TL;DR
To build a UPI app like Google Pay, you must:
- Become a TPAP (Third‑Party App Provider) under NPCI guidelines.
- Partner with a PSP (Payment Service Provider) bank.
- Comply with NPCI’s 2026 UPI rule changes, including API rate limits, stricter KYC, faster API response times, inactive ID cleanup, and new two‑factor authentication norms. [news.abplive.com], [oxigenwallet.com]
- Build a secure app architecture that protects user data and keeps it stored only in India, as mandated. [npifund.com]
- Ensure your app respects the 30% UPI market‑share cap applicable to TPAPs until December 31, 2026. [cnbctv18.com]
If you’re planning to create a GPay‑like UPI payment app, this guide explains the NPCI rules, technical requirements, compliance checks, and development roadmap.
⭐ Understanding the UPI Ecosystem Before You Build
To enter UPI, you must understand the mandatory roles:
▶ NPCI
NPCI owns and operates UPI and sets technical guidelines, security rules, and audit requirements. [npifund.com]
▶ PSP Bank (Your Sponsor Bank)
A UPI app cannot operate independently—you need a PSP bank to:
- Authenticate users
- Enable UPI ID creation
- Handle settlement and routing
- Store user transaction data (within India) [npifund.com]
▶ TPAP (You — the App Developer)
As a TPAP, you:
- Provide the UPI app interface
- Must follow all NPCI security, traffic, and compliance rules
- Are responsible for user safety, fraud monitoring, and timely dispute handling [npifund.com]
⚡ NPCI Rules You MUST Follow When Building a UPI App (Updated 2026)
1. Daily API Rate Limits (Effective Feb 2026)
NPCI has enforced strict limits on background API requests to reduce server strain:
- Balance check limit: Max 50 checks/day per app per user
- Linked account list fetch: Max 25 per day
- Autopay requests: Only during non‑peak hours; max 4 attempts [news.abplive.com]
These limits must be coded into your app logic.
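One way to enforce these caps on the app backend, as an added example (not code from NPCI or a PSP bank). The class name `UpiQuota`, the API labels, the midnight-IST reset, the per-mandate attempt counter and the peak-hour windows are all assumptions; the page does not define peak hours, so `PEAK_WINDOWS` is a placeholder to replace with the windows your PSP bank specifies.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Daily caps per user, taken from the limits listed above.
DAILY_LIMITS = {"balance_check": 50, "list_accounts": 25}
AUTOPAY_MAX_ATTEMPTS = 4

# ASSUMPTION: placeholder windows; the page does not say which hours are peak.
PEAK_WINDOWS = [(time(10, 0), time(13, 0)), (time(17, 0), time(21, 30))]


class UpiQuota:
    """In-memory counters; a real deployment would keep them in a shared store."""

    def __init__(self, peak_windows=PEAK_WINDOWS):
        self.peak_windows = peak_windows
        self.daily = defaultdict(int)    # (user_id, api, IST date) -> calls made
        self.autopay = defaultdict(int)  # mandate_id -> attempts made

    def allow(self, user_id, api, now):
        """Count and permit the call unless today's cap is already used up."""
        # ASSUMPTION: "per day" means the calendar day in IST.
        key = (user_id, api, now.astimezone(IST).date())
        if self.daily[key] >= DAILY_LIMITS[api]:
            return False
        self.daily[key] += 1
        return True

    def is_peak(self, now):
        t = now.astimezone(IST).time()
        return any(start <= t < end for start, end in self.peak_windows)

    def allow_autopay(self, mandate_id, now):
        """Permit an autopay attempt only off-peak and within the attempt cap."""
        # ASSUMPTION: the 4-attempt cap is tracked per mandate id.
        if self.is_peak(now) or self.autopay[mandate_id] >= AUTOPAY_MAX_ATTEMPTS:
            return False
        self.autopay[mandate_id] += 1
        return True


if __name__ == "__main__":
    quota = UpiQuota()
    noon = datetime(2026, 3, 1, 12, 0, tzinfo=IST)  # constructed timestamp
    print([quota.allow("user-1", "balance_check", noon) for _ in range(51)][-2:])
    print(quota.allow_autopay("mandate-1", noon))
```

Rejected calls should be served from a cached value or deferred rather than forwarded to the PSP bank.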
2. Faster API Response Requirements
Critical UPI APIs must respond within 10 seconds instead of 30 seconds, a major shift that affects backend architecture. [news.abplive.com]
Your app must support:
- Optimized routing
- Reduced retries
- Efficient timeout handling
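A sketch of timeout handling under the 10-second window, as an added example (not NPCI or PSP bank code): all attempts share one overall budget, so a retry never starts a fresh 10 seconds. `send` is a hypothetical callable that performs one request and raises `TimeoutError`; it is assumed to be safe to repeat. The attempt count and backoff are illustrative defaults.

```python
import time

UPI_DEADLINE_S = 10.0  # response window stated above


class DeadlineExceeded(Exception):
    """Raised when no attempt completed inside the overall budget."""


def call_within_deadline(send, budget_s=UPI_DEADLINE_S, max_attempts=2,
                         backoff_s=0.5, clock=time.monotonic, sleep=time.sleep):
    """Run send(timeout=...) with one deadline shared by every attempt.

    ASSUMPTION: send is idempotent (for example a status or balance call),
    so repeating it after a timeout cannot apply the operation twice.
    """
    deadline = clock() + budget_s
    for attempt in range(1, max_attempts + 1):
        remaining = deadline - clock()
        if remaining <= 0:
            break
        # Split what is left across the attempts still available, so the
        # first slow call cannot consume the whole window.
        per_attempt = remaining / (max_attempts - attempt + 1)
        try:
            return send(timeout=per_attempt)
        except TimeoutError:
            if attempt < max_attempts:
                # Back off briefly, but never sleep past the deadline.
                sleep(min(backoff_s, max(0.0, deadline - clock())))
    raise DeadlineExceeded(f"no response within {budget_s} s")


if __name__ == "__main__":
    # Constructed stand-in for a network call that answers immediately.
    print(call_within_deadline(lambda timeout: {"status": "SUCCESS"}))
```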
3. Automatic Deactivation of Inactive UPI IDs
If a user does not transact for 12 months, the system must disable their UPI ID to prevent risks with recycled mobile numbers. [news.abplive.com]
Your app must alert users via:
- In‑app banners
- Push notifications
4. Stricter Bank Account Linking Verification
NPCI mandates additional authentication layers when users:
- Add a new bank account
- Change devices
- Change SIM or mobile number [english.ma…ubhumi.com]
This includes deeper KYC checks and multi‑factor validation.
5. Mandatory Two‑Factor Authentication (From April 2026)
All digital payments—including UPI—require two authentication factors, with at least one dynamic factor (not static PIN alone). [oxigenwallet.com]
Apps must support:
- Biometric authentication
- Secure device binding
- Dynamic approvals
- PIN + biometric or PIN + secure token
6. 30% Market‑Share Cap for TPAPs (Until Dec 31, 2026)
NPCI limits any non‑bank UPI app to a 30% transaction share, based on 3‑month rolling averages. [cnbctv18.com]
This means:
- If your app exceeds 30%, onboarding new users may be restricted.
- Banks’ own UPI apps are exempt.
7. Compliance Audits Are Mandatory
NPCI conducts periodic audits that review:
- Security posture
- Fraud detection systems
- Transaction routing
- User data storage (must remain in India only) [npifund.com]
🏗 How to Build a UPI App Like GPay — Step‑By‑Step
Step 1: Apply to Become a TPAP
You need to apply through a PSP bank and submit:
- Security architecture
- Data storage model
- Compliance documents
- Disaster recovery plan
NPCI then reviews and approves onboarding.
Step 2: Partner With a Sponsor (PSP) Bank
This bank will:
- Create UPI handles (e.g., @yourapp)
- Manage backend settlement
- Provide dispute redressal workflow
Choose a bank with high uptime and strong UPI capabilities.
Step 3: Build the User App
Minimum Features:
- UPI ID creation
- Send/Receive money
- Scan & Pay
- Bank balance
- UPI PIN setup
- Transaction history
Add‑on Features:
- Rewards
- Offers
- Credit line via UPI (allowed from Feb 14, 2026) [news.abplive.com]
- Merchant payments
- Autopay
Step 4: Integrate With NPCI’s UPI Switch
Your PSP bank provides:
- API keys
- Routing channels
- Callback endpoints
Your job:
- Implement UPI collect, pay, mandate, account fetch, and balance APIs
- Respect rate‑limits and timeout rules
Step 5: Implement NPCI‑Required Security Standards
Your app must include:
- App integrity checks
- Device binding
- Certificate pinning
- Fraud detection engine
- Encrypted data storage
- Logging + anomaly detection
Step 6: Complete Certification & Go‑Live
NPCI tests your app for:
- Functional correctness
- Security
- Scalability
- Fraud prevention
- Compliance with new 2026 rules
After approval, the app goes live on the Play Store/App Store.
💰 How Much Does It Cost to Build a UPI App Like GPay?
A typical UPI app build involves:
| Phase | Cost (Approx) |
|---|---|
| App Development (Android + iOS) | ₹40–90 lakh |
| Backend APIs & infra | ₹20–50 lakh |
| Compliance, audits & certification | ₹15–40 lakh |
| PSP onboarding & regulatory costs | ₹10–25 lakh |
| Annual maintenance | ₹30–70 lakh |
Large‑scale apps like PhonePe/GPay invest crores annually due to fraud prevention, scaling, and incentives.
🎯 Conclusion
Building a UPI app like GPay in 2026 is possible—but requires strict adherence to NPCI rules, strong banking partnerships, and compliance with new performance/security norms. With the right team and infrastructure, you can launch a scalable, secure, and competitive UPI app in India.
