It is recommended to check every field in the message body according to the specification. Please delete the entire field from the message instead of using NULL or'' values, If you do not need to send the fields that require O:Optional or C:Conditional. 

If you use Card Enrollment to apply for a new virtual card, only send accountNo in cvmInfo. SCIS will return a new virtual card.

The high probability is that there are some errors in the JWS Protected Header. It is recommended to check whether the JWS Protected Header complies with the specification. For example: UPI-TIMESTAMP format is unix timestamp +/-300 seconds.

"UPI- REQPATH" is the same as service URL suffix. For example, the service URL suffix of SaaS Card Issuing Service Platform for App Gateway Exchange rate inquiry is "/scis/switch/exchangerateinquiry".

By verifying the signature, the message receiver needs to verify the full message except for the field 'signature' itself, so 'signature' in the to-be-signed string needs to be replaced by a fixed value '00000000'.

Must strictly follow the Security Requirements described in UPI Server-based API General Requirements.

The problem with Base64 is that it contains the characters +, /, and =, which have a reserved meaning in some filesystem names and URLs. So base64url solves this by replacing + with - and / with _. The trailing padding character = can be eliminated when not needed, but in a URL it would instead most likely be % URL encoded. Then the encoded data can be included in a URL without problems.

You should use Base64url to encode, otherwise we cannot successfully parse your request.