEY)
4  .update(input).digest('hex');

Symptoms

API returns 400 with REQUEST_EXPIRED or INVALID_TIMESTAMP.

Causes

REQUEST_EXPIRED — Timestamp is older than 5 minutes. Your server clock may be out of sync.
INVALID_TIMESTAMP — Timestamp is missing or more than 1 minute in the future.
Using milliseconds instead of seconds (e.g., Date.now() instead of Math.floor(Date.now() / 1000)).

Solution

Use Math.floor(Date.now() / 1000) in JavaScript (seconds, not milliseconds)
Use int(time.time()) in Python
Use time() in PHP
Sync your server clock with NTP: sudo ntpdate pool.ntp.org

Staging relaxes timestamp validation, but production enforces it strictly. Always test with correct timestamps.

Symptoms

API returns 400 with a customer field validation error.

Validation Rules

Field	Rule
`customerPhone`	10-digit Indian mobile starting with 6, 7, 8, or 9
`customerEmail`	Valid email format. Disposable email providers are not allowed
`customerName`	2–100 characters, letters and spaces only

Solution

Validate these fields on your frontend before calling the API
All three fields are required — they cannot be empty
For phone: strip any country code prefix (+91) and spaces before sending

Diagnosis

Is your webhook URL registered in Dashboard → Settings → Webhooks?
Is the URL publicly accessible (not localhost)?
Is it HTTPS? (required for production, TLS 1.2+)
Does your server return 200 within 10 seconds?
Is your firewall blocking incoming requests from SabPaisa IPs?
Has the circuit breaker been triggered? (>50% failure rate pauses delivery for 5 min)
Does your URL return a 301/302 redirect? Redirects are not followed and count as failures.

Testing Locally

Use ngrok to expose your local server:

Terminal$_

1ngrok http 3000
2# Copy the HTTPS URL and register it in Dashboard

Always return 200 quickly, even if processing fails. Process webhook events asynchronously. SabPaisa retries up to 10 times over ~8.5 minutes with exponential backoff. After that, webhooks go to the Dead Letter Queue.

Symptoms

Transaction shows PENDING or PROCESSING but never reaches a terminal state.

Auto-Expiry Rules

Status	Timeout	Result
`PENDING`	30 minutes	Auto → `EXPIRED`
`PROCESSING`	24 hours	Auto → `TIMEOUT`

Solution

Use the Transaction Enquiry API or webhooks to monitor status:

JavaScriptJS

1async function pollStatus(txnId) {
2  const res = await fetch(`/api/v2/payments/${txnId}/status`);
3  const data = await res.json();
4
5  const terminal = ['SUCCESS','FAILED','EXPIRED','TIMEOUT','CANCELLED'];
6  if (terminal.includes(data.status)) return data;
7
8  await new Promise(r => setTimeout(r, 3000));
9  return pollStatus(txnId);
10}

Common Mistakes

Using JSON.stringify(req.body) instead of the raw request body (exact bytes)
Using hex digest instead of base64
Using the wrong secret (API Key vs Webhook Secret)
Not checking timestamp freshness (5 min window)
Not using constant-time comparison (crypto.timingSafeEqual)
Reading the header as X-Webhook-Signature instead of X-SabPaisa-Signature

Wrong

1// WRONG: parsed body + hex + wrong header
2const sig = req.headers['x-webhook-signature'];
3const body = JSON.stringify(req.body);
4crypto.createHmac('sha256', secret)
5  .update(`${ts}.${body}`)
6  .digest('hex');

Correct

1// CORRECT: raw body + base64 + right header
2const sig = req.headers['x-sabpaisa-signature'];
3const body = req.body.toString('utf8');
4crypto.createHmac('sha256', secret)
5  .update(`${ts}.${body}`)
6  .digest('base64');

In Express, use express.raw({ type: 'application/json' }) for the webhook route. The default JSON parser destroys the raw body needed for verification. See the complete Webhook Code Examples for all languages.

Cause

SabPaisa guarantees at-least-once delivery. In rare cases (network issues, race conditions), you may receive the same webhook more than once. This is normal behavior, not a bug.

Solution

Use the idempotency_key field from the payload (format: {txn_id}_{status})
Before processing, check if this key has already been handled (database or Redis lookup)
If already processed, return 200 OK without re-processing
Store processed keys for at least 24 hours

Always return 200 OK for duplicate webhooks. Do NOT return an error status — this would trigger unnecessary retries.

Rate Limits

Scope	Limit
Merchant API	100,000 req/min
Checkout per IP	30 req/min
Per payment (status checks)	100 total

Solution

Implement exponential backoff with jitter:

JavaScriptJS

1async function retryWithBackoff(fn, retries = 3) {
2  for (let i = 0; i <= retries; i++) {
3    try { return await fn(); }
4    catch (e) {
5      if (i === retries || e.status !== 429) throw e;
6      const delay = Math.min(
7        1000 * 2 ** i + Math.random() * 1000,
8        30000
9      );
10      await new Promise(r => setTimeout(r, delay));
11    }
12  }
13}

Causes

Total refunds exceed original transaction amount
Refund amount not in paise
Transaction older than 180 days

Solution

Check remaining refundable amount before issuing:

JavaScriptJS

1// Check remaining refundable amount first
2const refunds = await fetch(
3  `/api/v2/refunds/transaction/${txnId}`,
4  { headers: { 'X-Api-Key': API_KEY } }
5).then(r => r.json());
6
7const remaining = refunds.originalAmount - refunds.totalRefunded;
8if (refundAmount > remaining) {
9  throw new Error(`Max: ${remaining} paise`);
10}

Cause

merchantTxnId must be unique per payment attempt. You are reusing an existing ID.

Solution

Append timestamp to make IDs unique per attempt:

JavaScriptJS

1// Unique per attempt, linked to your order
2const merchantTxnId = `ORD_${orderId}_${Date.now()}`;

Symptoms

API returns 401 UNAUTHORIZED despite keys looking correct
Payments work in staging but fail in production
Checksum passes in staging but fails in production

Diagnosis

Staging URL: staging-sb-merchant-api.sabpaisa.in — Production URL: merchant-api.sabpaisa.in
Staging keys only work on staging URLs, and vice versa
Staging relaxes checksum and timestamp validation — production enforces strictly

Solution

Use environment variables to switch between environments:

.env$_

1# Switch between staging and production
2SABPAISA_ENV=staging       # or "production"
3SABPAISA_API_KEY=your_staging_key
4SABPAISA_SECRET_KEY=your_staging_secret
5
6# Your code picks the right base URL:
7# staging    → https://staging-sb-merchant-api.sabpaisa.in
8# production → https://merchant-api.sabpaisa.in

Symptoms

Requests hang for 30+ seconds before failing
Intermittent ECONNRESET or ETIMEDOUT errors
504 GATEWAY_TIMEOUT from the API

Solution

Set a 30-second timeout on all API requests
Retry on 5xx errors with exponential backoff (max 3 retries)
For payment status checks, use webhooks or the Transaction Enquiry API instead of repeated requests
If the issue persists, check your server's DNS resolution and outbound firewall rules

Node.jsJS

1const response = await fetch(url, {
2  signal: AbortSignal.timeout(30000), // 30s timeout
3  headers: { 'X-Api-Key': API_KEY }
4});

Symptoms

Customer enters UPI ID but gets "VPA not found" on the checkout page
UPI collect request fails immediately

Common Causes

Customer typo in UPI ID (e.g., rahul@ppaytm instead of rahul@paytm)
UPI handle does not exist or is deactivated
Customer's bank UPI service is down

Solution

Show clear validation message: "Please check your UPI ID and try again"
Offer alternative methods (QR code, intent) as fallback
For sandbox testing, use success@upi, failure@upi, or timeout@upi

Symptoms

Card details accepted but OTP page fails to load
Customer sees blank iframe or "page cannot be displayed"
RuPay card gets OTP page instead of redirect

Causes & Solutions

Issue	Fix
Blank OTP iframe	Check if your site has restrictive `Content-Security-Policy` headers blocking bank domains
RuPay not working	RuPay uses REDIRECT mode (not OTP iframe). Ensure your integration handles both flows
3DS popup blocked	Inform customers to disable popup blockers for the checkout domain
OTP timeout	Customer has 5 minutes to enter OTP. Show a countdown timer and retry option

Symptoms

UNABLE_TO_VERIFY_LEAF_SIGNATURE or CERT_HAS_EXPIRED
cURL error: "SSL certificate problem"

Solution

Never disable SSL verification in production (verify=False, rejectUnauthorized: false)
Ensure your server has up-to-date CA certificates: sudo update-ca-certificates
Check that your server's clock is accurate (TLS certificates validate against current time)
If using a proxy or CDN, ensure it is not stripping the certificate chain

Never set NODE_TLS_REJECT_UNAUTHORIZED=0 in production. This disables all certificate verification and exposes you to man-in-the-middle attacks.

Still stuck?

When contacting support, include:

traceId from the error response
merchantTxnId or sabpaisaTxnId
Timestamp of the failed request
Error code and HTTP status

Support: [email protected]

API Reference

Complete endpoint documentation

Webhooks

Real-time payment notifications

Production Checklist

56 items before going live

Was this page helpful?

1// WRONG: amount in rupees, ms timestamp 2const input = `${mid}|${txn}|999|INR|${Date.now()}`; 3crypto.createHmac('sha256', API_KEY) // wrong key! 4 .update(input).digest('base64'); // wrong format!

Field

Rule

customerPhone

10-digit Indian mobile starting with 6, 7, 8, or 9

customerEmail

Valid email format. Disposable email providers are not allowed

customerName

2–100 characters, letters and spaces only

Status

Timeout

Result

PENDING

30 minutes

Auto → EXPIRED

PROCESSING

24 hours

Auto → TIMEOUT

1async function pollStatus(txnId) { 2 const res = await fetch(`/api/v2/payments/${txnId}/status`); 3 const data = await res.json(); 4 5 const terminal = ['SUCCESS','FAILED','EXPIRED','TIMEOUT','CANCELLED']; 6 if (terminal.includes(data.status)) return data; 7 8 await new Promise(r => setTimeout(r, 3000)); 9 return pollStatus(txnId); 10}

1// WRONG: parsed body + hex + wrong header 2const sig = req.headers['x-webhook-signature']; 3const body = JSON.stringify(req.body); 4crypto.createHmac('sha256', secret) 5 .update(`${ts}.${body}`) 6 .digest('hex');

1// CORRECT: raw body + base64 + right header 2const sig = req.headers['x-sabpaisa-signature']; 3const body = req.body.toString('utf8'); 4crypto.createHmac('sha256', secret) 5 .update(`${ts}.${body}`) 6 .digest('base64');

Scope

Limit

Merchant API

100,000 req/min

Checkout per IP

30 req/min

Per payment (status checks)

100 total

1async function retryWithBackoff(fn, retries = 3) { 2 for (let i = 0; i <= retries; i++) { 3 try { return await fn(); } 4 catch (e) { 5 if (i === retries || e.status !== 429) throw e; 6 const delay = Math.min( 7 1000 * 2 ** i + Math.random() * 1000, 8 30000 9 ); 10 await new Promise(r => setTimeout(r, delay)); 11 } 12 } 13}

1// Check remaining refundable amount first 2const refunds = await fetch( 3 `/api/v2/refunds/transaction/${txnId}`, 4 { headers: { 'X-Api-Key': API_KEY } } 5).then(r => r.json()); 6 7const remaining = refunds.originalAmount - refunds.totalRefunded; 8if (refundAmount > remaining) { 9 throw new Error(`Max: ${remaining} paise`); 10}

1# Switch between staging and production 2SABPAISA_ENV=staging # or "production" 3SABPAISA_API_KEY=your_staging_key 4SABPAISA_SECRET_KEY=your_staging_secret 5 6# Your code picks the right base URL: 7# staging → https://staging-sb-merchant-api.sabpaisa.in 8# production → https://merchant-api.sabpaisa.in

Issue

Fix

Blank OTP iframe

Check if your site has restrictive Content-Security-Policy headers blocking bank domains

RuPay not working

RuPay uses REDIRECT mode (not OTP iframe). Ensure your integration handles both flows

3DS popup blocked

Inform customers to disable popup blockers for the checkout domain

OTP timeout

Customer has 5 minutes to enter OTP. Show a countdown timer and retry option

Symptoms

Diagnosis

Symptoms

Causes

Solution

Symptoms

Validation Rules

Solution

Diagnosis

Testing Locally

Symptoms

Auto-Expiry Rules

Solution

Common Mistakes

Cause

Solution

Rate Limits

Solution

Causes

Solution

Cause

Solution

Symptoms

Diagnosis

Solution

Symptoms

Solution

Symptoms

Common Causes

Solution

Symptoms

Causes & Solutions

Symptoms

Solution

Still stuck?

Related Pages

Symptoms

Diagnosis

Symptoms

Causes

Solution

Symptoms

Validation Rules

Solution

Diagnosis

Testing Locally

Symptoms

Auto-Expiry Rules

Solution

Common Mistakes

Cause

Solution

Rate Limits

Solution

Causes

Solution

Cause

Solution

Symptoms

Diagnosis

Solution

Symptoms

Solution

Symptoms

Common Causes

Solution

Symptoms

Causes & Solutions

Symptoms

Solution

Still stuck?

Related Pages