Calculate X-Verify

Step 1: Check if your JSON format is correct at https://jsonlint.com/.

{
	"merchantId": "DemoMerchant",
	"transactionId": "TX123456789",
	"merchantOrderId": "M123456789",
	"amount": 100,
	"instrumentType": "MOBILE",
	"instrumentReference": "9xxxxxxxxxx",
	"message": "collect for XXX order",
	"email": "[email protected]",
	"expiresIn": 180,
	"shortName": "DemoCustomer",
	"subMerchant": "DemoMerchant",
	"storeId": "store1",
	"terminalId": "terminal1"
}

Step 2: Encode above request to base64. You can check the correct encoding at
https://www.base64encode.org/

Example of the above encoding:
ewoJIm1lcmNoYW50SWQiOiAiRGVtb01lcmNoYW50IiwKCSJ0cmFuc2FjdGlvbklkIjogIlRYMTIzNDU2Nzg5IiwKCSJtZXJjaGFudE9yZGVySWQiOiAiTTEyMzQ1Njc4OSIsCgkiYW1vdW50IjogMTAwLAoJImluc3RydW1lbnRUeXBlIjogIk1PQklMRSIsCgkiaW5zdHJ1bWVudFJlZmVyZW5jZSI6ICI5eHh4eHh4eHh4eCIsCgkibWVzc2FnZSI6ICJjb2xsZWN0IGZvciBYWFggb3JkZXIiLAoJImVtYWlsIjogImFtaXR4eHg3NUBnbWFpbC5jb20iLAoJImV4cGlyZXNJbiI6IDE4MCwKCSJzaG9ydE5hbWUiOiAiRGVtb0N1c3RvbWVyIiwKCSJzdWJNZXJjaGFudCI6ICJEZW1vTWVyY2hhbnQiLAoJInN0b3JlSWQiOiAic3RvcmUxIiwKCSJ0ZXJtaW5hbElkIjogInRlcm1pbmFsMSIKfQ==

Step 3: Calculate X-VERIFY

SHA256(only base64 encoded str+ “/v3/service/access” + salt key) + ### + salt index

SHA256 OF (ewoJIm1lcmNoYW50SWQiOiAiRGVtb01lcmNoYW50IiwKCSJ0cmFuc2FjdGlvbklkIjogIlRYMTIzNDU2Nzg5IiwKCSJtZXJjaGFudE9yZGVySWQiOiAiTTEyMzQ1Njc4OSIsCgkiYW1vdW50IjogMTAwLAoJImluc3RydW1lbnRUeXBlIjogIk1PQklMRSIsCgkiaW5zdHJ1bWVudFJlZmVyZW5jZSI6ICI5eHh4eHh4eHh4eCIsCgkibWVzc2FnZSI6ICJjb2xsZWN0IGZvciBYWFggb3JkZXIiLAoJImVtYWlsIjogImFtaXR4eHg3NUBnbWFpbC5jb20iLAoJImV4cGlyZXNJbiI6IDE4MCwKCSJzaG9ydE5hbWUiOiAiRGVtb0N1c3RvbWVyIiwKCSJzdWJNZXJjaGFudCI6ICJEZW1vTWVyY2hhbnQiLAoJInN0b3JlSWQiOiAic3RvcmUxIiwKCSJ0ZXJtaW5hbElkIjogInRlcm1pbmFsMSIKfQ==/v3/charge+”SALTKEY”).

SALT KEY will be shared by the PhonePe team corresponding to your Merchant ID.

Example: 

"keyIndex":1,"key":"6b451f58-d565-4890-836f-6fb1gjt84d97",
"keyIndex":2,"key":"487667h6e9-91d3-4dfa-930a-8d3813745441"

Use one of the keys to generate SHA256.

SHA256 OF
(ewoJIm1lcmNoYW50SWQiOiAiRGVtb01lcmNoYW50IiwKCSJ0cmFuc2FjdGlvbklkIjogIlRYMTIzNDU2Nzg5IiwKCSJtZXJjaGFudE9yZGVySWQiOiAiTTEyMzQ1Njc4OSIsCgkiYW1vdW50IjogMTAwLAoJImluc3RydW1lbnRUeXBlIjogIk1PQklMRSIsCgkiaW5zdHJ1bWVudFJlZmVyZW5jZSI6ICI5eHh4eHh4eHh4eCIsCgkibWVzc2FnZSI6ICJjb2xsZWN0IGZvciBYWFggb3JkZXIiLAoJImVtYWlsIjogImFtaXR4eHg3NUBnbWFpbC5jb20iLAoJImV4cGlyZXNJbiI6IDE4MCwKCSJzaG9ydE5hbWUiOiAiRGVtb0N1c3RvbWVyIiwKCSJzdWJNZXJjaGFudCI6ICJEZW1vTWVyY2hhbnQiLAoJInN0b3JlSWQiOiAic3RvcmUxIiwKCSJ0ZXJtaW5hbElkIjogInRlcm1pbmFsMSIKfQ==/v3/charge6b451f58-d565-4890-836f-6fb1gjt84d97)

Which will be: 

83A41A36020D6FD2F0E0F02528ADB8784D7800BD56C6C743A28FC49319A4FFDAF8B40A2F3F475BD40968E4644690F874AE63AE744BCE602EC577E1BEBE2364B1

You can validate the value at https://passwordsgenerator.net/sha256-hash-generator/

Once SHA256 is calculated, you should calculate the X-VERIFY header value.

SHA256(only base64 encoded str+ “/v3/charge” + salt key) + ### + salt index

X-VERIFY : 83A41A36020D6FD2F0E0F02528ADB8784D7800BD56C6C743A28FC49319A4FFDAF8B40A2F3F475BD40968E4644690F874AE63AE744BCE602EC577E1BEBE2364B1###1

Where 1 is keyIndex as shared above.

So the request should be:

curl -X POST \
  https://mercury-uat.phonepe.com/v3/charge \
   -H 'content-type: application/json' \
  -H 'x-verify: 5BB903E40D045733B3D10B2E0CC62FE4D7BC401FF98F014824DFB33B09E620AB###1' \
  -d '{
  "request": "ewoJIm1lcmNoYW50SWQiOiAiRGVtb01lcmNoYW50IiwKCSJ0cmFuc2FjdGlvbklkIjogIlRYMTIzNDU2Nzg5IiwKCSJtZXJjaGFudE9yZGVySWQiOiAiTTEyMzQ1Njc4OSIsCgkiYW1vdW50IjogMTAwLAoJImluc3RydW1lbnRUeXBlIjogIk1PQklMRSIsCgkiaW5zdHJ1bWVudFJlZmVyZW5jZSI6ICI5eHh4eHh4eHh4eCIsCgkibWVzc2FnZSI6ICJjb2xsZWN0IGZvciBYWFggb3JkZXIiLAoJImVtYWlsIjogImFtaXR4eHg3NUBnbWFpbC5jb20iLAoJImV4cGlyZXNJbiI6IDE4MCwKCSJzaG9ydE5hbWUiOiAiRGVtb0N1c3RvbWVyIiwKCSJzdWJNZXJjaGFudCI6ICJEZW1vTWVyY2hhbnQiLAoJInN0b3JlSWQiOiAic3RvcmUxIiwKCSJ0ZXJtaW5hbElkIjogInRlcm1pbmFsMSIKfQ=="
}'