API Terms of Use (India)
Information Technology Act 2000 | Indian Contract Act 1872 | DPDP Act 2023
These API Terms of Use ("Terms") are effective from [Effective Date] and govern access to and use of the [API Name] provided by [Provider Name], GSTIN [Provider GSTIN], registered at [Provider Address] ("Provider"), available at [API Portal URL].
By accessing or using the API, the developer or company accessing the API ("Developer") agrees to be bound by these Terms. If you do not agree, do not access the API.
1. LICENCE GRANT
1.1 The Provider grants the Developer a limited, non-exclusive, non-transferable, revocable licence to access and use the [API Name] solely for: [Permitted Use].
1.2 The Developer shall not: (a) reverse engineer, decompile, or disassemble the API; (b) use the API to build a competing product; (c) sublicence, sell, or resell API access; (d) exceed the rate limits specified in Clause 3; (e) use the API for any purpose that violates applicable Indian law including the IT Act 2000, the Prevention of Money Laundering Act 2002, or applicable RBI/SEBI regulations.
1.3 The Provider owns all IP in the API, documentation, and related technology under the Copyright Act 1957 and Trade Marks Act 1999. The Developer owns its application code.
2. AUTHENTICATION AND API KEYS
2.1 API access requires authentication via API keys, OAuth 2.0 tokens, or other credentials issued by the Provider ("API Credentials"). The Developer is solely responsible for maintaining the security of API Credentials.
2.2 The Developer shall not share API Credentials with any third party and must notify the Provider immediately at [API Portal URL] upon discovering any compromise of API Credentials.
2.3 The Provider may revoke or rotate API Credentials immediately if security is compromised or Terms are breached, without liability to the Developer.
3. RATE LIMITS AND USAGE QUOTAS
3.1 The Developer's use of the API is subject to a rate limit of [Rate Limit]. Exceeding this limit may result in throttling (reduction in response speed) or temporary suspension of API access.
3.2 The Provider reserves the right to modify rate limits on 30 days' written notice to the Developer. Emergency modifications may be made immediately in response to security threats or regulatory requirements.
4. DATA HANDLING — IT ACT 2000 AND DPDP ACT 2023
4.1 The API may provide access to: [Data Categories]. The Developer shall handle all data accessed via the API in compliance with the DPDP Act 2023 and Section 43A of the IT Act 2000.
4.2 The Developer shall implement security measures meeting [Security Standard] standards to protect data accessed via the API.
4.3 The Developer shall not store personal data beyond the period necessary for the permitted use, and shall delete data upon the Provider's request or upon termination of API access.
4.4 The Developer shall report any security incident or data breach involving API data to the Provider within 24 hours of discovery.
5. LIABILITY AND INDEMNITY
5.1 The Provider's total aggregate liability for all claims arising from or related to the API shall not exceed ₹[Liability Cap]. The Provider shall have no liability for indirect, consequential, special, incidental, or punitive damages including loss of profits or data.
5.2 The Developer shall indemnify the Provider against all claims, losses, and expenses arising from: (a) the Developer's application or use of the API beyond the permitted scope; (b) violation of applicable Indian law; and (c) infringement of third-party IP rights by the Developer's application.
5.3 The API is provided on an 'as-is' basis. The Provider does not warrant uninterrupted or error-free API availability.
6. GOVERNING LAW AND TERMINATION
6.1 These Terms are governed by the laws of India and the State of [Governing State]. Any dispute shall be subject to the exclusive jurisdiction of the courts at [Governing State].
6.2 The Provider may terminate API access immediately on breach of these Terms, and on 30 days' notice for any other reason. On termination, the Developer must immediately cease all API usage and delete all data obtained via the API.
API Provider (Authorised Signatory)
________________
Signature
Developer (Authorised Signatory)
________________
Signature
What Is an API Terms of Use (India)?
An API Terms of Use in India sets out the mutual obligations the parties accept and the terms that govern their dealings.
The Indian Contract Act 1872 provides the foundational legal framework for API terms of use as a contract: Section 10 requires a valid contract to have free consent, competent parties, lawful consideration, and a lawful object. Click-wrap API terms of use — where the developer clicks 'I Agree' or completes account registration — constitute acceptance under Indian contract law, as confirmed by several High Court decisions including the Bombay High Court's recognition of click-wrap agreements as binding contracts.
The IT Act 2000 is central to API governance. Section 43 imposes civil liability (compensatory damages) for unauthorised access to computer systems, computer networks, and computer resources — API terms must define the boundary between authorised and unauthorised access to prevent misuse claims. Section 43A imposes liability on 'body corporates' that handle 'sensitive personal data or information' (SPDI) negligently, creating a duty of care for API providers handling personal data. Section 66 criminalises hacking and unauthorised access, providing API providers with criminal law remedies against malicious API users.
The DPDP Act 2023, enacted by Parliament in August 2023, governs the processing of digital personal data of Indian residents. API providers processing personal data must comply with the Act's requirements for notice, consent, data minimisation, storage limitation, and data principal rights. The Data Protection Board of India — to be established under the DPDP Act — will adjudicate complaints and impose penalties up to ₹250 crore for significant breaches. API terms of use must address how personal data processed through the API is handled in compliance with the DPDP Act.
For fintech and payment APIs, the RBI's Guidelines on Regulation of Payment Aggregators and Payment Gateways (March 2020), the RBI's Master Direction on Prepaid Payment Instruments, the NPCI's UPI circulars, and the RBI's Account Aggregator framework impose additional API governance requirements that must be incorporated in API terms. SEBI's circulars on API access for capital market intermediaries impose obligations on technology vendors providing APIs to brokers and investment advisers.
The legal framework governing the API Terms of Use (India) in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing an API Terms of Use (India) in India should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Indian Contract Act, 1872 sets the foundational requirements.
When Do You Need an API Terms of Use (India)?
India API Terms of Use are needed whenever an Indian technology company, SaaS provider, fintech, data aggregator, or platform operator exposes an API for use by third-party developers, business customers, or integration partners, and the API access involves commercially sensitive data, personal data of Indian residents, financial transactions, or regulated services.
SaaS and cloud platform API access: Technology companies providing SaaS products — enterprise software, HR platforms, ERP systems, e-commerce platforms, logistics software — that expose APIs for integration with customers' internal systems or third-party tools must publish API Terms of Use. The terms establish the permitted integration scope, rate limits, data handling obligations under the DPDP Act 2023, and liability allocation between the SaaS provider and the integrating customer.
Fintech and payment API providers: Companies operating payment aggregator APIs (regulated by the RBI), UPI SDK integrations (governed by NPCI's UPI circulars), account aggregator APIs (governed by the RBI's AA framework), and digital lending APIs (governed by the RBI's Digital Lending Guidelines 2022) must have API terms that incorporate the RBI's regulatory requirements for their specific product category. Without proper API terms, the fintech company may face regulatory action from the RBI for inadequate governance of its developer ecosystem.
Data and analytics API providers: Companies that aggregate and sell access to structured data — real estate price data, credit risk data, alternative data for lending, commodities price feeds, or traffic and logistics data — through APIs must define permitted use cases, data attribution requirements, and restrictions on redistribution. Where the data includes personal information of Indian residents, DPDP Act 2023 compliance provisions are mandatory.
Healthcare and telemedicine API integrations: Digital health platforms, telemedicine companies, and hospital management systems that expose APIs for integration with insurance providers, laboratories, pharmacies, and EMR systems must comply with the National Health Authority's Health Data Management Policy and, where patient data is involved, include strict DPDP Act-compliant data handling provisions in the API terms.
Government and e-governance API integrations: Companies integrating with government API platforms — DigiLocker API, Aadhaar e-KYC API (via UIDAI authorised agencies), GSTN API, CoWIN API, or state government open data APIs — must accept the government's API terms while also publishing their own downstream API terms for any sub-licensing of access to end users or business customers.
What to Include in Your API Terms of Use (India)
Thorough India API Terms of Use must address the full range of contractual, regulatory, and technical governance issues arising from API access in the Indian legal and regulatory environment.
Licence grant and scope: The API terms must grant a specific, non-exclusive, non-transferable, revocable licence to access and use the API for defined permitted purposes only. The scope must specify: whether the licence covers commercial use, internal use, or both; the geographic territory (India, worldwide); whether the developer may sublicense access to their own end users; the permitted application types (web application, mobile application, integration with specific platforms); and any prohibited use cases. Vague licence language creates uncertainty about permitted use and enforcement rights.
Authentication, security, and API key management: The terms must specify the authentication mechanism — API key, OAuth 2.0, JWT tokens, or two-factor authentication — and the developer's obligations to keep credentials secure, rotate keys periodically, and report any suspected credential compromise immediately. The developer must be prohibited from sharing API credentials with unauthorised parties. Under Section 43 of the IT Act 2000, using another party's API credentials without authorisation is punishable with imprisonment.
Rate limits, quotas, and SLA: Rate limits (API calls per minute, per hour, per day) and data transfer quotas must be clearly specified for each tier of service. The provider's right to throttle access upon limit breach and to modify rate limits on notice should be stated. Service level commitments (uptime percentages, response time targets) and remedies for SLA failure (service credits) should be addressed.
DPDP Act 2023 compliance — personal data handling: Where the API processes personal data of Indian residents, the terms must: identify whether the provider acts as a Data Fiduciary or Data Processor under the DPDP Act 2023; specify the categories of personal data processed through the API; require the developer (if acting as a Data Fiduciary) to obtain valid consent from Data Principals before processing their data through the API; impose security safeguard obligations on the developer under Section 8(4) of the DPDP Act; and specify breach notification obligations — the provider must notify the Data Protection Board and affected Data Principals of a personal data breach under Section 8(6) of the DPDP Act.
IT Act 2000 compliance — acceptable use: The terms must prohibit use of the API for activities that violate the IT Act 2000, including: unauthorised access to computer systems (Section 43/66); transmission of obscene material (Section 67); publication of sexually explicit content involving minors (Section 67B); identity theft (Section 66C); and violation of privacy (Section 66E). The terms should require developers to comply with all applicable laws including the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.
Intellectual property ownership: The provider owns all intellectual property in the API, API documentation, SDKs, and related technology. The developer's application code remains the developer's IP, but must not contain any elements that replicate, reverse engineer, or decompile the API. The Copyright Act 1957 protects the API provider's code as a literary work; the Trade Marks Act 1999 protects the provider's brand used in any permitted marketing of API integration.
Liability cap and consequential damage exclusion: The provider's aggregate liability must be capped — typically at fees paid in the preceding 3 to 6 months, or a fixed monetary cap (₹5 lakh to ₹50 lakh) for free-tier access. Consequential, indirect, punitive, and special damages must be excluded. Indian courts apply the foreseeability principle from Hadley v. Baxendale, but express exclusion removes ambiguity.
RBI and sector-specific regulatory compliance for fintech APIs: Payment aggregator API terms must incorporate PCI-DSS obligations for card data handling, the RBI's merchant onboarding requirements, and settlement obligations. Account aggregator API terms must address the consent artefact requirement. UPI API terms must address NPCI's UPI Circular obligations on TPAPs. Fintech API terms should include a developer representation that they hold all required RBI/SEBI/IRDAI authorisations for their intended use of the API. The forms-legal.com API Terms of Use (India) template covers the mandatory elements under the Indian Contract Act, 1872.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). API Terms of Use (India) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/contracts/api-terms-of-use-india
Frequently Asked Questions
API Terms of Use in India are primarily governed by the Indian Contract Act 1872, the Information Technology Act 2000 (IT Act), and increasingly by the Digital Personal Data Protection Act 2023 (DPDP Act). The Indian Contract Act 1872 provides the foundational legal framework for the contractual relationship between the API provider and the developer/customer accessing the API — establishing the requirements for a valid contract (offer, acceptance, consideration, free consent, and lawful object). The IT Act 2000 is particularly relevant for API terms of use in several respects. Section 43 of the IT Act imposes penalties for unauthorised access to computer systems or networks, hacking, and data theft — API terms must define the boundary between authorised and unauthorised access and use. Section 43A imposes liability on body corporates for negligent handling of sensitive personal data, and API providers handling such data must include appropriate security obligations. Section 66 criminalises hacking and computer-related offences, which API providers can rely on against malicious API users. The DPDP Act 2023 applies wherever an API processes personal data of Indian residents. API providers must identify whether they are acting as a data fiduciary or data processor in the API relationship, and structure their API terms to comply with the Act's obligations — including consent requirements, security safeguards, breach notification, and data minimisation.
Comprehensive India API Terms of Use should include the following key provisions. Licence grant: A non-exclusive, non-transferable, revocable licence to access and use the API for the developer's permitted applications, subject to the terms. Clearly define the scope — whether the licence covers commercial use, the number of API calls permitted, and whether sublicensing to the developer's end users is permitted. Authentication and security: Requirements for API key management, OAuth 2.0 or equivalent authentication protocols, and the developer's obligation to maintain API credentials securely. Prohibit sharing of API keys and require immediate notification of any suspected compromise. Rate limits and quotas: Specific API call rate limits (e.g., calls per minute, per hour, per day), data transfer quotas, and consequences of exceeding limits — typically throttling or temporary suspension. Include the provider's right to adjust rate limits on notice. Acceptable use restrictions: Prohibit use of the API for scraping, reverse engineering, mining data beyond the permitted scope, building competing products, enabling illegal activities, or generating spam. Indian-specific prohibitions should include use for activities that violate Indian law including the IT Act 2000, the Prevention of Money Laundering Act 2002, and applicable RBI/SEBI regulations.
Payment and fintech APIs in India operate within a heavily regulated environment governed by the Reserve Bank of India (RBI), and API terms of use for such products must incorporate specific regulatory compliance provisions. Payment Aggregator and Payment Gateway APIs: The RBI's Guidelines on Regulation of Payment Aggregators and Payment Gateways (March 2020) require payment aggregators to be authorised by the RBI. Unauthorised entities providing payment API access to merchants must ensure their terms clearly define the role of each party and comply with the outsourcing guidelines applicable to payment system operators. Merchants (API customers) must comply with PCI-DSS standards for handling payment card data. Account Aggregator APIs: The Account Aggregator framework, developed under the RBI's Master Direction on Non-Banking Financial Companies (2016) and operationalised through the Financial Information Users (FIUs) and Financial Information Providers (FIPs) ecosystem, has specific consent architecture requirements. API terms for account aggregator access must address the Financial Information Management System (FIMS) consent artefact, data usage restrictions (data can only be used for the purpose specified in the consent artefact), and the prohibition on storing financial information beyond the specified purpose. Unified Payments Interface (UPI): NPCI's UPI circulars impose obligations on Third Party Application Providers (TPAPs) and Payment Service Providers (PSPs).
Liability and indemnity provisions in India API terms of use are particularly important given the scale at which API breaches can propagate — a single security failure or API misuse can affect thousands of end users simultaneously. Indian law under the Indian Contract Act 1872 and the IT Act 2000 provides the framework within which these provisions operate. Liability cap: API providers should include a liability cap limiting the provider's total aggregate liability to the developer to the fees paid by the developer in the preceding 3 or 6 months (or a fixed monetary cap for free-tier API access). This cap should apply to all claims arising from or related to the API terms, regardless of the theory of liability (contract, tort, or otherwise). Exclusion of consequential damages: Indian courts have traditionally applied the principle from Hadley v Baxendale — limiting recoverable damages to direct losses reasonably foreseeable at the time of contracting. However, to remove ambiguity, API terms should explicitly exclude liability for: loss of profits, loss of business, loss of revenue, loss of data, loss of goodwill, and any indirect, special, or consequential damages, whether or not such losses were foreseeable.
An API Terms of Use (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Indian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and the Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
SaaS Agreement (India)
A SaaS Agreement for India, governed by the IT Act 2000 and Indian Contract Act 1872. Covers software access licence, subscription fees, SLA, data processing obligations under the DPDP Act 2023, IP ownership, acceptable use, and termination. Suitable for cloud software vendors and enterprise customers.
Software Licence Agreement (India)
A comprehensive software licence agreement for India, governed by the Copyright Act 1957 and IT Act 2000. Covers source and object code licences, permitted use, user restrictions, support and maintenance, data protection under the DPDP Act 2023, and liability limitations.
Terms of Service (India)
Comprehensive terms of service for Indian websites and apps under the IT Act 2000 and Consumer Protection Act 2019. Covers user obligations, intellectual property, liability limitations, dispute resolution, and governing law.
Privacy Policy (India)
A comprehensive privacy policy for Indian businesses under the Digital Personal Data Protection Act 2023 (DPDP Act) and the Information Technology Act 2000. Covers data collection, processing purposes, user rights, data transfers, and grievance redressal.