This Postman collection provides a complete set of endpoints for the MudraVault API, a secure, feature-rich digital wallet system built with Express.js, MongoDB, Redis, and Razorpay. It includes:
\nUser Authentication with OTP (Email + Mobile)
\nWallet Management
\nPeer-to-Peer Transfers (P2P)
\nTransaction PIN (like UPI PIN)
\nRazorpay Integration for Top-ups
\nWebhook Handling & Transaction Verification
\nRate Limiting
\nTransaction Filtering & Analytics
\nSwagger Docs & Postman Docs Ready
\nThe collection is organized by features/modules for clarity:
\nPOST /otp/molile – Send OTP to Mobile Number
POST /otp/verify-mobile – Verify OTP sent to Mobile Number
POST /auth/signup – Register new users and save them in db
POST /otp/email – Send OTP to registered email
POST /otp/verify-otp – Verify OTP sent to Email
POST /auth/login – Login with email and password
POST /wallet/transfer – Internal wallet-to-wallet transfers (P2P)
GET /wallet/balance– Get balance and account number
POST /payments/topup – Create a Razorpay order for top-up and provide the link for Payment Page
POST /payments/webhook – Verify Razorpay payment via webhook
GET /transactions/history – Get complete transaction history using required filters
GET /transactions/pdf– Export the transaction history in form of pdf
POST/user/changePassword– Change the Password as per convenience
POST/user/changePin– Change the PIN as per convenience
Transaction PIN required for all sensitive actions (transfer, top-up)
\nOTP stored in Redis with auto-expiry
\nAll endpoints protected by JWT authentication middleware
\nImport the collection into Postman.
\nSet up the following Postman Environment Variables:
\nUse the Pre-request Scripts (where added) to automatically inject headers.
\nBegin with Authentication and OTP and follow the sequence in which the routes are presented in docs.
\nAll endpoints validated using Postman test scripts (where relevant).
\nEdge cases (e.g., expired OTPs, incorrect PINs, insufficient balance) can be tested using specific test data.
\nFor Razorpay webhooks, use ngrok / localtunnel and simulate events via the Razorpay dashboard.
If webhooks does not work then test them after deployment and make necessary changes.
\nSwagger Docs: https://virtual-wallet-api.onrender.com/api-docs/
\nGitHub Repo: https://github.com/tush1504/Virtual-Wallet-API
\nTech Stack: Node.js, Express, MongoDB, Redis, Razorpay, Nodemailer, 2Factor
\nMethod: POST
Endpoint: /otp/mobile
This API allows users to send an OTP (One Time Password) to a specified mobile number. Upon entering a valid mobile number, an OTP will be sent to that number via a voice call.
\n{\n \"mobile\": \"9876543210\"\n}\n\nOn a successful request, the API returns a status code of 200 with the following response format:
\n{\n \"message\": \"OTP sent to mobile number\"\n}\n\nOther endpoints of this API may return the following data structures:
\n{ \"balance\": 0, \"accountNumber\": \"\"}
\n{ \"message\": \"\", \"groupId\": \"\"}
\n{ \"total\": 0, \"page\": 0, \"limit\": 0, \"totalPages\": 0, \"transactions\": [ { \"_id\": \"\", \"referenceId\": \"\", \"groupId\": \"\", \"type\": \"\", \"payGateway\": \"\", \"status\": \"\", \"amount\": 0, \"description\": \"\", \"sender\": { \"_id\": \"\", \"contact\": \"\" }, \"receiver\": { \"_id\": \"\", \"contact\": \"\" }, \"user\": \"\", \"createdOn\": \"\", \"__v\": 0 } ]}
This structure may be returned with a status code of 200 as well.
This endpoint is used to send a One-Time Password (OTP) to the specified email address.
\nThis API is to be requested after signup process.
\nMethod: POST
\nURL: /otp/email
Content-Type: application/json
\nThe request body must be in JSON format and contain the following parameter:
\nExample Request Body:
\n{\n \"email\": \"example@example.com\"\n}\n\nOn a successful request, the server will respond with a 200 status code and a message confirming the action. The response will generally include the following structure:
\nExample Response:
\n{\n \"message\": \"OTP sent successfully\"\n}\n\nEnsure that the email provided is valid and accessible by the user, as the OTP will be sent to this address.
\nThe structure of the response may vary slightly depending on the context of the request, but it will generally include a message confirming the action taken.
\nThis endpoint is part of a broader API that may include functionalities like checking account balance, retrieving transactions, and managing user groups.
\nThis endpoint is used to verify a One-Time Password (OTP) associated with a mobile number. It is typically called after a user requests an OTP for authentication purposes.
\nMethod: POST
Endpoint: /otp/verify-mobile
The request body must be sent in JSON format and should contain the following parameters:
\nkey (string): The mobile number that is being verified.
\notp (string): The One-Time Password that was sent to the mobile number.
\nExample Request Body:
\n{\n \"key\": \"9479230415\",\n \"otp\": \"940414\"\n}\n\nUpon a successful verification, the API will return a response with a 200 status code. The response may vary based on the context of the request but typically includes:
\nmessage (string): A confirmation message regarding the OTP verification.
\nAdditional responses from related endpoints may include user account details, transaction history, or balance information, depending on the subsequent API calls made.
\nEnsure that the OTP is valid and has not expired before making this request.
\nThis endpoint is crucial for secure operations that require user authentication through mobile verification.
\nThis endpoint is used to create a new user account by submitting the user's details.
\nThe mobile number must be verified before accessing this request.
\nMethod: POST
URL: /auth/signup
The request body must be in JSON format and include the following parameters:
\nfirstName (string): The first name of the user.
lastName (string): The last name of the user.
email (string): The email address of the user.
contact (string): The contact number of the user.
gender (string): The gender of the user.
dob (string): The date of birth of the user in the format YYYY-MM-DD.
Example Request Body:
\n{\n \"firstName\": \"John\",\n \"lastName\": \"Doe\",\n \"email\": \"example@example.com\",\n \"contact\": \"1234567890\",\n \"gender\": \"male\",\n \"dob\": \"2000-01-01\"\n}\n\nThe response will return a JSON object.
\nStatus 200: Indicates successful account creation. The response will include a message confirming the registration.
\nStatus 400: Indicates a bad request. The response will include an empty message indicating that the request was not processed successfully.
\nExample Response:
\n{\n \"message\": \"\"\n}\n\nEnsure that all required fields are filled out correctly to avoid a 400 status response.
\nThe structure of the response may vary based on the endpoint being called, but typically includes a message or relevant user information.
\nFor successful responses from other related endpoints, you may receive structured data that includes user balances, account numbers, and transaction details.
\nThis endpoint is used to authenticate a user by logging them into the system. It requires the user's email and password to be sent in the request body. Upon successful authentication, the server will respond with relevant user data.
\nMethod: POST
\nEndpoint: /auth/login
Request Body: The request should be sent in JSON format with the following parameters:
\nemail (string): The email address of the user attempting to log in.
password (string): The password associated with the user's account.
Example Request Body:
\n{\n \"email\": \"user@example.com\",\n \"password\": \"your_password\"\n}\n\nOn a successful login, the server will return a response with a status code of 200. The response structure may vary based on subsequent API calls, but generally includes:
\nCommon Response Fields:
\nmessage (string): A message indicating the result of the login attempt.
balance (number): The current balance of the user's account.
accountNumber (string): The user's account number.
groupId (string): Identifier for the user's group.
transactions (array): A list of transaction objects associated with the user, which includes:
_id (string): Unique identifier for the transaction.
referenceId (string): Reference ID for the transaction.
groupId (string): Group ID associated with the transaction.
type (string): Type of transaction.
payGateway (string): Payment gateway used.
status (string): Current status of the transaction.
amount (number): Amount involved in the transaction.
description (string): Description of the transaction.
sender (object): Details of the sender, including:
_id (string): Sender's unique identifier.
contact (string): Sender's contact information.
receiver (object): Details of the receiver, including:
_id (string): Receiver's unique identifier.
contact (string): Receiver's contact information.
user (string): User associated with the transaction.
createdOn (string): Timestamp of when the transaction was created.
__v (number): Version key for the transaction.
Example Response:
\n{\n \"message\": \"Login successful\",\n \"balance\": 100,\n \"accountNumber\": \"123456789\",\n \"groupId\": \"group_1\",\n \"transactions\": [\n {\n \"_id\": \"transaction_id\",\n \"referenceId\": \"ref_id\",\n \"groupId\": \"group_id\",\n \"type\": \"credit\",\n \"payGateway\": \"gateway_name\",\n \"status\": \"completed\",\n \"amount\": 50,\n \"description\": \"Payment for services\",\n \"sender\": {\n \"_id\": \"sender_id\",\n \"contact\": \"sender@example.com\"\n },\n \"receiver\": {\n \"_id\": \"receiver_id\",\n \"contact\": \"receiver@example.com\"\n },\n \"user\": \"user_id\",\n \"createdOn\": \"2023-01-01T00:00:00Z\",\n \"__v\": 0\n }\n ]\n}\n\nThis endpoint is used to verify the One-Time Password (OTP) sent to a user's email address. It is essential for confirming the user's identity during the registration or login process.
\nOn successful verification , the lodin and wallet details of the user will be sent to the registered email.
\nMethod: POST
Endpoint: /otp/verify-email
Request Body:
The request body must be in JSON format and include the following parameters:
email (string): The email address of the user for whom the OTP is being verified.
otp (string): The One-Time Password sent to the user's email.
Example Request Body:
\n{\n \"email\": \"user@example.com\",\n \"otp\": \"123456\"\n}\n\nUpon a successful OTP verification, the API will return a response with a 200 status code. The response structure may vary based on the context of the request but generally includes:
\nmessage (string): A message indicating the success or failure of the OTP verification process.
Additional related data may include user account details or transaction information, depending on the context of the request.
\nExample Response:
\n{\n \"message\": \"OTP verified successfully.\"\n}\n\nEnsure that the email provided matches the email to which the OTP was sent.
\nThe OTP is time-sensitive; it may expire if not used within a specific timeframe.
\nUsers should handle responses appropriately to guide them through the verification process.
\nThis folder cintains all the routes that is required for successful registration and login into the program.
\n","_postman_id":"302f7669-582e-4217-b7ec-6b1c293a9bd1"},{"name":"Wallet","item":[{"name":"Balance","id":"1a68b22b-e789-402f-99c1-efeaa112fdee","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4ZGQ4OTI4OTA1OGRhYThkYjdmNWM4NyIsImlhdCI6MTc1OTM5Njc3MiwiZXhwIjoxNzYwMDAxNTcyfQ.3UHPePwBxvn15lSTT9yueRdYhbiIhCktihj_6m1ubuo","type":"text"}],"url":"/wallet/balance","description":"This endpoint retrieves the current balance of the user's wallet associated with their account.
\nMethod: GET
\nEndpoint: /wallet/balance
On a successful request, the API returns a JSON object with the following structure:
\n{\n \"balance\": 0,\n \"accountNumber\": \"\"\n}\n\nbalance (integer): The current balance in the user's wallet. This value may be zero or a positive integer.
\naccountNumber (string): The account number associated with the wallet. This may be an empty string if not applicable.
\nA successful request will return a 200 OK status code.
The response structure is consistent with other related endpoints in the API, which may return messages or transaction details.
\nEnsure that the user is authenticated and authorized to access their wallet balance before making this request.
\nThis endpoint allows users to transfer funds from their wallet to a specified contact. The transfer is initiated by sending a POST request to the /wallet/transfer endpoint with the necessary details in the request body.
The request body must be in JSON format and should include the following parameters:
\ncontact (string): The contact number of the recipient to whom the funds will be transferred.
\namount (number): The amount of money to be transferred.
\npin (string): The PIN code required to authorize the transfer.
\nExample Request Body:
\n{\n \"contact\": \"6265906318\",\n \"amount\": 1,\n \"pin\": \"1369\"\n}\n\nUpon a successful transfer, the API will respond with a status code of 200 and a JSON object containing the following fields:
message (string): A message indicating the result of the transfer operation (may be empty).
\ngroupId (string): An identifier for the group associated with the transfer (may be empty).
\nExample Response:
\n{\n \"message\": \"\",\n \"groupId\": \"\"\n}\n\nOther endpoints in the API may return similar structures, including messages and account details. For instance:
\nA response indicating the current balance or account number.
\nA response detailing transaction history, including transaction IDs, amounts, and statuses.
\nThis consistency in response structure helps in maintaining a uniform interaction pattern across the API.
\n","urlObject":{"path":["wallet","transfer"],"host":[""],"query":[],"variable":[]}},"response":[{"id":"e5489661-9371-4363-bf7c-98225400037a","name":"Internal Transfer","originalRequest":{"method":"POST","header":[{"key":"Authorization","value":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4NWY4NTQxMDMxNTkyNzE5MmZmNjc0ZCIsImlhdCI6MTc1MTEwMDg1NywiZXhwIjoxNzUxNzA1NjU3fQ.VGfn8uYA9QUOY6Iv2lSG0sTzp1BOinTlqlOgCWvDXLM","type":"text"}],"body":{"mode":"raw","raw":"{\r\n \"contact\":\"6265906318\",\r\n \"amount\":1,\r\n \"pin\":\"1369\"\r\n}","options":{"raw":{"language":"json"}}},"url":"/wallet/transfer"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Content-Security-Policy","value":"default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"},{"key":"Cross-Origin-Opener-Policy","value":"same-origin"},{"key":"Cross-Origin-Resource-Policy","value":"same-origin"},{"key":"Origin-Agent-Cluster","value":"?1"},{"key":"Referrer-Policy","value":"no-referrer"},{"key":"Strict-Transport-Security","value":"max-age=31536000; includeSubDomains"},{"key":"X-Content-Type-Options","value":"nosniff"},{"key":"X-DNS-Prefetch-Control","value":"off"},{"key":"X-Download-Options","value":"noopen"},{"key":"X-Frame-Options","value":"SAMEORIGIN"},{"key":"X-Permitted-Cross-Domain-Policies","value":"none"},{"key":"X-XSS-Protection","value":"0"},{"key":"Content-Type","value":"application/json; charset=utf-8"},{"key":"Content-Length","value":"67"},{"key":"ETag","value":"W/\"43-7HTvxFAuTZfQvB6OkLNfdMCG4gE\""},{"key":"Date","value":"Sun, 29 Jun 2025 05:55:23 GMT"},{"key":"Connection","value":"keep-alive"},{"key":"Keep-Alive","value":"timeout=5"}],"cookie":[],"responseTime":null,"body":"{\n \"message\": \"Transfer successful\",\n \"groupId\": \"txn_1751176523563_268\"\n}"}],"_postman_id":"631072c6-bdb5-412b-988b-b43ff7aabba2"}],"id":"b004b671-15d6-4da5-941f-927b55308d68","_postman_id":"b004b671-15d6-4da5-941f-927b55308d68","description":""},{"name":"Payments","item":[{"name":"TopUp","id":"9cc25088-7712-4a46-bdff-03731f18df48","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4ZGQ4OTI4OTA1OGRhYThkYjdmNWM4NyIsImlhdCI6MTc1OTM5Njc3MiwiZXhwIjoxNzYwMDAxNTcyfQ.3UHPePwBxvn15lSTT9yueRdYhbiIhCktihj_6m1ubuo","type":"text"}],"body":{"mode":"raw","raw":"{\r\n \"amount\":50000\r\n}","options":{"raw":{"language":"json"}}},"url":"/payments/topup","description":"This endpoint allows users to initiate a top-up payment by providing the desired amount.
\nMethod: POST
\nURL: /payments/topup
Request Body (JSON):
\namount (integer, required): The amount to be topped up. This value should be specified in the smallest currency unit (e.g., cents for USD).Example Request Body:
\n{\n \"amount\": 50000\n}\n\nOn a successful request, the API will return a 200 status code with the following JSON structure:
\norderId (string): The unique identifier for the order created.
amount (integer): The amount that has been processed.
paymentLink (string): A link to the payment page or confirmation.
Example Response:
\n{\n \"orderId\": \"\",\n \"amount\": 0,\n \"paymentLink\": \"\"\n}\n\nEnsure that the amount is a positive integer and represents the total value intended for the top-up.
\nThe response will confirm the order details, including the payment link for further actions.
\nThis endpoint is part of a larger API that may return various responses depending on the context of the request. Other endpoints may return messages or transaction details relevant to the user's account and activities.
\nThis endpoint allows users to retrieve the history of transactions associated with their account. It returns a paginated list of transactions, including details such as transaction IDs, amounts, statuses, and timestamps.
\nWe can use different Key-Values in the parametere section to get the transaction history as per our required filters.
\nMethod: GET
\nURL: /transactions/history
The response will return a JSON object with the following structure:
\n{\n \"total\": <number>, // Total number of transactions\n \"page\": <number>, // Current page number\n \"limit\": <number>, // Number of transactions per page\n \"totalPages\": <number>, // Total number of pages available\n \"transactions\": [ // Array of transaction objects\n {\n \"_id\": \"<string>\", // Unique identifier for the transaction\n \"referenceId\": \"<string>\", // Reference ID for the transaction\n \"groupId\": \"<string>\", // Group ID associated with the transaction\n \"type\": \"<string>\", // Type of transaction (e.g., credit, debit)\n \"payGateway\": \"<string>\", // Payment gateway used for the transaction\n \"status\": \"<string>\", // Current status of the transaction\n \"amount\": <number>, // Amount involved in the transaction\n \"description\": \"<string>\", // Description of the transaction\n \"sender\": { // Sender details\n \"_id\": \"<string>\", // Sender's unique identifier\n \"contact\": \"<string>\" // Sender's contact information\n },\n \"receiver\": { // Receiver details\n \"_id\": \"<string>\", // Receiver's unique identifier\n \"contact\": \"<string>\" // Receiver's contact information\n },\n \"user\": \"<string>\", // User associated with the transaction\n \"createdOn\": \"<string>\", // Timestamp of when the transaction was created\n \"__v\": <number> // Version key for the transaction\n }\n ]\n}\n\nThe total, page, limit, and totalPages fields provide pagination information.
The transactions array will contain transaction objects, each with detailed information.
If there are no transactions, the transactions array will be empty, and total will be 0.
Ensure to handle the pagination parameters appropriately if you are implementing this in your application.
\nA typical response might look like this:
\n{\n \"total\": 0,\n \"page\": 0,\n \"limit\": 0,\n \"totalPages\": 0,\n \"transactions\": []\n}\n\nThis indicates that there are currently no transactions available for the user.
\n","urlObject":{"path":["transactions","history"],"host":[""],"query":[],"variable":[]}},"response":[],"_postman_id":"4d4b8d6b-7b09-4700-80ce-41691172e03c"},{"name":"PDF","id":"a1cac084-576d-437b-b0c9-a9f658650a49","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4ZGQ4OTI4OTA1OGRhYThkYjdmNWM4NyIsImlhdCI6MTc1OTM5Njc3MiwiZXhwIjoxNzYwMDAxNTcyfQ.3UHPePwBxvn15lSTT9yueRdYhbiIhCktihj_6m1ubuo","type":"text"}],"url":"/transactions/pdf","description":"GET
/transactions/pdf
This endpoint retrieves a PDF document containing transaction details. It is designed to provide users with a downloadable format of their transaction history.
\nThere are no specific request parameters required for this endpoint.
\nOn a successful request, the server responds with a 200 OK status and the content type will be application/pdf. The response will not contain a JSON body, as the output is a PDF file.
The following are examples of responses from other related endpoints that share similar data models:
\n{\"message\":\"\"}
\n{\"balance\":0,\"accountNumber\":\"\"}
\n{\"message\":\"\",\"groupId\":\"\"}
\n{ \"total\":0, \"page\":0, \"limit\":0, \"totalPages\":0, \"transactions\":[ { \"_id\":\"\", \"referenceId\":\"\", \"groupId\":\"\", \"type\":\"\", \"payGateway\":\"\", \"status\":\"\", \"amount\":0, \"description\":\"\", \"sender\":{\"_id\":\"\",\"contact\":\"\"}, \"receiver\":{\"_id\":\"\",\"contact\":\"\"}, \"user\":\"\", \"createdOn\":\"\", \"__v\":0 } ]}
\nEnsure that the endpoint is accessed with proper authentication if required.
\nThe PDF document will contain the formatted transaction details as per the user's account history.
\nThis endpoint allows users to change their account PIN. It requires the current PIN and the new PIN to be provided in the request body.
\nMethod: POST
\nEndpoint: /user/changePin
Content-Type: application/json
\nRequest Body Parameters:
\ncurrentPin (string): The user's current PIN that needs to be verified.
newPin (string): The new PIN that the user wishes to set.
Example Request Body:
\n{\n \"currentPin\": \"7337\",\n \"newPin\": \"9513\"\n}\n\nStatus Code: 200 OK
\nContent-Type: application/json
\nResponse Body:
\nmessage (string): A message indicating the result of the operation. The message may be empty, but a successful operation will return a 200 status code.Example Response:
\n{\n \"message\": \"\"\n}\n\nEnsure that the current PIN is correct before attempting to change it to avoid errors.
\nThe new PIN should meet any security requirements set by the application (e.g., length, complexity).
\nThis endpoint may return similar structured responses as other endpoints within the API, which typically include a message field indicating the success or failure of the request.