API Documentation

All write/verify APIs use HMAC SHA256 authentication.

Signature

signature_payload = x-timestamp + "." + raw_json_body
x-signature = hash_hmac("sha256", signature_payload, API_SECRET)

Reject requests where x-timestamp is older than 5 minutes.

Create Order

POST https://mama567matka.com/api/create-order.phpHeaders:
x-key-id: YOUR_KEY_ID
x-timestamp: 1710000000
x-signature: HEX_HMAC_SHA256

{
  "order_id": "MERCHANT_ORDER_123",
  "amount": 100,
  "customer_name": "Demo User",
  "customer_mobile": "9999999999",
  "return_url": "https://merchant.com/return",
  "webhook_url": "https://merchant.com/webhook"
}

Verify Order

POST https://mama567matka.com/api/verify-order.php{
  "gateway_order_id": "ORD202606..."
}

Webhook Payload

{
  "event": "payment.success",
  "gateway_order_id": "ORD...",
  "merchant_order_id": "MERCHANT_ORDER_123",
  "amount": 100,
  "status": "success",
  "utr": "123456789012",
  "paid_at": "2026-06-02 14:10:00",
  "source": "gmail_paytm_notification"
}

PHP Sample

$keyId = 'YOUR_KEY_ID';
$secret = 'YOUR_SECRET';
$body = json_encode(['order_id'=>'ORDER123','amount'=>100]);
$timestamp = time();
$signature = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
$ch = curl_init('https://mama567matka.com/api/create-order.php');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_POSTFIELDS => $body,
  CURLOPT_HTTPHEADER => [
    'Content-Type: application/json',
    'x-key-id: ' . $keyId,
    'x-timestamp: ' . $timestamp,
    'x-signature: ' . $signature,
  ],
]);
$response = curl_exec($ch);