• Each endpoint in the API specifies the HTTP Method used to perform required operation. If it is not explicitly specified, the default HTTP Method is POST.

• The session timeout of UPI API Server is set as 60 seconds.

• Version of the API that the endpoint conforms to should be specified in the URI. 

• Signature is transmitted in HTTP header, and signature verification is required for message interactions.

• All actionable fields shall be provided as part of the request parameters (path, query or body). Sensitive data shall be encrypted and then transmitted in HTTP body.

• All request and response payloads in the message body shall be sent in the JSON (JavaScript Object Notation) data-interchange format defined in [RFC 7159] or JWE object format as defined in [RFC 7516].

In order to be copped with fast evolving of the products, the UPI API is designed to be backward compatible. 

The following changes are considered backwards compatible.

• Adding a new API request/response.

• Adding a new optional request data element to an existing API.

• Adding a new indicator value. The value can be added either in the request or the response.

• Adding a new response parameter to the API response.

For the users' API Server to receiving request or response, it shall: 

• Ignore any unknown or undefined data objects received as part of API responses from UPI API Server. 

• Ignore any unknown or undefined data objects received as part of API requests from UPI API Server.

• Be compatible with new optional parameters