
The National Payments Corporation of India (NPCI) has announced a pivotal change in its Unified Payments Interface (UPI) architecture: from August 1, 2025, several key UPI APIs will be subject to usage limits. The objective is clear—enhance efficiency, preserve infrastructure integrity, and protect user trust as UPI continues to scale at breakneck speed. It is a strategic shift towards efficiency and security.
UPI, India’s flagship digital payment system, processed over 18 billion transactions worth ₹23.90 trillion in April 2025 alone. With services expanding into credit on UPI, international remittances, and recurring payments, the demand on backend systems has never been higher. This growth has brought not only opportunities but also new challenges around system overload and API misuse.
Key API Usage Caps Introduced
1. Balance Enquiry: Capped at 50 requests per app per customer per day, preventing unnecessary app-triggered refreshes.
2. Linked Account List: Limited to 25 calls per app per user per 24 hours, streamlining account fetches.
3. Transaction Status API: First allowed 90 seconds post-authentication, with a maximum of 3 status checks in a 2-hour window, reducing backend stress from repeated queries.
4. Autopay Execution Timing: While mandate creation remains open, execution windows are restricted (10 AM–1 PM and 5 PM–9:30 PM) to smooth peak load cycles.
5. Device Binding: Hard-capped at 3 attempts per day per user, aiming to limit excessive retries often caused by poor connectivity or unauthorized device usage.
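The sketch below is an added example, not NPCI's or any PSP's code, showing how an app backend could enforce the listed caps before a request leaves for the UPI switch. It assumes rolling windows (the article does not say whether "per day" means a calendar day), counts status checks per transaction, and uses hypothetical API labels and class names.

```python
from collections import defaultdict, deque

DAY = 24 * 3600
# (max calls, window in seconds) per API, taken from the caps listed above.
# The keys are hypothetical labels, not NPCI API names.
CAPS = {
    "balance_enquiry": (50, DAY),
    "list_accounts": (25, DAY),
    "device_binding": (3, DAY),
}
STATUS_FIRST_DELAY = 90          # seconds after authentication
STATUS_CAP = (3, 2 * 3600)       # 3 checks per 2-hour window


class UpiCapLimiter:
    """Sliding-window limiter; the caller passes timestamps in seconds."""

    def __init__(self):
        self._calls = defaultdict(deque)   # key -> timestamps of allowed calls

    def _allow(self, key, limit, window, now):
        calls = self._calls[key]
        while calls and now - calls[0] >= window:   # drop expired entries
            calls.popleft()
        if len(calls) >= limit:
            return False                   # denied calls are not recorded
        calls.append(now)
        return True

    def allow(self, api, app_id, customer_id, now):
        """Per-app, per-customer cap for the APIs in CAPS."""
        limit, window = CAPS[api]
        return self._allow((api, app_id, customer_id), limit, window, now)

    def allow_status_check(self, txn_id, auth_time, now):
        """Status check: not before 90 s after auth, then 3 per 2 hours."""
        if now - auth_time < STATUS_FIRST_DELAY:
            return False
        limit, window = STATUS_CAP
        return self._allow(("txn_status", txn_id), limit, window, now)
```

A denied call should surface to the user as a cached value or a "try later" message rather than trigger an automatic retry, since retries are what the caps are meant to suppress.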
These restrictions are a result of extensive backend data analysis. Many third-party apps were found triggering APIs in excess—for instance, balance enquiries were being initiated passively and frequently without user action, just to show “live” balances. Similarly, device binding APIs were frequently abused during repeated failed login attempts, adding stress to already strained systems.
Such overuse not only reduces performance during high-volume periods (like festivals or salary disbursements) but also opens the door to potential misuse via bots or brute-force attempts. NPCI's move is both a performance safeguard and a risk-mitigation strategy.
1. System Reliability: By filtering out non-critical API noise, backend systems will perform better under pressure—minimizing downtime during critical transaction windows.
2. Security Hardening: Capping sensitive endpoints like Device Binding and Status Check reduces exposure to automated attacks, helping protect user credentials and linked bank accounts.
3. Encouraging Responsible Development: App developers will now need to be more strategic in API use, embedding smarter triggers rather than redundant or automated polling.
4. Improved User Trust: While some users might initially notice small inconveniences (e.g., delay in balance updates), the long-term payoff is smoother, more secure UPI operations.
NPCI has laid down clear expectations:
- All stakeholders (banks, PSPs, and TPAPs) must submit compliance undertakings by August 31, 2025.
- An annual audit from a CERT-In empanelled cybersecurity firm is mandatory, to validate implementation and adherence.
This move is not a reactive measure—it’s a forward-looking strategy designed to future-proof the UPI ecosystem. With new launches like UPI credit rails, global interoperability pilots, and enhanced merchant services underway, maintaining infrastructure resilience is essential.
The real merit of these caps lies in their granularity and intent—they avoid blanket restrictions while nudging developers and service providers towards optimization, efficiency, and safety.
NPCI’s decision to regulate UPI API usage is a prudent and necessary step for the maturity of India's digital payments ecosystem. By prioritizing backend integrity, user security, and operational efficiency, the move ensures that UPI will not only scale, but scale sustainably—balancing innovation with accountability.