API Version 1.0
API Credentials & Endpoints
Use MaxPayU as a hosted payment gateway for game deposits and withdrawals. Your backend creates orders with stable merchant ids, players pay on hosted links, and wallet credit happens only after signed webhooks.
Critical Security NoticeNever expose your live secret key in frontend code, mobile apps, APKs, Unity clients, or public repositories.
Auth Header
x-api-key
Base URL
https://maxpayu.com
Webhook Header
x-maxpay-signature
Authentication
Generate a live key from Developer Portal, store it only on your backend, and send it with every API request using `x-api-key` or `Authorization: Bearer sk_live_...`. If IP whitelisting is configured, requests from unlisted public IPs are rejected.
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}SDK STYLE
Multiple Language Integration
Copy-Paste Examples for Common Backends
The REST API is language-neutral. Use these examples from your server only, never from frontend or game client code.
Create Pay-In Order
Every language sends the same JSON body and the same `x-api-key` header. Keep `merchantOrderId` unique for each deposit.
curl -X POST "https://maxpayu.com
/api/v1/payin/create" \
-H "x-api-key: sk_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"amount": 100,
"merchantOrderId": "deposit_player42_1001",
"customerMeta": {
"playerId": "player42",
"username": "rohan"
}
}'Status Check Example
Store your `merchantOrderId` and use it to check status or reconcile if a webhook retry is delayed.
curl -X POST "https://maxpayu.com
/api/v1/payin/status" \
-H "x-api-key: sk_live_xxx" \
-H "Content-Type: application/json" \
-d '{"merchantOrderId":"deposit_player42_1001"}'cURL
curl -X POST "https://maxpayu.com
/api/v1/payin/create" \
-H "x-api-key: sk_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"amount": 100,
"merchantOrderId": "deposit_player42_1001",
"customerMeta": {
"playerId": "player42",
"username": "rohan"
}
}'Node.js
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payin/create",
{
amount: 100,
merchantOrderId: "deposit_player42_1001",
customerMeta: {
playerId: "player42",
username: "rohan"
}
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));PHP
<?php
$payload = [
"amount" => 100,
"merchantOrderId" => "deposit_player42_1001",
"customerMeta" => [
"playerId" => "player42",
"username" => "rohan"
]
];
$ch = curl_init("https://maxpayu.com
/api/v1/payin/create");
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
"x-api-key: sk_live_xxx",
"Content-Type: application/json"
],
CURLOPT_POSTFIELDS => json_encode($payload)
]);
$response = curl_exec($ch);
curl_close($ch);
echo $response;Python
import requests
response = requests.post(
"https://maxpayu.com
/api/v1/payin/create",
headers={
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json",
},
json={
"amount": 100,
"merchantOrderId": "deposit_player42_1001",
"customerMeta": {
"playerId": "player42",
"username": "rohan",
},
},
timeout=15,
)
print(response.json())Java
HttpClient client = HttpClient.newHttpClient();
String json = """
{
"amount": 100,
"merchantOrderId": "deposit_player42_1001",
"customerMeta": {
"playerId": "player42",
"username": "rohan"
}
}
""";
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://maxpayu.com
/api/v1/payin/create"))
.header("x-api-key", "sk_live_xxx")
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(json))
.build();
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());PHP Webhook Verification
<?php
$rawBody = file_get_contents("php://input");
$signature = $_SERVER["HTTP_X_MAXPAY_SIGNATURE"] ?? "";
$expected = hash_hmac("sha256", $rawBody, "YOUR_WEBHOOK_SECRET");
if (!hash_equals($expected, $signature)) {
http_response_code(401);
echo json_encode(["success" => false]);
exit;
}
$payload = json_decode($rawBody, true);
if (($payload["event"] ?? "") === "payin.success") {
// Credit wallet once using merchantOrderId idempotency.
}
echo json_encode(["success" => true]);Python Webhook Verification
import hashlib
import hmac
from flask import Flask, request, jsonify
app = Flask(__name__)
WEBHOOK_SECRET = b"YOUR_WEBHOOK_SECRET"
@app.post("/maxpay/webhook")
def maxpay_webhook():
raw_body = request.get_data()
signature = request.headers.get("x-maxpay-signature", "")
expected = hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()
if not hmac.compare_digest(expected, signature):
return jsonify(success=False), 401
payload = request.get_json()
if payload.get("event") == "payin.success":
# Credit wallet once using merchantOrderId idempotency.
pass
return jsonify(success=True)POST
Pay-In Collections
Create Pay-In Order
/api/v1/payin/create
Request Body
- amount (Number) - Required
- merchantOrderId (String) - Required unique deposit id
- customerMeta (Object) - Optional player metadata
Success Response
{
"success": true,
"message": "Pay-in order created",
"data": {
"orderId": "ORD_1779185523950_1234",
"merchantOrderId": "deposit_player42_1001",
"paymentUrl": "https://maxpayu.com
/pay/ORD_1779185523950_1234",
"amount": "100",
"status": "processing",
"expiresAt": "2026-05-20T10:30:00.000Z"
}
}Javascript Example
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payin/create",
{
amount: 100,
merchantOrderId: "deposit_player42_1001",
customerMeta: {
playerId: "player42",
username: "rohan"
}
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));POST
Pay-In Confirmation
Submit Pay-In UTR
/api/v1/payin/submit-utr
Request Body
- orderId (String) - Required
- utr (String) - Required bank or UPI reference
Success Response
{
"success": true,
"message": "UTR submitted",
"data": {
"orderId": "ORD_1779185523950_1234",
"utr": "123456789012",
"status": "processing"
}
}Javascript Example
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payin/submit-utr",
{
orderId: "ORD_1779185523950_1234",
utr: "123456789012"
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));POST
Pay-In Collections
Check Pay-In Status
/api/v1/payin/status
Request Body
- orderId (String) - Required if merchantOrderId is absent
- merchantOrderId (String) - Required if orderId is absent
Success Response
{
"success": true,
"message": "Status checked",
"data": {
"orderId": "ORD_1779185523950_1234",
"merchantOrderId": "deposit_player42_1001",
"status": "success",
"amount": "100",
"fee": "5",
"netAmount": "95",
"utr": "123456789012"
}
}Javascript Example
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payin/status",
{
orderId: "ORD_1779185523950_1234"
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));POST
Payout Disbursements
Create Payout Request
/api/v1/payout/create
Request Body
- amount (Number) - Required
- bankAccount (String) - Required
- ifsc (String) - Required
- beneficiaryName (String) - Required
- merchantOrderId (String) - Required unique withdrawal id
Success Response
{
"success": true,
"message": "Payout request created",
"data": {
"payoutId": "PAYOUT_1779185523950_1234",
"merchantOrderId": "withdraw_player42_1001",
"amount": "500",
"fee": "10",
"debitAmount": "510",
"status": "processing"
}
}Javascript Example
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payout/create",
{
amount: 500,
bankAccount: "987654321012",
ifsc: "HDFC0001234",
beneficiaryName: "Rohan Sharma",
merchantOrderId: "withdraw_player42_1001"
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));POST
Payout Disbursements
Check Payout Status
/api/v1/payout/status
Request Body
- payoutId (String) - Required if merchantOrderId is absent
- merchantOrderId (String) - Required if payoutId is absent
Success Response
{
"success": true,
"message": "Payout status checked",
"data": {
"payoutId": "PAYOUT_1779185523950_1234",
"merchantOrderId": "withdraw_player42_1001",
"status": "success",
"amount": "500",
"fee": "10",
"debitAmount": "510",
"reference": "BANK_REF_123"
}
}Javascript Example
const axios = require("axios");
axios.post(
"https://maxpayu.com
/api/v1/payout/status",
{
payoutId: "PAYOUT_1779185523950_1234"
},
{
headers: {
"x-api-key": "sk_live_xxx",
"Content-Type": "application/json"
}
}
).then((res) => console.log(res.data));CALLBACK
Webhook Integration
Handle Real-Time Updates
POST your configured webhook URL
Payload Fields
- event - payin.success or payout.success
- status - processing or success
- orderId or payoutId - MaxPayU transaction id
- merchantOrderId - Your required game deposit or withdrawal id
- timestamp - ISO date string
Wallet Credit RuleStore processed merchantOrderId values and credit a player wallet only once after a valid payin.success signature.
Create orderCustomer paysStatus updatesWebhook sent
Node.js Listener
const express = require("express");
const crypto = require("crypto");
const app = express();
app.use(express.json({
verify: (req, _res, buf) => {
req.rawBody = buf.toString("utf8");
}
}));
app.post("/maxpay/webhook", (req, res) => {
const signature = req.header("x-maxpay-signature");
const expected = crypto
.createHmac("sha256", "YOUR_WEBHOOK_SECRET")
.update(req.rawBody)
.digest("hex");
const valid =
signature &&
signature.length === expected.length &&
crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
if (!valid) {
return res.status(401).json({ success: false });
}
if (req.body.event === "payin.success") {
// check merchantOrderId was not processed before, then credit wallet once
}
return res.status(200).json({ success: true });
});Merchant Dashboard Status
Every pay-in and payout created through the API appears in the merchant dashboard. Merchants can track processing and success states from Pay-in and Payout ledger pages.