NPCI’s UPI API Security Guidelines: What You Must Know and How to Comply Faster with AppTrana
In a landmark move to safeguard the integrity and scalability of India’s real-time payment infrastructure, the National Payments Corporation of India (NPCI) released the UPI API Security Guidelines (OC-215/2025-26). It is a transformative mandate that goes beyond regulatory compliance. These guidelines redefine how Payment Service Providers (PSPs), acquiring banks, and UPI app providers design, deploy, monitor, and govern their API interactions.
Unlike earlier approaches that treated security as a one-time checkbox, this guideline represents a fundamental shift. Security and compliance are now dynamic, continuous functions integrated deeply into the software development lifecycle, operations, and monitoring frameworks.
The Driving Force Behind NPCI Guidelines
The rationale behind NPCI’s push is clear. As UPI usage explodes across India, the payment rails are under unprecedented strain. Traffic congestion, server overload, and a rising volume of automated API calls, many of them not initiated by users, have become critical bottlenecks. To ensure scalability without compromising speed or security, NPCI now demands that all ecosystem players move from reactive to proactive API governance.
The guidelines were officially notified on May 21, 2025, with the implementation deadline set for July 31, 2025, and enforcement from August 1, 2025. In essence, every API call, every automation trigger, and every background task now needs to be justified, tracked, and governed.
Key Technical Provisions Defined in the Guidelines
The NPCI guidelines are rooted in controlling API behavior, especially to differentiate between customer-initiated and system-initiated calls.
1. Transactions Per Second (TPS) and Rate Limiting
Banks and UPI apps are now required to cap the number of API transactions per second. This control ensures that the system is not flooded with high-frequency calls from bots, automated scripts, or poorly configured applications.
Rate limits must be enforced across all core APIs:
- Throttle bursts of calls
- Introduce exponential backoff on retries
- Drop excessive or redundant requests
2. Daily Usage Limits for Key API Functions
To ease server congestion, NPCI has set hard daily limits for high-volume API operations:
Balance Checks
- Each app (e.g., PhonePe, Paytm, Google Pay) can now request a maximum of 50 balance checks per user per day.
- If a user has multiple apps, each app operates independently under this cap.
Linked Account Views
- These are capped at 25 times per day per app.
- This function fetches a list of bank accounts or debit cards linked to a user’s UPI ID and is often called multiple times in the background. Such calls will now be strictly controlled.
Transaction Status Checks
- To prevent unnecessary retries during transaction delays, NPCI permits only 3 status checks per transaction, each spaced by at least 90 seconds.
- This forces apps to rely on appropriate failover logic and prevents brute-force polling of the system.
3. Scheduled Execution for AutoPay Transactions
To reduce system load during high-demand periods, NPCI now enforces designated time slots for AutoPay transaction executions.
Allowed Time Windows:
- Before 10:00 AM
- Between 1:00 PM and 5:00 PM
- After 9:30 PM
Prohibited Windows:
- 10:00 AM to 1:00 PM
- 5:00 PM to 9:30 PM
Apps must ensure AutoPay triggers are not initiated during blackout windows, and background services must queue or delay execution accordingly.
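The daily limits in section 2 and the AutoPay windows in section 3 are simple enough to enforce client-side before an API call ever leaves the app. The following is an added illustration, not code from NPCI, AppTrana or any UPI app: a hypothetical per-app guard that counts balance checks and linked-account views per user per day, spaces transaction status checks by at least 90 seconds with a hard cap of 3, and tells a background scheduler whether an AutoPay execution may start now or when the current blackout window ends. Treating the blackout windows as half-open intervals and scoping account views per user are assumptions.

```python
from collections import defaultdict
from datetime import time

# Limits as stated in the guideline summary above (sections 2 and 3).
MAX_BALANCE_CHECKS_PER_DAY = 50   # per user, per app, per day
MAX_ACCOUNT_VIEWS_PER_DAY = 25    # per app, per day (scoped per user here: an assumption)
MAX_STATUS_CHECKS_PER_TXN = 3
MIN_STATUS_CHECK_GAP_SECONDS = 90
# AutoPay blackout windows in local time, treated as [start, end): an assumption.
AUTOPAY_BLACKOUT = ((time(10, 0), time(13, 0)), (time(17, 0), time(21, 30)))

class UpiQuotaGuard:
    """Hypothetical per-app guard consulted before each outbound UPI API call."""
    def __init__(self):
        self.balance_checks = defaultdict(int)   # (user_id, date) -> count
        self.account_views = defaultdict(int)    # (user_id, date) -> count
        self.status_checks = defaultdict(list)   # txn_id -> [datetime, ...]

    def _count_and_allow(self, counter, key, limit):
        if counter[key] >= limit:
            return False                         # quota exhausted: drop the call
        counter[key] += 1
        return True

    def allow_balance_check(self, user_id, now):
        return self._count_and_allow(self.balance_checks, (user_id, now.date()), MAX_BALANCE_CHECKS_PER_DAY)

    def allow_account_view(self, user_id, now):
        return self._count_and_allow(self.account_views, (user_id, now.date()), MAX_ACCOUNT_VIEWS_PER_DAY)

    def allow_status_check(self, txn_id, now):
        history = self.status_checks[txn_id]
        if len(history) >= MAX_STATUS_CHECKS_PER_TXN:
            return False                         # retries exhausted: rely on failover logic
        if history and (now - history[-1]).total_seconds() < MIN_STATUS_CHECK_GAP_SECONDS:
            return False                         # too soon: caller must wait, not poll
        history.append(now)                      # only checks actually sent are counted
        return True

def autopay_allowed(now):
    t = now.time()
    return not any(start <= t < end for start, end in AUTOPAY_BLACKOUT)

def next_autopay_slot(now):
    """Earliest time at or after `now` outside a blackout window (queue until then)."""
    t = now.time()
    for start, end in AUTOPAY_BLACKOUT:
        if start <= t < end:
            return now.replace(hour=end.hour, minute=end.minute, second=0, microsecond=0)
    return now
```

A rejected status check is deliberately not recorded, so a misbehaving caller that polls too early does not burn one of its three permitted checks.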
4. Restricting Non-Customer Initiated API Calls
One of the most significant changes is the restriction on automated API calls that are not directly triggered by user actions.
These include:
- Fetching account lists
- Validating payment addresses
- Fetching encryption keys
- Auto-updating merchant lists
The guideline mandates strict throttling or complete blocking of these calls during peak load hours to ensure system stability.
5. List Verified Merchants API
To avoid repeated, bandwidth-heavy calls, NPCI now allows:
- Only one call per day to the List Verified Merchants API
- The API call must return at least 1,000 merchants in one batch
- The call should only occur during non-peak hours
6. Penny Drop API and Consent Enforcement
The Penny Drop API, used to validate bank account ownership, is now regulated under both NPCI rules and the Digital Personal Data Protection Act, 2023.
Banks must:
- Obtain explicit customer consent before triggering the call
- Use a dedicated UPI ID tagged with Merchant Category Code (MCC) 7413
- Ensure no personal data is stored or transmitted outside approved boundaries
This move reflects India’s broader push toward data privacy by design in all financial transactions.
7. ValCust API (Validation for IPOs, PAN, Remittances)
NPCI has flagged this API as high-risk and subjected it to:
- Moderated invocation speed
- Limited retry attempts
- Usage only within approved flows (such as IPO PAN validation or foreign remittance onboarding)
All calls must be auditable, rate-limited, and transparent to avoid overuse.
The Continuous Compliance Journey: Key Processes You Must Follow
The NPCI’s 2025 guidelines are not simply a list of checks to complete. They are a framework that demands ongoing validation, proactive enforcement, and proof of security maturity. To align with NPCI’s directives, here is a structured operational process banks and payment providers need to implement:
1. API Inventory & Discovery
All UPI APIs (existing and new) must be discovered, cataloged, and governed. Deprecated endpoints must be decommissioned and undocumented flows must not exist.
Process to Follow:
- Identify and classify every API (including legacy or undocumented ones).
- Tag APIs based on usage (transactional, informational, etc.).
- Decommission unused or sunset endpoints.
- Maintain visibility into partner or third-party usage.
How AppTrana Helps:
AppTrana automatically discovers all APIs including undocumented, shadow, and deprecated endpoints by analyzing live traffic, even if they are not defined in Swagger files. It builds a real-time inventory, classifies APIs by usage and generalizes dynamic paths for easier management. With rich metadata like authentication status, sensitive data exposure, and usage patterns, AppTrana helps identify risks, decommission outdated APIs, and enforce governance. This ensures continuous compliance with NPCI’s mandates on deprecated endpoint retirement, unintended API use prevention, and third-party access visibility.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- Deprecated Endpoint Retirement – AppTrana’s real-time API discovery and classification identify and remove outdated endpoints.
- Unintended API Use Prevention – Live traffic monitoring to detect and block undocumented or shadow APIs.
- Third-Party Partner Governance – Usage insights to track and control partner or third-party API access.
2. API Specification & Documentation
All APIs must have accurate, published specifications before deployment. These specs must define schema, status codes, error handling, authentication, and rate limits.
Process to Follow:
- Define OpenAPI/Swagger specs early in development.
- Validate request/response models.
- Maintain a central repository for auditors.
- Block APIs from going live without specs.
How AppTrana Helps:
AppTrana accepts and validates Swagger/OpenAPI specifications during deployment. It inspects live traffic to detect new or changed APIs and compares runtime behavior against documented specs, highlighting any deviations. This ensures only approved request/response schemas, status codes, and authentication models are allowed.
Combined with its real-time inventory, AppTrana enforces positive security policies that block out-of-spec requests. This prevents undocumented APIs from going live and fulfills NPCI’s expectations for pre-go-live documentation, compliance checkpoints in QA, and strict adherence to approved invocation flows.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- API Documentation (Pre-Go Live) – AppTrana validates Swagger/OpenAPI specs before deployment.
- Safe-by-Design API Specs – Enforces approved schemas, status codes, and authentication models.
- Compliance Checkpoints in QA – Detects deviations during testing to block out-of-spec APIs.
3. Enforce Positive Security Controls
APIs must only allow valid customer-triggered flows. Unauthorized, out-of-sequence, or excessive system-triggered requests must be blocked.
Process to Follow:
- Enforce “allow-listed” invocation paths.
- Differentiate human vs. automated requests.
- Block background refreshes during peak hours.
How AppTrana Helps:
- Implements positive security enforcement: only documented methods and flows are allowed.
- Analyzes traffic behavior to distinguish user-initiated from automated API calls.
- Enforces behavior-based rate limiting, access control, and IP-based throttling.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- TPS / Rate Limit Enforcement – Prevents abuse by capping requests per second.
- Prioritize Customer-Initiated API Calls – Gives precedence to genuine user flows over automated/bot traffic.
- Threshold Enforcement & Queuing – Controls high-volume bursts and queues excess requests without service disruption.
4. Continuous API Scanning & Testing
All APIs must be secure, tested for input/output validation, and must reject malformed payloads or unauthorized access attempts.
Process to Follow:
- Conduct frequent API vulnerability scans.
- Ensure input schema is enforced.
- Test authentication and authorization paths.
- Validate rate limits and error handling.
How AppTrana Helps:
AppTrana combines AI-driven automation with expert human testing to deliver continuous, accurate API security validation. Its built-in scanner detects OWASP Top 10 API vulnerabilities, while the AI-powered crawler explores complex API paths, validates input/output schemas, and simulates out-of-flow or unauthorized requests. To ensure zero false positives, findings are manually verified by security experts. AppTrana also tests authentication, authorization, and rate-limit controls, providing a comprehensive, real-world view of API security and helping organizations meet NPCI’s ongoing testing and validation requirements.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- Input & Output Validation – AppTrana’s API scanner validates request/response structures against defined schemas, ensuring malformed or unexpected payloads are detected and blocked.
- Authentication & Authorization Enforcement – AppTrana tests token-based authentication, role-based access controls, and session handling to identify bypass attempts and misconfigurations.
- Rate Limit & Quota Validation – AppTrana simulates high-volume and burst traffic to verify rate-limit policies, preventing abuse and ensuring compliance with transaction quotas.
5. Sensitive Data Handling & Encryption
Sensitive user data must be encrypted in transit and protected from being stored or accessed by unauthorized third parties.
Process to Follow:
- Enforce HTTPS/TLS across all APIs.
- Mask or classify sensitive fields (PAN, mobile, account number).
- Ensure data is only visible to authorized systems or users.
- Comply with DPDP Act, especially for Penny Drop APIs.
How AppTrana Helps:
AppTrana enforces TLS encryption by default, ensuring end-to-end protection of API data in transit. It supports data masking for sensitive fields such as personal identifiers and financial information in both logs and API responses, reducing the risk of accidental exposure. Additionally, AppTrana provides role-based access controls within its observability and reporting tools, ensuring that only authorized users can view or handle sensitive data, aligning with NPCI’s requirements for secure data handling and compliance with the Digital Personal Data Protection Act, 2023.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- Stronger Data Privacy Enforcement – AppTrana applies role-based access controls to restrict sensitive data visibility and uses data masking in logs and API responses to prevent accidental exposure.
- Encrypted Communication & Masking – TLS encryption is enforced by default for all API traffic, and sensitive fields like PAN, account numbers, and mobile numbers are masked to align with NPCI’s secure data handling standards.
6. Real-Time Monitoring & Audit Reporting
Maintain accurate audit trails of API activity. Submit reports via CERT-In assessors. Detect abnormal traffic patterns early.
Process to Follow:
- Enable logging for every API request/response.
- Track timestamps, parameters, outcomes.
- Analyze trends and flag outliers (e.g., repeated status checks).
- Share logs and reports during audits.
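The "flag outliers (e.g., repeated status checks)" step above is the kind of check an audit job can run over the request log. The following is an added example, not AppTrana's or NPCI's code: it parses constructed log lines in a hypothetical key=value format (timestamps assumed to be local time), then reports transactions that received more than 3 status checks, consecutive status checks less than 90 seconds apart, and AutoPay executions that fell inside a blackout window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format (not AppTrana's or NPCI's).
SAMPLE_LOG = """\
2025-08-01T09:00:00 app=payapp user=u1 api=TxnStatus txn=T1001 status=200
2025-08-01T09:00:20 app=payapp user=u1 api=TxnStatus txn=T1001 status=200
2025-08-01T09:01:00 app=payapp user=u1 api=TxnStatus txn=T1001 status=200
2025-08-01T09:02:45 app=payapp user=u1 api=TxnStatus txn=T1001 status=200
2025-08-01T09:05:00 app=payapp user=u2 api=TxnStatus txn=T1002 status=200
2025-08-01T09:06:30 app=payapp user=u2 api=TxnStatus txn=T1002 status=200
2025-08-01T11:30:00 app=payapp user=u3 api=AutoPayExecute txn=T1003 status=200
2025-08-01T22:00:00 app=payapp user=u3 api=AutoPayExecute txn=T1004 status=200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) api=(?P<api>\S+) txn=(?P<txn>\S+) status=(?P<status>\d+)$")
MAX_STATUS_CHECKS_PER_TXN = 3
MIN_STATUS_CHECK_GAP_SECONDS = 90
AUTOPAY_BLACKOUT = (((10, 0), (13, 0)), ((17, 0), (21, 30)))  # local (hh, mm), [start, end)

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole audit run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(rec)
    return events

def find_violations(events):
    """Return a sorted list of (txn, reason) tuples for every limit breach found."""
    violations = set()
    status_ts = defaultdict(list)
    for e in events:
        if e["api"] == "TxnStatus":
            status_ts[e["txn"]].append(e["ts"])
        elif e["api"] == "AutoPayExecute":
            hm = (e["ts"].hour, e["ts"].minute)
            if any(start <= hm < end for start, end in AUTOPAY_BLACKOUT):
                violations.add((e["txn"], "autopay_in_blackout_window"))
    for txn, stamps in status_ts.items():
        stamps.sort()  # log lines may arrive out of order from several collectors
        if len(stamps) > MAX_STATUS_CHECKS_PER_TXN:
            violations.add((txn, "status_checks_exceed_3"))
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if any(gap < MIN_STATUS_CHECK_GAP_SECONDS for gap in gaps):
            violations.add((txn, "status_check_gap_under_90s"))
    return sorted(violations)
```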
How AppTrana Helps:
AppTrana provides detailed, real-time visibility into API activity through a unified dashboard that tracks all discovered APIs, highlights those handling sensitive data, and flags unapproved or misconfigured endpoints. It logs every API request and response with timestamps, parameters, and outcomes, ensuring complete audit trails for compliance. The dashboard also offers analytics on traffic behavior, attack trends, and anomalies like repeated status checks, helping teams detect issues early. With built-in reporting aligned to CERT-In audit requirements, AppTrana simplifies compliance and empowers teams to make fast, data-driven security decisions.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- Comprehensive Audit Trails – AppTrana logs every API request and response with precise timestamps, parameters, and outcomes, ensuring end-to-end traceability for all transactions.
- Transaction Pattern Analysis – Advanced analytics monitor API traffic patterns in real time, flagging anomalies such as repeated status checks, abnormal frequency of requests, or unexpected data access, enabling faster incident detection and response.
7. Remediation & Continuous Improvement
Any vulnerability or violation found during monitoring or audit must be resolved immediately and recurrence prevented.
Process to Follow:
- Establish incident response workflows.
- Automate blocking of repeated offenders.
- Feed findings into development sprints.
How AppTrana Helps:
AppTrana’s inbuilt DAST scanner integrates into CI/CD pipelines, allowing security findings to be automatically fed into development sprints, enabling early detection and resolution. Combined with automated blocking of repeated offenders and actionable insights from real-time monitoring, AppTrana supports a continuous improvement cycle aligned with NPCI’s mandates for rapid incident response and sustained API security hygiene.
AppTrana further accelerates remediation through SwyftComply, which delivers instant virtual patching for open vulnerabilities, buying time for development teams to implement permanent fixes without exposing applications to risk. Protection is in place before any code change is deployed, which eliminates vulnerability exposure and produces a zero-vulnerability report for seamless audits.
Mapped NPCI Requirements (Addressed via AppTrana Capabilities):
- Prompt Remediation – CI/CD-integrated DAST + SwyftComply for instant virtual patching and zero-vulnerability audits.
- Continuous Improvement – Automated blocking, real-time monitoring, and sprint-fed findings for sustained API security.
Scale Securely, Comply Automatically
With UPI becoming a vital part of India’s financial infrastructure, NPCI’s API usage framework is a necessary evolution. But without automation, compliance can stifle agility.
AppTrana bridges this gap, enabling your teams to:
- Maintain velocity
- Enforce policy
- Secure sensitive data
- Demonstrate proof of compliance in real time
You do not have to choose between security and innovation anymore. With AppTrana, you get both by design.
Ready to simplify compliance and secure your APIs? Start a free trial to see how AppTrana can help you meet NPCI guidelines with zero disruptions and zero vulnerabilities.