Response URL
The Response URL serves as a bridge to return the payer to your platform after they have completed (or attempted) a payment. While the integration redirects the customer via a browser-level GET request, the data sent allows you to display personalized transaction summaries or statuses, such as Approved, Rejected, Under validation, or Pending payment (for cash transactions). Keep in mind, however, that the payer may close the checkout before reaching the result page.
Integration Methods
The parameter name and location for the Response URL vary depending on the integration type you are using.
| Integration Type | Parameter Name / Path | Implementation Example |
|---|---|---|
| WebCheckout | responseUrl |
<input name="responseUrl" type="hidden" value="http://www.myshop.com/response.php"> |
| API Integration | transaction.extraParameters.RESPONSE_URL |
"extraParameters": { "RESPONSE_URL": "http://www.payu.com/response" } |
Considerations
-
Not for Backend Logic: Avoid relying on the Response URL to update your database or trigger orders. Users may close the browser before the redirect occurs. Always use the Confirmation URL (Webhook) for backend processes.
-
Hosting Restrictions: Ensure your hosting provider does not block URLs sent as parameter values (e.g.,
&merchant_url=...). -
Display Recommendations: We recommend showing the customer at least the: status, reference, value, currency, and date.
-
Default Behavior: If you don’t provide a Response URL (either in the request or the PayU Management Panel), the process ends at the PayU web checkout page.
Important
If you leave the Response URL blank, PayU will display the transaction information on its own page, but the buyer will not have an option to return to your website.Parameters Sent to the Response URL
Regardless of the integration method, PayU sends the following parameters to your URL via an HTTP GET request.
Parameters
| Field | Type | Size | Description |
|---|---|---|---|
merchantId |
Numeric | 12 | Merchant’s unique identification number in the PayU system, provided in the account creation email. |
transactionState |
Numeric | 2 | Status of the transaction. See Transaction States. |
risk |
Decimal | — | Risk score associated with the transaction (values between 0 and 1). A higher value indicates a greater risk. Format: ###.00. |
polResponseCode |
Alphanumeric | 64 | Internal PayU response code. See Response Codes. |
polTransactionState |
Numeric | 2 | Internal PayU transaction state. See Response Codes. |
referenceCode |
Alphanumeric | 255 | Unique reference code for the sale or order. It must be unique for every transaction sent to the system. |
reference_pol |
Alphanumeric | 255 | Unique transaction number generated by PayU. |
signature |
Alphanumeric | 255 | Digital signature used to validate data integrity for each transaction. |
polPaymentMethod |
Alphanumeric | 255 | Internal identifier for the payment method used. |
polPaymentMethodType |
Numeric | 2 | Type of payment method used. See Payment Method Codes. |
installmentsNumber |
Numeric | 2 | Number of installments requested for credit card payments. |
TX_VALUE |
Numeric | 14.2 | The total transaction amount. Supports up to two decimal places (e.g., 100.00 or 100). |
TX_TAX |
Numeric | 14.2 | VAT amount. Supports up to two decimal places. If no VAT applies, send 0. Note: For Colombia, if this field is omitted, a 19% VAT is applied automatically. |
buyerEmail |
Alphanumeric | 255 | Buyer’s email address used for transaction notifications. We recommend validating this field at the point of data entry. |
processingDate |
Date | — | Date and time the transaction was processed. Format: YYYY-MM-DD HH:mm:ss. |
currency |
Alphanumeric | 3 | ISO currency code for the payment. Transactions in Colombia are reconciled in COP at the daily representative market rate. |
cus |
Alphanumeric | 255 | Unique Tracking Code (Código Único de Seguimiento). The specific payment reference used by banks for PSE transactions in Colombia. |
pseBank |
Alphanumeric | 255 | Name of the bank used for PSE payments (Colombia only). |
lng |
Alphanumeric | 2 | Language code used to display the payment gateway. |
description |
Alphanumeric | 255 | Brief description of the sale. |
lapResponseCode |
Alphanumeric | 64 | Response code delivered by PayU. See Response Codes. |
lapPaymentMethod |
Alphanumeric | 255 | Specific payment method used (e.g., VISA). |
lapPaymentMethodType |
Alphanumeric | 255 | Category of the payment method (e.g., CREDIT_CARD). |
lapTransactionState |
Alphanumeric | 32 | High-level transaction status. See Transaction Status. |
message |
Alphanumeric | 255 | Descriptive message explaining the transaction status. |
extra1 |
Alphanumeric | 255 | Custom field for additional purchase information. |
extra2 |
Alphanumeric | 255 | Custom field for additional purchase information. |
extra3 |
Alphanumeric | 255 | Custom field for additional purchase information. |
authorizationCode |
Alphanumeric | 12 | Authorization code provided by the financial institution for the sale. |
merchant_address |
Alphanumeric | 255 | Registered address of the merchant. |
merchant_name |
Alphanumeric | 255 | Registered name of the merchant. |
merchant_url |
Alphanumeric | 255 | URL of the merchant’s website. |
orderLanguage |
Alphanumeric | 2 | Language of the order. Format: ISO-639-1. |
pseCycle |
Numeric | — | Transaction cycle identifier generated by PSE (Colombia only). |
pseReference1 |
Alphanumeric | 255 | Custom reference field 1 for PSE payments (Colombia only). |
pseReference2 |
Alphanumeric | 255 | Custom reference field 2 for PSE payments (Colombia only). |
pseReference3 |
Alphanumeric | 255 | Custom reference field 3 for PSE payments (Colombia only). |
telephone |
Alphanumeric | 20 | Merchant’s contact phone number. |
transactionId |
Alphanumeric | 36 | Unique internal identifier for the transaction. |
trazabilityCode |
Alphanumeric | 64 | Traceability code of the sale as recorded on the merchant’s site. |
TX_ADMINISTRATIVE_FEE |
Decimal | — | Value of the administrative fee applied. |
TX_TAX_ADMINISTRATIVE_FEE |
Decimal | — | Tax amount applied to the administrative fee. |
TX_TAX_ADMINISTRATIVE_FEE_RETURN_BASE |
Decimal | — | Base value of the administrative fee used for tax refunds. |
action_code_description |
Alphanumeric | 255 | Description of the response action code (Specific to certain acquirers like VISANET Peru). |
cc_holder |
Alphanumeric | 150 | Name of the cardholder as it appears on the credit card. |
cc_number |
Alphanumeric | — | Masked credit card number used for the transaction (e.g., ************0004). |
processing_date_time |
Date | — | Processing date of the sale. Format: YYYY-MM-DD. |
request_number |
Alphanumeric | 9 | Combination of the Order Number and the transaction identifier. |
Implementation Example (PHP)
The logic is essentially the same for both integrations once the system redirects the user to your script:
<?php
$apiKey = "4Vj8eK4rloUd272L48hsrarnUA";
$merchant_id = $_GET['merchantId'];
$referenceCode = $_GET['referenceCode'];
$TX_VALUE = (float) $_GET['TX_VALUE'];
$currency = $_GET['currency'];
$transactionState = $_GET['transactionState'];
// Apply rounding for signature validation
$new_value = round($TX_VALUE, 1, PHP_ROUND_HALF_EVEN);
$signature_string = "$apiKey~$merchant_id~$referenceCode~$new_value~$currency~$transactionState";
$calculated_signature = md5($signature_string);
$received_signature = $_GET['signature'];
if (hash_equals(strtolower($received_signature), strtolower($calculated_signature))) {
echo "<h2>Transaction Verified Successfully</h2>";
// Display summary to user
} else {
echo "<h2>Invalid Signature - Data Integrity Compromised</h2>";
}
?>
Sample GET Request:
The following is an example of the query string PayU appends to your Response URL. You can use this to test your script’s ability to capture variables and validate the signature.
http://mytestsite.com/response.php?merchantId=508029&transactionState=6&referenceCode=2015-05-27+13%3A04%3A37&reference_pol=7069375&transactionId=f5e668f1-7ecc-4b83-a4d1-0aaa68260862&signature=e1b0939bbdc99ea84387bee9b90e4f5c&TX_VALUE=100.00¤cy=USD&buyerEmail=test%40payulatam.com&lapPaymentMethod=VISA&lapTransactionState=DECLINED&message=Declined
Signature Validation
To ensure the data received at the Response URL hasn’t been tampered with, you must regenerate the signature and compare it to the signature parameter.
Rounding Rule for Response URL
- To calculate the
new_valuefor the signature, roundTX_VALUEto one decimal place using the round half to even method:- If the first decimal is even and the second is
5→ round down (e.g.,150.25becomes150.2). - If the first decimal is odd and the second is
5→ round up (e.g.,150.35becomes150.4). - Otherwise, round normally to the nearest decimal.
- If the first decimal is even and the second is
Signature Format
Always use the values from the Response URL (merchantId, referenceCode, TX_VALUE, currency, and transactionState) to generate the signature. Do not use the values from your database.
The string to hash is:
apiKey~merchantId~referenceCode~new_value~currency~transactionState
Signature Examples
The following examples illustrate how to generate a signature, in this case, using HMAC-SHA256.
First Decimal is an Even Number and the Second is 5
| Item | Value |
|---|---|
| String Parameters | apiKey: 4Vj8eK4rloUd272L48hsrarnUA merchantId: 508029 referenceCode: PayUTest01 TX_VALUE: 150.25 currency: USD transactionState: 6 |
| Input String (formatted) | 4Vj8eK4rloUd272L48hsrarnUA~508029~PayUTest01~150.2~USD~6 |
| Secret Key (only applicable to HMAC-SHA256) | test123 |
Generated signature |
5ac639cc57ea3ceccef66243f7a20412ea4ae0c86b5121ca6aa67597266057d1 |
First Decimal is an Odd Number and the Second is 5
| Item | Value |
|---|---|
| String Parameters | apiKey: 4Vj8eK4rloUd272L48hsrarnUA merchantId: 508029 referenceCode: PayUTest01 TX_VALUE: 150.35 currency: USD transactionState: 6 |
| Input String (formatted) | 4Vj8eK4rloUd272L48hsrarnUA~508029~PayUTest01~150.4~USD~6 |
| Secret Key (only applicable to HMAC-SHA256) | test123 |
Generated signature |
7bbb5dd21b3c668bbfec8455c4f4fd3887dff1caa9c5da3895ddd914065b4905 |
Other Cases
| Item | Value |
|---|---|
| String Parameters | apiKey: 4Vj8eK4rloUd272L48hsrarnUA merchantId: 508029 referenceCode: PayUTest01 TX_VALUE: 150.34 currency: USD transactionState: 6 |
| Input String (formatted) | 4Vj8eK4rloUd272L48hsrarnUA~508029~PayUTest01~150.3~USD~6 |
| Secret Key (only applicable to HMAC-SHA256) | test123 |
Generated signature |
50c8aae35caf923fbdbd791d7842b916ab7d6597b7c4032dd92ab67b7bb43e8a |
Validate Your Signature
Use this generator to create a signature with any of the available encryption methods. This functionality assists you in verifying the signature value that PayU sends to your Response URL.