UPI QR Codes in India: NPCI Specification Guide 2026

India processes more UPI payments in a single month than the rest of the world combined processes in a year. The rails for that are QR codes. A kirana store in Bhopal, a Zomato delivery rider in Bengaluru, and a temple donation box in Kerala all share the same upi://pay deep link format maintained by NPCI (the National Payments Corporation of India). This guide explains the payload byte by byte, shows how UPI 2.0 signed QR codes prevent a specific fraud pattern, and documents where Google Pay, PhonePe, and Paytm diverge in how they parse malformed inputs.

Quick answer

A UPI QR code encodes a deep link of the form upi://pay?pa=UPI_ID&pn=Payee&am=Amount&tn=Note&cu=INR. Any UPI app that registers this URI scheme (GPay, PhonePe, Paytm, Amazon Pay, BHIM) accepts the scan and prefills the transfer form. UPI 2.0 (released by NPCI in August 2018 and still current in 2026) added signed QR codes for verified merchants, which prevent QR tampering at the point of sale.

Table of contents

• UPI deep-link format, parameter by parameter
• Dynamic vs static QR codes
• UPI 2.0 signed QRs and merchant verification
• BharatQR vs UPI QR: the difference
• GST QR on invoices
• GPay, PhonePe, Paytm parser quirks
• Merchant onboarding via Razorpay and PayU
• A working valid payload
• Verifying a signed UPI QR signature
• FAQ

UPI deep-link format, parameter by parameter

The canonical UPI intent URI looks like this:

upi://pay?pa=merchant@upi&pn=Chai%20Shop&am=50.00&cu=INR&tn=Tea%20and%20samosa&tr=TXN20260415001

Every parameter value must be percent-encoded per RFC 3986. A space becomes %20, an ampersand becomes %26. UPI apps are strict about this: unencoded spaces cause GPay to show a generic "invalid UPI link" error.

Dynamic vs static QR codes

A static UPI QR code encodes the payee address and optionally nothing else. The payer types the amount after scanning. This is the most common format at kirana shops: one sticker pays unlimited transactions.

A dynamic UPI QR code includes the amount (am), transaction reference (tr), and often the transaction note (tn). This is used by point-of-sale terminals that generate a fresh QR for each customer. PhonePe for Business and Paytm for Business both generate dynamic QRs with unique tr values so that the merchant dashboard can reconcile each scan to a specific sale.

Dynamic QRs have two advantages: the customer cannot type the wrong amount, and the merchant gets clean reconciliation data. The cost is infrastructure: you need a POS device or tablet to generate each QR.

UPI 2.0 signed QRs and merchant verification

UPI 2.0, rolled out by NPCI in 2018, added cryptographic signatures to QR codes issued by verified merchants. The goal: stop the "QR swap" fraud where a malicious actor pastes their own QR over a legitimate merchant's sticker.

A signed UPI QR contains an additional sign parameter. The signature is an RSA signature over a canonical string built from the other parameters, generated using the merchant's private key. NPCI maintains a directory of public keys indexed by the merchant's acquirer bank.

On scan, compliant apps (GPay, PhonePe, Paytm as of 2023 and later) verify the signature before showing the payment screen. If the signature fails, the app displays a warning reading "This QR code may not be from a verified merchant" and asks for user confirmation.

Adoption of signed QRs has been slow. As of March 2026, RBI's Payment Systems Report estimated that roughly 18 percent of merchant QR codes in India carry a valid UPI 2.0 signature, concentrated in large retail chains.

BharatQR vs UPI QR

BharatQR is a broader interoperable QR standard launched by the Payments Council of India in 2017. It carries payloads for Visa, Mastercard, RuPay, and UPI in a single QR. When scanned by a UPI app, the app extracts the UPI payload. When scanned by a card-based wallet, the app extracts the card-rails payload.

The format is EMVCo QR Code Specification 1.1 with Indian extensions. The payload is a tag-length-value (TLV) structure, not a URL. This is why BharatQR and UPI QR look similar when printed but scan differently depending on which app the user opens.

Most small merchants stick with plain UPI QR because BharatQR requires EMV parsing support and costs more to generate. Large retail (D-Mart, Reliance Retail, Big Bazaar) prefers BharatQR for card-rail flexibility.

GST QR on invoices

From October 2020, Indian B2B invoices above Rs 500 crore annual turnover must carry a GST QR code. The format is defined by the Central Board of Indirect Taxes and Customs (CBIC) and contains a signed JSON payload with the invoice reference number (IRN), supplier GSTIN, recipient GSTIN, invoice number, and a digital signature from the Invoice Registration Portal (IRP).

This is not a UPI payment QR. The GST QR is a tax compliance artifact that a GST officer or buyer can scan to verify the invoice with the IRP. From April 2026, the threshold was lowered to Rs 20 crore, bringing another 180,000 businesses into scope per the CBIC March 2026 notification.

GPay, PhonePe, Paytm parser quirks

Google Pay

Google Pay has the strictest parser of the three. It rejects UPI URIs with:

• Unencoded spaces in pn or tn
• Amounts with more than two decimal places
• cu values other than INR
• am values above Rs 1 lakh (the per-transaction UPI P2P ceiling) without the proper merchant flag

GPay also uppercases the currency code silently, so cu=inr becomes INR before validation.

PhonePe

PhonePe is the most forgiving. It accepts unencoded spaces, tolerates missing cu, and silently rounds amounts to two decimals. It also supports an undocumented merchantcategory parameter used by PhonePe for Business that maps to mc in the standard format.

Paytm

Paytm sits in the middle. It requires proper encoding but tolerates missing pn (it fills in the VPA as a fallback). Paytm is the only major app that shows the transaction note prominently on the confirmation screen, so merchants who want the customer to see the item name should always include tn.

Merchant onboarding via Razorpay and PayU

For software merchants and SaaS businesses, onboarding directly with NPCI is impractical. Instead, payment aggregators like Razorpay, PayU, Cashfree, and Juspay act as PA (payment aggregator) intermediaries.

The aggregator handles:

• KYC and merchant bank account verification
• Settlement to the merchant's bank account, typically T+1 or T+2
• QR generation API, returning a PNG or SVG given an order ID
• Webhook callbacks on successful payment
• Dashboard reconciliation

Razorpay's QR API returns a dynamic UPI QR with the amount and a unique tr value. The webhook fires within 3 to 8 seconds of a successful payment, faster than card settlement.

A working valid payload

Here is a complete UPI QR payload for a Rs 149 chai order at a fictional merchant:

upi://pay?pa=chaistop@okhdfcbank&pn=Chai%20Stop%20Pvt%20Ltd&am=149.00&cu=INR&tn=Order%20%2312345&tr=CHAI20260415T0715Z001&mc=5814

Decoded:

• Payee address: chaistop@okhdfcbank (HDFC Bank VPA)
• Payee name: Chai Stop Pvt Ltd
• Amount: Rs 149.00
• Currency: INR
• Transaction note: Order #12345
• Transaction reference: CHAI20260415T0715Z001
• MCC: 5814 (fast food restaurant)

Rendered at ECC level M in a version 8 QR code (49 by 49 modules), this prints cleanly at 4 cm square and scans from 25 cm on any phone released in the last five years.

Verifying a signed UPI QR signature

For merchants and auditors who want to verify a signed QR before accepting it, the process is:

1. Parse the URI, extract the sign parameter and base64-decode it.
2. Build the canonical signing string by concatenating the other parameters in the order defined by NPCI UPI Specification 2.0, section 6.4.
3. Fetch the merchant's public key from the NPCI directory API (authorized access, bank-issued credentials).
4. Run RSA-SHA256 verification over the canonical string and the decoded signature.
5. If verification fails, reject the QR.

NPCI does not publish a client library for this. Each bank provides its own SDK to member PAs, so signature verification is usually handled inside the PA's backend, not the consumer app.

Payload size and printability

A minimal static UPI QR (just pa and pn) is about 45 bytes, which fits in a version 3 QR code at ECC M. A full dynamic UPI QR with all parameters and a signature runs 250 to 400 bytes, pushing the code to version 12 or so. Print at 5 cm square minimum for reliable scanning.

FAQ

Can I use a UPI QR internationally?

UPI operates in India and a growing list of partner countries (UAE, Nepal, Bhutan, Singapore, France, Sri Lanka as of 2025). Foreign partners accept UPI via bilateral NPCI International arrangements. A standard upi://pay QR works in India and partner corridors only.

What is the per-transaction UPI limit?

Rs 1 lakh (Rs 100,000) for P2P transfers. Some merchant categories have higher limits: insurance premiums up to Rs 5 lakh, tax payments up to Rs 5 lakh, capital markets up to Rs 5 lakh per NPCI circular OC/166 from 2023.

Do I need a merchant account to accept UPI?

No for informal payments (kirana shops, chai stalls). Yes for GST-registered businesses that need tax invoices. Most merchants use a payment aggregator (Razorpay, PayU) to get invoice-ready UPI acceptance.

Why do some UPI QR codes have a visible logo?

UPI 2.0 signed QRs often show the PSP (payment service provider) logo in the center. This is a trust signal, not a requirement. The logo sits inside the 25 to 30 percent data region that ECC H can tolerate.

Can I encode a recurring payment?

UPI Autopay uses a separate mandate flow, not a QR code. The QR initiates the mandate setup; the actual debits happen via server-side API calls between the merchant and the sponsor bank.

Sources

• NPCI UPI Specification 2.0 (August 2018, amendments through 2025)
• RBI Payment Systems Report 2025
• CBIC Invoice Registration Portal documentation (2026 update)
• Razorpay UPI API documentation, accessed April 2026
• NPCI Quarterly Transaction Report, March 2026

Use QRCrack's UPI QR generator to build a compliant UPI payment QR with VPA validation, amount preview, and INR currency locking. Free, no signup, no merchant account needed for static QRs.

_By the QRCrack engineering team. Published April 15, 2026. Last verified 2026-04-15._