These APIs are intended for ONDC Buyer Applications to discover gift card catalogues, retrieve product details, generate quotes, place orders, and track order status throughout the purchase lifecycle.
Reference implementations to help you integrate ONDC Buyer App APIs, including relay server setup and encryption/decryption utilities.
This sample demonstrates a lightweight relay server that forwards requests to ONDC BAP endpoints with the required authentication headers.
```javascript
import express from "express"

const app = express()
const port = 3000

// Base URL of the ONDC BAP catalogue APIs
const bapRelayBase = "{{base_url}}/catalogue"

// API Key provided for ONDC authentication
const API_KEY = "API_KEY"

app.use(express.json())

/**
 * Generic relay handler
 * Example:
 * GET /search -> /catalogue/search
 * POST /search -> /catalogue/search
 */
app.use("/:action", async (req, res) => {
  // Accept only a plain action name so the relayed request, which carries
  // the API key, always stays under /catalogue (no "..", "/" or query text)
  const action = req.params.action
  if (!/^[A-Za-z0-9_-]+$/.test(action)) {
    res.status(400).json({ error: true, message: "Invalid action" })
    return
  }

  try {
    const relayResponse = await fetch(`${bapRelayBase}/${action}`, {
      method: req.method,
      headers: {
        "Content-Type": "application/json",
        "X-API-KEY": API_KEY,
      },
      // GET requests carry no body
      body: req.method !== "GET" ? JSON.stringify(req.body) : undefined,
    })

    // Pass the upstream status and body back to the caller unchanged
    const contentType = relayResponse.headers.get("content-type")
    if (contentType && contentType.includes("application/json")) {
      const json = await relayResponse.json()
      res.status(relayResponse.status).json(json)
    } else {
      const text = await relayResponse.text()
      res.status(relayResponse.status).send(text)
    }
  } catch (error) {
    // Do not leak upstream error details to the caller
    res.status(500).json({
      error: true,
      message: "Relay server error",
    })
  }
})

app.listen(port, () => {
  console.log(`ONDC relay server running on port ${port}`)
})
```
ONDC responses are encrypted using AES-256-CBC. Use the following utility functions to encrypt outgoing data and decrypt API responses.
```typescript
import crypto from "crypto"

interface TransactionData {
  transactionId: string
  companyOrderId: string
}

/**
 * Decrypt encrypted ONDC responses
 */
export function decryptResponse(
  encryptedData: string,
  iv: string,
  key: Buffer
) {
  const decipher = crypto.createDecipheriv(
    "aes-256-cbc",
    key,
    Buffer.from(iv, "hex")
  )
  let decrypted = decipher.update(encryptedData, "base64", "utf8")
  decrypted += decipher.final("utf8")
  return JSON.parse(decrypted)
}

/**
 * Encrypt request payload before sending to ONDC
 */
export function encryptRequest(
  data: TransactionData,
  key: Buffer,
  iv: Buffer
) {
  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv)
  const jsonData = JSON.stringify(data)
  let encrypted = cipher.update(jsonData, "utf8", "base64")
  encrypted += cipher.final("base64")
  return encrypted
}
```
Ensure API keys and encryption keys are securely stored and never exposed in client-side applications. Always encrypt sensitive payloads and validate incoming data to prevent unauthorized access.
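The following is an added example, not part of the original reference implementation: it shows one way to apply the "validate incoming data" advice to the AES-256-CBC utilities above, with a fresh random IV per message and a decrypt path that checks the result before trusting it. The names `Envelope`, `sealPayload`, `openEnvelope` and `checkKey`, and the envelope layout (hex IV plus base64 ciphertext, mirroring the encodings `decryptResponse` expects), are assumptions. CBC on its own does not detect modification, so the shape check on the decrypted JSON is what rejects altered or corrupted input here.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto"

interface TransactionData {
  transactionId: string
  companyOrderId: string
}

// Assumed envelope layout: IV as 32 hex characters, ciphertext as base64.
interface Envelope { iv: string; data: string }

function checkKey(key: Buffer): void {
  if (key.length !== 32) throw new Error("AES-256 key must be 32 bytes")
}

// Encrypt with a new random 16-byte IV for every message; the IV is not secret.
export function sealPayload(data: TransactionData, key: Buffer): Envelope {
  checkKey(key)
  const iv = randomBytes(16)
  const cipher = createCipheriv("aes-256-cbc", key, iv)
  const body = cipher.update(JSON.stringify(data), "utf8", "base64") + cipher.final("base64")
  return { iv: iv.toString("hex"), data: body }
}

// Returns the payload, or null if the envelope is malformed, fails to decrypt, or has the wrong shape.
export function openEnvelope(env: Envelope, key: Buffer): TransactionData | null {
  checkKey(key)
  if (!/^[0-9a-f]{32}$/i.test(env.iv)) return null
  try {
    const decipher = createDecipheriv("aes-256-cbc", key, Buffer.from(env.iv, "hex"))
    const text = decipher.update(env.data, "base64", "utf8") + decipher.final("utf8")
    const obj: unknown = JSON.parse(text)
    if (typeof obj !== "object" || obj === null) return null
    const rec = obj as Record<string, unknown>
    const tid = rec["transactionId"]
    const oid = rec["companyOrderId"]
    if (typeof tid !== "string" || typeof oid !== "string") return null
    return { transactionId: tid, companyOrderId: oid }
  } catch {
    return null // bad padding (wrong key or corrupted data) or invalid JSON
  }
}

// Constructed sample values, for illustration only.
const demoKey = randomBytes(32)
const demoEnv = sealPayload({ transactionId: "txn-demo-001", companyOrderId: "order-demo-001" }, demoKey)
console.log(openEnvelope(demoEnv, demoKey))
```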
For assistance during integration, contact help@meribachat.in.