Authorize API

PayHere Authorize API allows you to get your customer authorization for Hold on Card payments. It's a simple HTML form based POST API to redirect your customer to PayHere Payment Gateway to securely authorize Hold on Card payments.

Once the payment is authorized, it notifies your given URL (notify_url) about the authorization status & an authorization token for the particular payment by a server callback. You can fetch that authorization token from the notification & store it in your database securely to programmatically capture the authorized or lesser amount later via PayHere Capture API.


You need the following things ready to integrate your website with PayHere Authorize API.

  • Merchant ID
    • You can find your Merchant ID from Side Menu > Integrations of your PayHere Account.
  • Merchant Secret
    • You can generate a Merchant Secret for your domain/app by following below steps.
      1. Go to Side Menu > Integrations section of your PayHere Account
      2. Click 'Add Domain/App' > Enter your top level domain or App package name > Click 'Request to Allow'
      3. Wait for the approval for your domain/app (This will take up to 24 hours)
      4. Copy the Merchant Secret shown in front of your domain/app

Attention: Please note that Merchant ID is unique to your PayHere account, but Merchant Secret is specific to your integrating domain/app. Therefore, you need to add your new domains/apps & get a new Merchant Secret every time you're integrating PayHere on a new domain/app.


You need to complete the following 3 steps in order to fully integrate your website with PayHere Authorize API.

1. Redirecting Customer to PayHere Payment Gateway

Regardless of your scripting language, you can simply use an HTML Form to submit the below POST params to PayHere Payment Gateway. When the form is submitted, your customer will be securely redirected to the PayHere Payment Gateway & the customer can then enter the credentials (Card No / CVV) & securely process the authorization there.

Action URL
Live    -
Sandbox -

Required POST Parameters
  • merchant_id - PayHere Merchant ID
  • return_url - URL to redirect users when success
  • cancel_url - URL to redirect users when cancelled
  • notify_url - URL to callback the status of the authorization (Needs to be a URL accessible on a public IP/domain)
  • first_name - Customer’s First Name
  • last_name - Customer’s Last Name
  • email - Customer’s Email
  • phone - Customer’s Phone No
  • address - Customer’s Address Line1 + Line2
  • city - Customer’s City
  • country - Customer’s Country
  • order_id - Order ID generated by the merchant
  • items - Item title or Order number
  • currency - Currency Code (LKR/USD)
  • amount - Total Payment Amount
  • hash - Generated hash value as mentioned below (*Required from 2023-01-16)

Generating 'hash' Value

You can generate the hash value using the merchant_id, order_id, amount, currency and the merchant_secret.

hash = to_upper_case(md5(merchant_id + order_id + amount + currency + to_upper_case(md5(merchant_secret))))

PHP Code sample for generating hash value:

$hash = strtoupper(
        $merchant_id . 
        $order_id . 
        number_format($amount, 2, '.', '') . 
        $currency .  

Attention: Please note that the hash parameter should not be generated in client-side since it will expose your merchant_secret.

Optional POST Parameters
  • platform - Referring Platform
  • custom_1 - Custom param 1 set by merchant
  • custom_2 - Custom param 2 set by merchant

Code Sample
<form method="post" action="">   
    <input type="hidden" name="merchant_id" value="121XXXX">    <!-- Replace your Merchant ID -->
    <input type="hidden" name="return_url" value="">
    <input type="hidden" name="cancel_url" value="">
    <input type="hidden" name="notify_url" value="">  
    <input type="text" name="order_id" value="Order12345">
    <input type="text" name="items" value="Toy car"><br>
    <input type="text" name="currency" value="LKR">
    <input type="text" name="amount" value="1000">  
    <br><br>Customer Details<br>
    <input type="text" name="first_name" value="Saman">
    <input type="text" name="last_name" value="Perera"><br>
    <input type="text" name="email" value="[email protected]">
    <input type="text" name="phone" value="0771234567"><br>
    <input type="text" name="address" value="No.1, Galle Road">
    <input type="text" name="city" value="Colombo">
    <input type="hidden" name="country" value="Sri Lanka">
    <input type="hidden" name="hash" value="098F6BCD4621D373CADE4E832627B4F6">    <!-- Replace with generated hash -->
    <input type="submit" value="Authorize">   

2. Listening to Authorization Notification

As soon as the authorization is processed, PayHere notifies the authorization status to the notify_url you posted to the Authorize API as a server callback & redirects the customer back to your website to the return_url. Authorization notification will contain the following data as POST params, so you need to host a script on your notify_url to fetch the following POST params & update your database accordingly.

POST params
  • merchant_id - PayHere Merchant ID of the merchant
  • order_id - Order ID sent by Merchant
  • payhere_amount - Total Amount of the payment
  • payhere_currency - Currency code of the payment (LKR/USD)
  • status_code - Payment status code (3, 0, -1, -2)
  • md5sig - Encrypted signature to verify the payment
  • status_message - Message received from payment gateway which the customer tried to pay
  • authorization_token - Authorization token for the order
  • custom_1 - Custom param 1 sent by merchant to Checkout page
  • custom_2 - Custom param 2 sent by merchant to Checkout page
  • method - Payment method selected by the customer. (VISA, MASTER)
  • card_holder_name - Card Holder Name
  • card_no - Masked card number (Ex: ************4564)
  • card_expiry - Card expiry in format MMYY (Ex: 0122)

Authorization Status Codes

  • 3 - authorization success
  • 0 - pending
  • -1 - canceled
  • -2 - failed

Please note that;

  • You cannot test the authorization notification by print/echo methods since notify_url never loads to the browser as it's a server callback. You can only test it by updating your database upon fetching the notification.
  • You cannot test the authorization notification on localhost. You need to submit a publicly accessible IP or domain based URL as your notify_url for PayHere to directly notify your server.
  • No payment status parameters are passed to the return_url when redirecting the customer back to your website. You need to update your database upon fetching payment status by your script on notify_url & then show the authorization status to your customer in the page on return_url by fetching the status from your database.
  • The request parameters are encoded in the 'application/x-www-form-urlencoded' format, not 'application/json'.

3. Verifying the Authorization Notification

It is critical to verify the Authorization Notification before taking any actions on the authorization response. You can do the verification using the md5sig checksum parameter that is generated & sent by PayHere along with the status params according to following logic.

md5sig = strtoupper(
    md5 (
        merchant_id + 
        order_id + 
        payhere_amount + 
        payhere_currency + 
        status_code + 

Once you receive the authorization status parameters from PayHere, you can locally generate this checksum using the merchant_id, order_id, payhere_amount, payhere_currency & status_code sent by the authorization notification and the merchant_secret you have locally. Your locally generated checksum should be equal to the md5sig sent by PayHere if the authorization notification is valid.

Code Sample (PHP)

You can host this script at your notify_url.


$merchant_id           = $_POST['merchant_id'];
$order_id              = $_POST['order_id'];
$payhere_amount        = $_POST['payhere_amount'];
$payhere_currency      = $_POST['payhere_currency'];
$status_code           = $_POST['status_code'];
$md5sig                = $_POST['md5sig'];
$status_message        = $_POST['status_message'];
$authorization_token   = $_POST['authorization_token'];

$merchant_secret = 'XXXXXXXXXXXXX'; // Replace with your Merchant Secret

$local_md5sig = strtoupper(
        $merchant_id . 
        $order_id . 
        $payhere_amount . 
        $payhere_currency . 
        $status_code . 
if (($local_md5sig === $md5sig) AND ($status_code == 2) ){
    //TODO: Store the encrypted token ($authorization_token) securely in your database against your customer



  • Please make sure to consider the payment as successful only after the verfification, as it ensures that the authorization notification received to your notify_url was genuinely initiated by PayHere, not by any other party.
  • If you do not implement this verification properly, there's a security risk of a third party sending a manipulated authorization notification to your notify_url, falsly notifing that the authorization is successful.
Payment Authorize API - PayHere Knowledge Base
Still need help? Get in touch!
Last updated on 21st Jan 2023