Banking

NPCI Tightens UPI API Rules From August 1 After Repeated Outages

In May 2025, over 18 billion transactions were processed through UPI, India's dominant digital payment system, with transaction values exceeding Rs 25.14 lakh crore. Despite its popularity, the technology has become increasingly vulnerable due to its scale

NPCI Tightens UPI API Rules From August 1 After Repeated Outages
info_icon

Following a spate of outages, which brought to light the stress on the digital payment network, the National Payments Corporation of India (NPCI) has issued stringent norms for the usage of critical UPI APIs. This is not something users will see right away, but it will take the pressure off the back end by constraining ways of having to do high-frequency things like checking balances and verifying transaction status, as per media reports.

In May 2025, UPI, India's most popular digital payment system, accounted for more than 18 billion transactions with a transaction value of over as many as Rs 25.14 lakh crore. In recent years, the technology has grown more fragile, despite its ubiquity. Four service interruptions occurred in just 18 days, from March 26 to April 12, a supersized hiccup rate for a site with more than 400 million users. The final straw came with the longest of the outages, five hours on April 12, the report added.

Advertisement

"The system was being overwhelmed by excessive API calls, particularly for balance inquiries and transaction status checks," NPCI noted in an internal report. Some banks, it found, were repeatedly pinging the system for transaction updates, even for older payments, violating the protocol that restricts such requests to three attempts with a 90-second gap between each.

Starting on August 1, NPCI will enforce usage caps on ten of the most-used APIs. Daily balance checks will be limited to 50 per app. The number of times users can check which bank accounts are linked to their mobile number will be capped at 25 per app per day. Autopay mandates for subscriptions or investments like SIPs will only be executed during off-peak hours: before 10 a.m., between 1–5 p.m., or after 9:30 p.m.

Advertisement

Another major change is the staggered handling of "check transaction status" API calls. Banks and payment service providers (PSPs) must now ensure that no more than three such requests are made within two hours, each spaced at least 90 seconds apart after authentication.

To cut down on unnecessary balance queries, banks will be required to include real-time account balance details in every transaction confirmation message. Additionally, non-customer-initiated API calls will be throttled during peak usage hours.

These updates are a direct response to what NPCI sees as "system abuse" and unsustainable backend traffic. "PSP banks and/or acquiring banks shall ensure all the API requests... are monitored and moderated in terms of appropriate usage," the NPCI said in its advisory.

Advertisement

For most users, the shift will be subtle. But those who frequently check balances or rely on auto-debit features might start noticing limits. Apps that automatically perform internal balance checks could hit the cap more quickly, although real-time balance notifications aim to reduce the need for manual inquiries.

There's also a compliance deadline: by August 31, all PSPs must submit a signed undertaking confirming their APIs are rate-limited and queued correctly. Those who fail to comply risk facing penalties, a freeze on onboarding new users, or even restricted access to the UPI network.

The changes mark a significant shift in how UPI will operate behind the scenes, prioritising long-term system stability over unchecked convenience.

Advertisement

Advertisement

Advertisement

Advertisement

Advertisement

CLOSE