Sbi CMP Rest Realtime Api Specifications V1.9
Sbi CMP Rest Realtime Api Specifications V1.9
Sbi CMP Rest Realtime Api Specifications V1.9
Specifications
CONFIDENTIALITY STATEMENT
No part of this document may be copied, reproduced, stored in any retrieval system, or transmitted in
any form or by any means, either electronically, mechanically, or otherwise without prior written
permission.
Document ID SBI/CMP/RealTimeRestService_1
Classification External
Vipul
1.2 11-03-2020 Added response field description
Shrivastava
Govind
1.3 20-12-2020 Added Error codes for response.
Chaurasia
Govind
1.4 02-08-2021 Added Late Return API details
Chaurasia
1. Corporate client would use CMP’s Payment data services for makingpayments. Transaction details
would be sent through secure Web API.
2. This Integration involves 2 web services (a) Payment Data service (b) Enquiry service, both hosted by
SBI.
3. In both the services communication is encrypted at channel level (using TLS 1.2) as well as at payload
level.
4. Access to both the services is token based, there is a token generation method implemented along
with actual service.
5. Client will first request a random token from SBI’s access token service, and the same token will be
used to authenticate while sending the request to Payment data service or Enquiry service.
6. Payment data service alsorequires authorisation for payments to get processedby means ofDigital
Signature.Signaturecan be sent in the Hash Value tag of Payment data service.
1. Process flow
Success/Failure
API response with Success/Failure
Method: 'POST',HTTP/1.1
URL: 'https://m.fastplusuat.onlinesbi.com:8443/SBITokenService/token/getToken'
Header: {'content-type': 'application/JSON'}
{
"AuthTokenRequest":"em2xEfQIllpAroB9t45VFk9lEkK+PDYpb1iU2oOM4y8Y9VpHLimmI8xbRQ8yxV6HF9NYgV
12gt9z2hSYKnVT0g==",
"SessionKey":"SEuosnLTBib9TNJJcB5yU/3b6F4fRo23YmcoWEzpl77+2uU0d20wfHpSP3r4b95F8UqMj/
SphGaLjMvh0f3m0bnNDXhvC/Jx9WoUwybvWB1uhaSEPAXvKW1UoKYwS475vjbnu4jP0hXUQZ1OFld1xz/
DkhEbJ/rjry7BxVBagwA0olFbwoI+UL/h4ObDWw71NJjpHl8dVt6NxxalvE0VulQCe6ROglSso22zX+YVuTpgOXu4/
AdVZifOmIBNG+0tf6llMzYQzAx+WoNIrxttE0vjfLGNJ8GxigROEIx6weQbzRl/
KUelbsDjfimWi0gbPCYZf1RbbxfalAsYbaAq/g== "
}
Data in AuthTokenRequest Tag: Below sample shows the plain text data in JSON format.
1. When token is requested for payments service “application” will contain the value “PaymentsData”.
2. For Enquiry service value will change to “Enquiry”.
{
"password":"ff0a4f3b85ccb62ac6f60e4a31556b1dbadc4fbcf5f12",
"username":"123456",
"application":"PaymentsData/Enquiry",
“client”:”298989”
}
Authentication Token Service Response Specification: The response contains a Token (in case of success),
status of request, remarks and error code. The token's type is Bearer which should be sent in header of the
PaymentsData or Enquiry service call. The validity of token expires in 5 mins. Following steps are to be
followed for getting the token from Response of the service:
1. Decrypt the randomly generated session key with the client’s private key using RSA algorithm.
2. The decrypted session key will then be used to decrypt the value of AuthTokenResponse tag using
AES 128 algorithm.
1. Decrypted AuthTokenResponse will contain the token value if the request is successful.
2. In case the request is failed token, tag will be blank and code, status & reason will be as per the table
given below.
{
"code":"200",
"remark":"Token successfully generated",
"token":"b8c841e6-ecb9-4b72-9de8-a53034860496:04155",
"status":"OK"
}
3 Invalid User Parameters or Null ERROR 602 Token Generation request cannot be
Values parsed
4 Internal Exception ERROR 603 Error in Token Generation Process
5 JSON Parsing Error ERROR 604 Could not parse web service request
1. The Payment data service is the synchronous service which accepts the actual data for transaction in
the specified JSON format.
2.[1.] It requires the token received from authentication service(1.1 AUTHENTICATION TOKEN
SERVICE), in header part. Requests with Invalid token or expired token will be rejected, and a new
token need to be generated.
3.[2.] The service accepts multiple transactions in one payload using a JSON in payments details tag.
4.[3.] Following is the specification of the service
Data Service Request Specifications: To access the payment service, Client will first prepare the request in text
format which is then encrypted & digitally signed. Below is the specification of the service.
For a particular corporate if “Product Code Auto Derivation” flag is enabled, then the Product Code
will be fetched automatically on the basis of “Beneficiary IFSC” code. (In this case the Product Code
value will be empty string)
If “Product Code Auto Derivation” flag is disabled, then the “Product Code” field will be a
mandatory field to pass value.
Note for Debit Account Number:The FastPlus application will pick the debit account number received in the
service request. All the debits will be executed in this same account number for further processing.
Data Service Response Specifications For all successful requests there will be acknowledgement and standard
HTTP 200 response will be sent. While for requests failed due to network issues and bad requests other
standard HTTP responses will be sent (See Reference).
Response Specification:
1. In response to the request of client, SBI will provide JSON response as mentioned in
sample response.
2.[1.] This response will be in plain text.
Sr
Scenario Status Status Code Remark/Reason Description
No
1 Payment Posted Successfully Success SU0000 Completed Successfully
Request Status = Failed due to request parsing errors
2 Unable to decrypt request Failure TE0001 Unable to decrypt request
3 Signature Mismatch or null Failure TE0002 Invalid Hash Value
value received
4 JSON Parsing Error, Data in Failure TE0003 Invalid Request Format
wrong format
Request Status = Failed due to request data validation errors
5 Wrong or null customer ID Failure TE0004 Invalid Customer ID
6 Duplicate Payment Reference Failure TE0005 Duplicate Payment Request
Number.
Note: Combination of
Corporate Id+ Payment
reference number will be
considered for duplication
check
7 Wrong Debit Account Failure TE0006 Invalid Debit Account
Number i.e. A/C Number
received in Payment Request
Vis-à-Vis debit accounts
mapped in system
8 Null check for all field Failure TE0007 Mandatory field missing
9 Product code missing if not Failure TE0008 Product Code cannot be null
opted for auto derivation
11 Debit Account Number Lock Failure TE0010 Please inquire status after some time
12 Any other failure not Failure TE0020 Technical failure. Please contact
mentioned in list support team
13 Invalid token Failure TE0012 Invalid Token
154 Unable to connect to CBS Pending ENQ001 Please inquire status after some time
10 Response not received from Pending ENQ002TE0009 Please inquire status after some time
CBS
Note: In case of any above technical failure scenarios (Status code starts with “TE”), payment
request has to be reinitiated by the client with a same reference number but in case Business failure
(Status code starts with “BE”), payment request has to be reinitiated by the client with a different
This scenario will be handled @ client end wherein request will have to reposted post connectivity
issue gets resolved.
In this case, client will have to enquire the status using enquiry API. In case client tries to resubmits
the request again, then it will be rejected with failure reason as “Duplicate Payment Request”
Key Management
Both the parties will exchange their PUBLIC KEY in X509 certificate format while private key will
remain with the party itself. However, before expiry of the certificate each party must intimate
the other about expiry.
{
"PaymentDetails":
{
"CustomerId":"28xxxx",
"PaymentReferenceNo":"XXXXX",
"DebitAccountNo":"debitAccountNo",
"BeneficiaryName":"beneficiaryName",
"BeneficiaryAccountNo":"12578945613",
"BeneficiaryIFSC":"ICIC0001234",
"Amount":185596.3,
"mobileNo":"9561234523",
"emailID":"XYZ@MS.com",
"Remarks":"remitterToBeneficiaryInfo",
“AdditionalField”:”additionalfield”
},
"HashValue":"zc0OvwE/
nNRAhl83r+9FIcjljKCTDWDXvSP3K4B1IEsIUDTdlQrhQTxmNk6gD9u02+MG+BBHvtXioxmmug9FJn1oXxHFJ0Cj3D
kljJrCJgtEuo4fX1qLmWeqRsMF+UkXIqfU+siYjmZlZJAKPfXwXMoej99U+LcXHfV6YSnWPb94RoVsE8eb7l+6u7xsy+f
VRkMhcaQ5xKpuNrHyy"
}
{
"CustomerId":"28xxxx",
"PaymentReferenceNo":"XXXXX",
"PaymentRequest":"qx8X9FY93VXmvquaNlE86WMVDciQouMmierQotQl2QqUh2pItlBT/
Na+GnAgMBAAGjITAfMB0GA1UdDgQWBBTSAcEBlxfDqvHGCFfH8s2WoNFMQjANBgkqhkiG9w0BAQUFAAOCAQ
EAZmPh2pRoWmYOWFSqOMozU1XZa3j560ic2wMR7bwMj5IzF+n75vjbABNmgtaZ6bu0OT3g1OHPttX4u85QiAE
{
"PaymentResponse":"qx8X9FY93VXmvquaNlE86WMVDciQouMmierQotQl2QqUh2pItlBT/
Na+GnAgMBAAGjITAfMB0GA1UdDgQWBBTSAcEBlxfDqvHGCFfH8s2WoNFMQjANBgkqhkiG9w0BAQUFAAOCAQ
EAZmPh2pRoWmYOWFSqOMozU1XZa3j560ic2wMR7bwMj5IzF+n75vjbABNmgtaZ6bu0OT3g1OHPttX4u85QiAE
V4i6RFLg3p80OdCCpG/slL6BAB6Olf8Cb6qtWWnDDyOWzr",
"SessionKey":"SEuosnLTBib9TNJJcB5yU/3b6F4fRo23YmcoWEzpl77+2uU0d20wfHpSP3r4b95F8UqMj/
SphGaLjMvh0f3m0bnNDXhvC/Jx9WoUwybvWB1uhaSEPAXvKW1UoKYwS475vjbnu4jP0hXUQZ1OFld1xz/
DkhEbJ/rjry7BxVBagwA0olFbwoI+UL/h4ObDWw71NJjpHl8dVt6NxxalvE0VulQCe6ROglSso22zX+YVuTpgOXu4/
AdVZifOmIBNG+0tf6llMzYQzAx+WoNIrxttE0vjfLGNJ8GxigROEIx6weQbzRl/
KUelbsDjfimWi0gbPCYZf1RbbxfalAsYbaA"
}
{
"PaymentReferenceNo":"1234",
"CMPReferenceNo":“AO4567895”,
"Status":"Success/Failure/Pending",
"Remarks":"xxxxx",
"JournalNo":"123456",
"errorCode":""
}
1. Client can request MIS (again by calling SBI Enquiry API) to get the transaction status using Reference
Number Provided as a response to the Payment Data service.
2.[1.] It also requires the token received from authentication service (1.1 AUTHENTICATION TOKEN
SERVICE), in header part. Requests with Invalid token or expired token will be rejected
3.[2.] SBI would respond to each Web service call to provide current status of the transaction.
4.[3.] Following are the web service specifications (request-response parameters).
Enquiry service Request Specifications: Client will send the request in JSONformat, which is encrypted, below
is the specification of the request and response for MIS Service along with the token provided earlier, in
header part. Requests with Invalid token or expired token will be rejected, and a new token need to be
generated.
1. Client will send the request in JSON format which contains “CustomerCode” (Corporate Id) and
“PaymentReferenceNo”.
2. Complete JSON request will be encrypted with the Public key of SBI using RSA algorithm with cipher
RSA/GCM/OAEPPadding.
3. SBI will decrypt the request by using its own Private Key.
Enquiry service Response specification: For all successful requests there will be JSON response and
standard HTTP 200 response will be sent. The response of web service will be of 2 type one for
successfully validated and other for validation failed requests. While for requests failed due to
network issues and bad requests other standard HTTP responses will be sent (See Reference).
1. Success
2. Failure
3. Pending
Sr.
Scenario Status Status Code Remark/Reason Description
No
1 Payment Posted Successfully Success SU0000 Completed Successfully
Request Status = Failed due to request parsing errors
2 Unable to decrypt request Failure TE0001 Unable to decrypt request
Request Status = Failed due to request data validation errors
3 Null corporate ID Failure TE0004 Invalid Corporate ID
Wrong or Null payment
4 Failure TE0011 Invalid Payment reference number
reference number
Request Status = Failed at the time of posting in CBS
BE+ <4 digit CBS
5 Posting Failure @ CBS Failure Failure message as received from CBS
Error code>
Request Status = Pending
6 Unable to connect to CBS Pending ENQ001 Please inquire status after some time
Response not received from
7 Pending TE0009 Please inquire status after some time
CBS
Key Management:
Both the parties will exchange their PUBLIC KEY in X509 certificate format while private key will
remain with the party itself. However, before expiry of the certificate each party must intimate the
other about expiry.
{
“CustomerCode”:”283467”,
“PaymentReferenceNo”:”123456”
}
{
"EnquiryRequest":”qx8X9FY93VXmvquaNlE86WMVDciQouMmierQotQl2QqUh2pItlBT/
Na+GnAgMBAAGjITAfMB0GA1UdDgQWBBYLF1KEU0pqpQcF9nWiG9wabOrfBvl2QqUh2pItlBT/
Na+GnAgMBAAGjITAfMB0GA1UdDgQWBGnAgMBAAGjITAfMB0GA1UdDgQWAcEBlxfDqvHvukGneVVxgdRzQDS
VDWB7I1KlPbTeAEKeyQInLlXIlkdP1D2TnVBXdrDG4bXK4s7NyVPydJ3NFNVOA2TqPfz87p3U7bWGBj8/
UCRcrguj6jGSflMu4f+hYr83iFL3Txlcg474zms5QqywhWMK3/7yMFVV2avYVLmErQCgRt0JExF5ASh00utcdUm”
}
{
"paymentReferenceNo": "1234",
"cmpReferenceNo": "AO4567895",
"status": "Success/Failure/Pending",
"remarks": " SU0000| Payment Posted Successfully",
ResponseJSON (Encrypted)
{
"paymentResponse":"qx8X9FY93VXmvquaNlE86WMVDciQouMmierQotQl2QqUh2pItlBT/
Na+GnAgMBAAGjITAfMB0GA1UdDgQWBBTSAcEBlxfDqvHGCFfH8s2WoNFMQjANBgkqhkiG9w0BAQUFAAOCAQ
EAZmPh2pRoWmYOWFSqOMozU1XZa3j560ic2wMR7bwMj5IzF+n75vjbABNmgtaZ6bu0OT3g1OHPttX4u85QiAE
V4i6RFLg3p80OdCCpG/slL6BAB6Olf8Cb6qtWWnDDyOWzr",
"sessionKey":"SEuosnLTBib9TNJJcB5yU/3b6F4fRo23YmcoWEzpl77+2uU0d20wfHpSP3r4b95F8UqMj/
SphGaLjMvh0f3m0bnNDXhvC/Jx9WoUwybvWB1uhaSEPAXvKW1UoKYwS475vjbnu4jP0hXUQZ1OFld1xz/
DkhEbJ/rjry7BxVBagwA0olFbwoI+UL/h4ObDWw71NJjpHl8dVt6NxxalvE0VulQCe6ROglSso22zX+YVuTpgOXu4/
AdVZifOmIBNG+0tf6llMzYQzAx+WoNIrxttE0vjfLGNJ8GxigROEIx6weQbzRl/
KUelbsDjfimWi0gbPCYZf1RbbxfalAsYbaA"
}
Response
Payments Late Returnservice Request Specifications: SBI will send the request in JSON format, which is
encrypted, below is the specification of the request and no response will be received.
{
“LateReturnRequest”:“JlzmiUgpvuaw9MS/9G3HtIa5U0jznTYKUAkxuXRXjsHDTyBAiBJCz54saRp/
UbUV82sTkk2Si7MjRub4u/6L2HJn/
lLqBuiKEd5ZogOdlD5heFZwQQa4H0C0BDzemZFMcDGPkQO+Em3b03z90Z3izGedgaSofIl+/wV3cddUc9Ois/
r1yvuFEGwjjakhx0eKTagaQ8OjSST3n+SX5PyhAX/67OPKLUZk/
WbQKo0KDOjDLvo8oVLWAtZRZNwdB71gdGxB0bOr/2PfNHjTk3k7A2pRXmakguk4fMS+zZIn”,
"SessionKey":"E1ab8hxpHK+UQm4GXhvfXGsSp3XI0wnPbGlsbBUrgkXafx4mpJbLYFkwmYH/ec/
SdEnwMd0Zpq1me056xFcr5bWX7UwAnTWMwqdqf6ZNPJmXB+i2ErHq7Gc1XgsnZrPGZNWsGUnMbyE1iSyHfcY
YvisTH+Zt25+TGa7A1ohi+kXEZg3GL0wzhWYzNt08huklOOilRwqn0zhHKh18ghAiwk4nJRamCbwVzfFzvd2BedJXb
kE0LEtpZohRn6zL0cVHJ6DYLuDNMpP+o2VICNs1ljXlfb2W317gOuPPjo7EfrZxSqi5yHDVjFkQHzMYQtZpg+XgnJVR
nD6OEJk+P8kshw=="
}
1. The whole request would be encrypted using a randomly generated AES 128 algorithm key using
cipher AES/GCM/NoPadding
Base64 Decoded
Message Digest – SHA-256
Key Management:
Both the parties will exchange their PUBLIC KEY in X509 certificate format while private key will
remain with the party itself. However, before expiry of the certificate each party must intimate the
other about expiry.