> ## Documentation Index
> Fetch the complete documentation index at: https://docs.payglocal.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorize Payment (Auth Only)

> Authorize a hosted PayCollect payment without capturing funds — captureTxn false, then capture or reverse later. No card data in your request.

<span className="payments-v2-page hidden" aria-hidden="true" />

## Authorize payment (auth only)

Authorize a PayCollect payment **without capturing funds immediately**. This flow places a **hold** on the customer's funds so you can **capture** or **reverse** the authorization later.

The customer completes authentication on PayGlocal's **hosted checkout** (`redirectUrl`). You do **not** send card or token data in the API request.

The same PayCollect initiate API as [GPI](/api-reference/payments-v2/paycollect/gpi) is used for authorization. Set **`captureTxn`** to **`false`** in **Request body**.

***

## When to Use

Use this flow when you need to **verify and reserve funds** before completing the transaction, such as:

* Hotel and hospitality bookings
* Vehicle rentals
* Delayed order fulfillment
* Inventory confirmation workflows
* Any scenario requiring payment approval before final settlement

After authorization, you can:

* **Capture** the authorized amount to complete the payment — [standalone capture](/api-reference/payment/standalone-capture)
* **Reverse** the authorization to release the held funds — [auth reversal](/api-reference/payment/standalone-reversal)

***

## Supported payment methods

Authorize (auth only) on hosted checkout supports **cards** and **international Apple Pay** only. **UPI and net banking are not supported** for auth transactions (they are available on [GPI](/api-reference/payments-v2/paycollect/gpi) sale flows).

| Method    | Domestic | International |
| --------- | :------: | :-----------: |
| Cards     |     ✓    |       ✓       |
| Apple Pay |     —    |       ✓       |

***

## Notes

* Do **not** send **`cardData`** or **`tokenData`** — payment details are collected on the hosted page.
* Set **`captureTxn`** to **`false`** in **Request body**, with `paymentData` (amount, currency, `billingData`) as for [GPI](/api-reference/payments-v2/paycollect/gpi).

***

## API

|                |                                                                   |
| -------------- | ----------------------------------------------------------------- |
| **Method**     | `POST`                                                            |
| **Path**       | `/gl/v1/payments/initiate/paycollect`                             |
| **Production** | `https://api.payglocal.in/gl/v1/payments/initiate/paycollect`     |
| **Sandbox**    | `https://api.uat.payglocal.in/gl/v1/payments/initiate/paycollect` |

<Info>
  GPI, on-demand SI, auto-debit, and authorize all call this path. Only the JSON request body differs.
</Info>

***

## Headers

| Header                | Mandatory | Description                                                                             |
| --------------------- | --------- | --------------------------------------------------------------------------------------- |
| `Content-Type`        | Yes       | `application/json`                                                                      |
| `x-gl-token-external` | Yes       | RSA-signed **JWS** of the request body (see [Key Management](/key-management/overview)) |
| `x-gl-merchantid`     | Yes       | Your PayGlocal merchant ID (MID)                                                        |
| `x-gl-kid`            | Yes       | Key ID of the private key used to sign the JWS                                          |

Sign the JSON from **Request body** below as the JWS in `x-gl-token-external`, then POST to the URL above.

<Warning>
  Only **one** successful capture is allowed per authorisation.
</Warning>

<div id="next-actions" className="payments-v2-after-api">
  ## Next steps

  | Action       | API                                                                                                                    |
  | ------------ | ---------------------------------------------------------------------------------------------------------------------- |
  | Capture      | [POST /payments/{gid}/capture](/api-reference/payment/standalone-capture)                                              |
  | Reverse hold | [POST /payments/{gid}/auth-reversal](/api-reference/payment/standalone-reversal)                                       |
  | Status       | [Get transaction status](/api-reference/payments-v2/common/get-transaction-status) — expect `AUTHORIZED` until capture |
  | Refund       | After `SENT_FOR_CAPTURE` — [Refund](/api-reference/payment/refund)                                                     |
</div>


## OpenAPI

````yaml openapi-v2-paycollect-auth.yaml POST /gl/v1/payments/initiate/paycollect
openapi: 3.0.3
info:
  title: PayCollect initiate — authorize (Payments V2)
  version: 1.0.0
  description: >-
    Payments V2 documentation slice. Production calls use `POST
    /gl/v1/payments/initiate/paycollect`.
servers:
  - url: https://api.payglocal.in
    description: Production
  - url: https://api.uat.payglocal.in
    description: Sandbox
security: []
paths:
  /gl/v1/payments/initiate/paycollect:
    post:
      tags:
        - Payment
      summary: PayCollect authorize payment — auth only (request body)
      description: >
        **Endpoint:** `POST /gl/v1/payments/initiate/paycollect` — same URL for
        GPI, on-demand SI, auto-debit, and authorize; only the request body
        differs.


        Hosted checkout — authorize without capture. Set `captureTxn: false`. No
        `cardData`, `tokenData`, or `standingInstruction`.

        **Cards and international Apple Pay only** — UPI and net banking are not
        supported for auth.
      operationId: paycollectInitiateAuth
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TransactionRequestPayCollectAuth'
            examples:
              auth_only:
                summary: Auth-only
                value:
                  merchantTxnId: 23AEE8CB6B62EE2AF07
                  merchantUniqueId: IFNN939494NJFJ
                  captureTxn: false
                  paymentData:
                    totalAmount: '10.00'
                    txnCurrency: INR
                    billingData:
                      firstName: John
                      lastName: Doe
                      addressStreet1: 221B Baker Street
                      addressCity: Bengaluru
                      addressCountry: IND
                      emailId: john.doe@example.com
                      callingCode: '+91'
                      phoneNumber: '9999999999'
                  merchantCallbackURL: >-
                    https://api.prod.payglocal.in/gl/v1/payments/merchantCallback
      responses:
        '200':
          description: >
            Returned immediately from initiate. Redirect the customer to
            `data.redirectUrl`, then poll `data.statusUrl` or [Get Transaction
            Status](/api-reference/payments-v2/common/get-transaction-status).
            Expect `AUTHORIZED` until you capture. **No `mandateId`** in `data`.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponsePayCollectInitiate'
              example:
                gid: gl_o-a057c4d6b6c620741apzp0ZX2
                status: INPROGRESS
                message: Transaction Created Successfully
                timestamp: 02/06/2026 21:47:33
                reasonCode: '200'
                data:
                  redirectUrl: >-
                    https://api.uat.payglocal.in/gl/payflow-ui/?x-gl-token=example
                  statusUrl: >-
                    https://api.uat.payglocal.in/gl/v1/payments/gl_o-a057c4d6b6c620741apzp0ZX2/status?x-gl-token=example
                  merchantTxnId: 23AEE8CB6B62EE2AF07
                errors: null
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      security:
        - JwsTokenAuth: []
components:
  schemas:
    TransactionRequestPayCollectAuth:
      allOf:
        - $ref: '#/components/schemas/PayCollectInitiateFieldsSI'
        - type: object
          description: >
            PayCollect auth-only initiate (`captureTxn` must be `false`).

            Do **not** send `cardData`, `tokenData`, or `standingInstruction` in
            the request body.

            Hosted checkout for auth supports **cards** and **international
            Apple Pay** only — **not** UPI or net banking.
          required:
            - merchantTxnId
            - paymentData
            - merchantCallbackURL
            - captureTxn
          properties:
            paymentData:
              $ref: '#/components/schemas/PaymentPayCollectInitiateHostedSI'
            captureTxn:
              type: boolean
              description: Must be `false` for authorise-only.
              enum:
                - false
    ApiResponsePayCollectInitiate:
      type: object
      description: Response envelope for PayCollect initiate (`200`).
      properties:
        gid:
          type: string
          description: PayGlocal transaction ID. Use for status, capture, and refund APIs.
          example: gl_9c2645ed09edb22e
        status:
          type: string
          description: >-
            High-level status. Typically `INPROGRESS` immediately after
            initiate.
          example: INPROGRESS
        message:
          type: string
          description: Human-readable status message.
          example: Transaction Created Successfully
        timestamp:
          type: string
          description: Response timestamp (`DD/MM/YYYY HH:MM:SS`).
          example: 02/06/2026 21:47:33
        reasonCode:
          type: string
          description: >-
            Success code on initiate (e.g. `200`). See `4xx` responses for error
            codes.
          example: '200'
        data:
          $ref: '#/components/schemas/InitiateResponseDataPayCollect'
        errors:
          type: object
          nullable: true
          description: '`null` on success.'
          additionalProperties:
            type: string
    PayCollectInitiateFieldsSI:
      type: object
      properties:
        merchantTxnId:
          type: string
          description: Merchant's unique transaction identifier. Alphanumeric only.
          minLength: 4
          maxLength: 50
          example: 23AEE8CB6B62EE2AF07
        merchantUniqueId:
          type: string
          description: >-
            Optional stable merchant-side ID for idempotency and reconciliation.
            Alphanumeric only.
          minLength: 15
          maxLength: 40
          example: IFNN939494NJFJ
        riskData:
          allOf:
            - $ref: '#/components/schemas/Risk'
          description: Recommended for fraud checks and processor compliance.
        merchantCallbackURL:
          type: string
          format: uri
          description: Customers are redirected here post payment completion.
          example: https://api.prod.payglocal.in/gl/v1/payments/merchantCallback
    PaymentPayCollectInitiateHostedSI:
      type: object
      description: >
        Hosted checkout payment details for PayCollect standing instruction
        registration.

        Do **not** send `cardData`, `tokenData`, or `authenticationData` — the
        customer registers the mandate on `redirectUrl`.
      required:
        - totalAmount
        - txnCurrency
      properties:
        totalAmount:
          type: string
          description: >-
            Transaction amount as a decimal string. Supports up to 4 decimal
            places.
          example: '10.00'
        txnCurrency:
          type: string
          description: >-
            ISO 4217 currency code. Must be uppercase (e.g. `INR`, `USD`,
            `EUR`).
          example: INR
        billingData:
          allOf:
            - $ref: '#/components/schemas/Billing'
          description: >
            Cardholder billing address. Required for digital product / service
            transactions

            and flight bookings. Preferred for all other transaction types.
    InitiateResponseDataPayCollect:
      type: object
      properties:
        redirectUrl:
          type: string
          format: uri
          description: >-
            Hosted checkout URL — redirect the customer's browser here via
            **HTTP GET** to complete payment.
          example: https://api.uat.payglocal.in/gl/payflow-ui/?x-gl-token=example
        statusUrl:
          type: string
          format: uri
          description: >-
            Pre-authenticated URL to poll status after the customer completes
            payment.
          example: >-
            https://api.uat.payglocal.in/gl/v1/payments/gl_9c2645ed09edb22e/status?x-gl-token=example
        merchantTxnId:
          type: string
          description: Echo of `merchantTxnId` from the initiate request body.
          example: order_1712345678
    CommonErrorResponse:
      type: object
      properties:
        gid:
          type: string
          example: gl_9c2645ed09edb22e
        timestamp:
          type: string
          example: 10/01/2026 15:00:00
        reasonCode:
          type: string
          example: VALIDATION_ERROR
        data:
          type: object
        errors:
          type: object
        errorDetails:
          type: array
          items:
            $ref: '#/components/schemas/ErrorDetail'
    Risk:
      type: object
      description: Risk & analytics payload forwarded to fraud engines.
      properties:
        customerData:
          $ref: '#/components/schemas/Customer'
        shippingData:
          $ref: '#/components/schemas/Shipping'
        orderData:
          type: array
          items:
            $ref: '#/components/schemas/RiskItem'
    Billing:
      type: object
      description: Billing address + contact details of the payer.
      properties:
        firstName:
          type: string
          example: John
        lastName:
          type: string
          example: Doe
        emailId:
          type: string
          format: email
          example: john.doe@example.com
        callingCode:
          type: string
          example: '+91'
        phoneNumber:
          type: string
          example: '9999999999'
        addressStreet1:
          type: string
          example: 221B Baker Street
        addressStreet2:
          type: string
        addressCity:
          type: string
          example: Bengaluru
        addressState:
          type: string
          example: Karnataka
        addressStateCode:
          type: string
          example: KA
        addressPostalCode:
          type: string
          example: '560001'
        addressCountry:
          type: string
          description: ISO 3166-1 alpha-3 country code.
          example: IND
    ErrorDetail:
      type: object
      properties:
        field:
          type: string
          description: Name of the field that failed validation.
          example: panNumber
        message:
          type: string
          description: Human-readable error message.
          example: Required field is missing
    Customer:
      type: object
      description: Payer identity for risk evaluation.
      properties:
        merchantAssignedCustomerId:
          type: string
          example: cust_12345
        firstName:
          type: string
        lastName:
          type: string
        emailId:
          type: string
          format: email
        callingCode:
          type: string
        mobileNumber:
          type: string
    Shipping:
      type: object
      description: Shipping address for physical-goods orders.
      properties:
        firstName:
          type: string
        lastName:
          type: string
        emailId:
          type: string
          format: email
        addressStreet1:
          type: string
        addressStreet2:
          type: string
        addressCity:
          type: string
        addressState:
          type: string
        addressPostalCode:
          type: string
        addressCountry:
          type: string
          example: IND
    RiskItem:
      type: object
      description: Single line-item in the cart for risk analytics.
      properties:
        itemId:
          type: string
        itemName:
          type: string
        itemQuantity:
          type: integer
        itemPrice:
          type: string
        itemCategory:
          type: string
  responses:
    BadRequest:
      description: Validation error — missing or invalid fields.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CommonErrorResponse'
          examples:
            validationError:
              summary: Validation error example
              value:
                gid: gl_9c2645ed09edb22e
                timestamp: 10/01/2026 15:00:00
                reasonCode: VALIDATION_ERROR
                data: {}
                errors: null
                errorDetails:
                  - fieldName: paymentData.totalAmount
                    message: This field is required
    Unauthorized:
      description: Authentication failed — invalid API key or digest.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CommonErrorResponse'
          examples:
            unauthorizedError:
              summary: Unauthorized error example
              value:
                gid: gl_9c2645ed09edb22e
                timestamp: 10/01/2026 15:00:00
                reasonCode: UNAUTHORIZED
                data: {}
                errors: null
                errorDetails:
                  - fieldName: authorization
                    message: Invalid x-gl-token-external
  securitySchemes:
    JwsTokenAuth:
      type: apiKey
      in: header
      name: x-gl-token-external
      description: >
        RSA-signed JWS (JSON Web Signature) token carrying the request payload.

        - Header: `{ "alg": "RS256", "kid": "<merchant-key-id>", "iss":
        "<merchant-id>", "x-gl-enc": "false", "is-digested": "true" }`

        - Payload: the exact JSON body sent in the request (or its SHA-256
        digest when `is-digested=true`).

        - Signed with the merchant's RSA private key; PayGlocal verifies with
        the matching public key.

        Used by all `/gl/v1/payments/*` endpoints.

````