Technical deep dive of UPI

UPI is an architecture and a set of standard APIs to facilitate the next generation online immediate payments, leveraging trends such as increased smartphone adoption, Indian language interfaces, and universal access to Internet and data. It can be visualized as a type of payment protocol

Let’s understand what does it mean.

Application Programming Interface (APIs)

API is a set of rules and protocols that allows one software application to interact with another. It defines the methods and data formats that applications can use to communicate and perform tasks.

In simple words, API is like a waiter who will take an order(request) from a customer(client) and give it to the kitchen(server). Once the order is ready, he will serve(response) it to the customer.

APIs are the heart of UPI. NPCI has defined a set of APIs, each meant to serve a specific purpose. Some of the key features of the UPI APIs are :

Asynchronous communication

Asynchronous communication means that the client makes a request to the server, and the server processes the request without making the client wait for the response. The server will take some time to process the request, and send a callback to the client once the response is ready.

All NPCIs are async in nature which means that whenever client sends a request to NPCI using ReqAPI, it will just validate the request and send an acknowledgement with 200 status code. The server will process the request and send a callback using a corresponding RespAPI.

Stateless APIs

UPI APIs are designed to be stateless. Each API request contains all the necessary information for the server to process that request. Here’s how this works in practice:

1. Self-Contained Requests : Each API request includes all necessary authentication information, transaction details, and any other parameters required to process the request.
2. No Session State : The server does not retain any session information between requests. For example, when initiating a payment, the request includes all details like the payer’s account, the payee’s account, amount, and authentication tokens.
3. Idempotency : Many UPI API requests are idempotent, meaning that making the same request multiple times will have the same effect as making it once.

XML

<?xml version="2.0" encoding="UTF-8" standalone="yes"?>
<upi:ReqHbt xmlns:upi="http://npci.org/upi/schema/">
    <Head ver="2.0" ts="2020-01-10T10:00:00+05:30" orgId="100100" msgId="UPImsgIdOfTotal35AlphanumCharacters"/>
    <Txn id="UPItxnIdOfTotal35AlphanumCharacters" note="heartbeart" refId="UPIrefIdOfTotal35AlphanumCharacters" refUrl="https://api.example.com" ts="2020-01-10T10:00:00+05:30" type="Hbt"/>
    <HbtMsg type="ALIVE" value="NA"/>
</upi:ReqHbt>

UPI APIs use XML (Extensible Markup Language) for several reasons related to the nature of financial transactions, legacy systems, interoperability, and regulatory requirements.

1. Interoperability : XML is a platform-independent data format, meaning it can be used across different operating systems and programming languages. This is crucial for UPI, which needs to operate seamlessly across various banks, financial institutions, and payment service providers, all of which may use different technologies.
2. Self-Descriptive Structure : XML is human-readable and self-descriptive. XML supports the use of schemas (such as XSD — XML Schema Definition) to define the structure and data types of XML documents. This ensures that the data conforms to a predefined format, enhancing data integrity and reducing errors.
3. Legacy System Compatibility : Many financial institutions and banking systems have been using XML for data exchange for years. These legacy systems are already set up to process XML, making it a natural choice for UPI to ensure compatibility and smooth integration with existing infrastructure.

Signature-based authentication

A digital signature is a cryptographic technique that ensures the authenticity and integrity of a message, document, or data. It is the digital equivalent of a handwritten signature or a stamped seal, but it offers far more inherent security.

<upi:ReqHbt xmlns:upi="http://npci.org/upi/schema/">
    .
    .
    .
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>6BgeRrn7/gm00+xjTyQq7hyvXzNGJnBAf3X+AUsgidc=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>jf/jECGCtZesnSK1q7FEcgEWMLMIV+Glkl1/Epjvez87Qvq09H5z56YsdTraDOaf1F2/n7NHRfmu&#xD;\n8fq25jl402M6GHUR8KFF4gx4+3sID8fM0hpBG0pCfA6NWBTQotPIfD/D18fwMF5u14PPX4kDjvV0&#xD;\nOzTIZYizIXS2YmK7ee1haZel8TmDkNfoMHNp5So6rvErytF/YX/ZPOq3Bhlv+fjmXmWgShtJfe/G&#xD;\niXHiCOFcGva1CQyE/3SxHvLqfgOBATrCUdKBxMsz+g662b0naujZsD+PCUZSnbrgu7FIef/3qdEi&#xD;\nmevTYilarr0huJNODvwtUcF2+zHrEImAMfKn1A==</SignatureValue>
    </Signature>
</upi:ReqHbt>

In simple terms,

The client will generate a signature by,

1. Generate request : The client will first create the request payload which contains all the details.
2. Create Hash : Use a hash function (like SHA-256) to generate a hash value from the request payload.
3. Create Signature : Encrypt this hash value using a private key to create a digital signature. This ensures that the signature is unique to both the data and the client.

The server will verify the signature by,

1. Extract the Signature : The server extracts the digital signature from the request.
2. Retrieve the Public Key : The server retrieves the client’s public key, which may be included in the request or fetched from a known registry.
3. Generate the Hash : The server generates a hash value from the received payload using the same hash function.
4. Decrypt the Signature : The server decrypts the digital signature using the client’s public key to obtain the original hash value.
5. Compare Hashes : The server compares the hash value it generated from the payload with the decrypted hash value from the signature. If they match, the integrity and authenticity of the data are confirmed.

APIs determine the performance and scalability of any system. To summarize the benefits of key features discussed above :

1. Scalability : Statelessness allows the server to handle a large number of requests without needing to manage session states, making it easier to scale.
2. Reliability : Asynchronous processing ensures that client applications remain responsive and can handle server responses at their convenience.
3. Efficiency : Stateless APIs reduce the server’s memory and storage overhead since there is no need to maintain client session information.
4. Security and Data Integrity : Signature-based authentication ensures that the data has not been tampered with during transmission and that the request genuinely comes from the claimed client.