NPCI has instructed all banks and Payment Service Providers (PSPs) to regulate the use of 10 key APIs on the UPI network by July 31, 2025.
These APIs include those for balance inquiry, autopay mandate execution, and transaction status checks, among others.
NPCI Directs Banks and PSPs to Regulate Use of 10 Key UPI APIs by July 31, 2025
Users will be allowed to perform these API-based transactions only a limited number of times per day.
The circular (dated May 21, 2025) mandates that “PSP banks and/or acquiring banks shall ensure all the API requests (in terms of velocity and TPS — transactions per second limitations) sent to UPI are monitored and moderated in terms of appropriate usage (customer-initiated and PSP system-initiated)”.
Non-compliance may lead to API restrictions, penalties, suspension of onboarding new customers, or other disciplinary actions from NPCI.
All PSPs must submit a declaration to NPCI by August 31, 2025, confirming that all system-initiated APIs are “queued and rate-limited.”
APIs that are not customer-initiated must be restricted during peak hours, defined as 10 AM to 1 PM and 5 PM to 9:30 PM.
The balance enquiry API will be capped at 50 requests per app per customer per day starting July 31. For example, a user can check balances up to 50 times on Paytm and 50 on PhonePe daily.
Frequent users like traders may face inconvenience due to rate limits and mandatory waiting periods, according to Musharraf Hussain, COO of Ezeepay.
This is intended to ensure UPI infrastructure remains stable and available for all users.
Hussain mentioned past outages due to overload, including a 90-second delay in transaction status checks.
UPI Apps Required to Build Infrastructure to Restrict Balance Enquiries During Peak Hours
UPI apps must develop infrastructure to limit or stop balance enquiries during peak hours.
Banks are required to send the available account balance along with each successful transaction notification to reduce repeated balance check queries.
As per Pavan Kumar (Chief Product Officer, NPST), customers may not receive real-time balance updates on PSP apps, but NPCI clarified that real-time bank balances will still be available after implementation.
Autopay mandates (for SIPs, subscriptions, etc.) can only be executed during non-peak hours.
Customers may create autopay mandates anytime, but execution will be limited to non-peak times.
Only 1 attempt with 3 retries per mandate is allowed, and it must occur at moderated TPS during non-peak hours.
For the check transaction status API, the first status check must be delayed by at least 90 seconds post-transaction authentication.
Banks and PSPs may only make a maximum of three status check calls per two-hour window.
Transactions should be treated as failed for specific error codes, and repeated status checks should be avoided in such cases.
Each acquiring bank must undergo an annual system audit by CERT-In empanelled auditors, with the first audit report due by August 31, 2025.
Of the 10 APIs with new usage restrictions, only one (autopay mandate) involves financial transactions, while the remaining nine are non-financial.
Financial transactions will therefore not be significantly affected during peak hours, says Kumar.
The list account request API, which retrieves all accounts linked to a mobile number, will be limited to 25 times per app per customer per day.
This request can only be made after the customer selects their issuer bank in the app and must be retried only with customer consent.
