API Integration Policy

Technical guidelines, security standards, and usage rules for connecting to the Paybachat RESTful API.

Last Updated: June 25, 2026

Shilvora Software Private Limited provides robust B2B APIs to empower businesses to launch their own white-label fintech portals. This API Integration Policy governs the usage of Paybachat APIs (including Recharge, BBPS, DMT, and AEPS APIs). By generating API keys and utilizing our endpoints, B2B Partners ("API Consumers") agree to comply with this policy.

1. API Access and Authentication

To ensure maximum security and trackability across our infrastructure, API access is strictly regulated:

  • Authentication Tokens: All API requests must be authenticated using the unique API Key and Secret generated from your B2B dashboard. These keys must be kept confidential and must never be exposed in client-side code (e.g., JavaScript).
  • IP Whitelisting: API requests will only be accepted from pre-approved, static IP addresses. Requests originating from non-whitelisted IPs will automatically trigger a 403 Forbidden response.
  • SSL Encryption: All data must be transmitted via HTTPS (TLS 1.2 or higher). Unencrypted HTTP requests will be permanently rejected.

2. Usage Limits and Rate Limiting

To protect our infrastructure and upstream banking partners from DDoS attacks and system overloads, Paybachat enforces strict rate limits:

  • Standard Tier: Up to 100 requests per minute per IP address.
  • Enterprise Tier: Custom rate limits as defined in the B2B Service Level Agreement (SLA).

If an API Consumer exceeds the permitted rate limit, the API will return a 429 Too Many Requests status code. Repeated throttling violations may result in temporary API key suspension.
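A client that paces itself stays under the Standard Tier limit instead of discovering it through 429 responses. The sketch below is an added example, not Paybachat code: `send` is a hypothetical caller-supplied function that performs one request and returns its HTTP status code, and the backoff values are assumptions, since this policy gives no retry guidance.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Client-side guard: at most `limit` requests in any `window` seconds.

    The Standard Tier limit is per IP address, so every process that
    egresses from the same whitelisted IP must share one limiter budget.
    """

    def __init__(self, limit=100, window=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # timestamps of requests still inside the window

    def acquire(self):
        """Block until one more request fits; return the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            # Forget requests that have aged out of the window.
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()
            if len(self.sent) < self.limit:
                self.sent.append(now)
                return waited
            # Window is full: wait until the oldest request expires.
            delay = self.window - (now - self.sent[0])
            self.sleep(delay)
            waited += delay


def call_with_throttle(send, limiter, max_retries=3, base_backoff=2.0):
    """Run send() under the limiter; back off exponentially on a 429.

    Returns (final_status, retries_used). Retries are bounded because
    repeated throttling violations can lead to key suspension.
    """
    for attempt in range(max_retries + 1):
        limiter.acquire()
        status = send()
        if status != 429:
            return status, attempt
        if attempt < max_retries:
            limiter.sleep(base_backoff * 2 ** attempt)  # assumed: 2s, 4s, 8s
    return 429, max_retries
```
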

3. Data Privacy and Compliance

As an API Consumer, you are processing sensitive financial and personal data. You are legally bound to adhere to Indian data protection laws and RBI guidelines:

  1. No Storage of Sensitive Data: You must never store biometric data (fingerprints), Aadhaar numbers in plain text, CVV codes, or OTPs on your servers.
  2. Customer Consent: You must obtain explicit digital or physical consent from the end-customer before triggering any AEPS, DMT, or BBPS API request on their behalf.
  3. Data Breach Notification: In the event of a security breach on your platform, you must notify Paybachat's technical team within 12 hours so that your API keys can be instantly revoked and unauthorized fund routing prevented.

4. Testing and Sandbox Environment

Before moving to production, all API Consumers must successfully complete an integration test in the Paybachat Sandbox environment. Testing production APIs with dummy data, invalid Aadhaar numbers, or fake bank accounts is strictly prohibited and will result in wallet penalties.

5. Uptime and Service Level Agreement (SLA)

Paybachat aims to maintain a 99.9% API uptime. However, our services are dependent on upstream providers (NPCI, UIDAI, Telecom Operators, and Sponsor Banks). We will not be held liable for API timeouts or failed webhooks caused by upstream downtime. Planned maintenance windows will be communicated via email at least 48 hours in advance.

6. Suspension of API Access

Paybachat reserves the right to instantly revoke API keys and suspend services without prior notice if we detect:

  • Suspicious, fraudulent, or non-compliant transaction patterns.
  • Attempts to bypass rate limits or inject malicious payloads (SQLi, XSS) into our endpoints.
  • Failure to maintain a minimum wallet balance required for API routing.
  • Failure to comply with KYC / e-KYC norms for your downstream retailers.

Technical Support & API Documentation

For API documentation, webhook setup, or integration troubleshooting, our developer support team is ready to assist you:

Developer Support: api-support@shilvorasoftware.com
API Documentation Portal: docs.paybachat.in

*Paybachat is a technology platform, not a bank. All standard banking and BBPS utility services are offered through authorized RBI-regulated partner banks and BBPS Operating Units.