Standalone (Sessions)
The Standalone (Sessions) API is a standalone solution to authenticate online transactions with the EMV 3D Secure (3DS) protocol, allowing you to implement smarter 3DS authentication flows. The solution also:
- gives you greater visibility of the issuers' authentication decisions
- provides a smoother experience for your customers, while helping you fulfil the Strong Customer Authentication (SCA) requirements of the second Payment Services Directive (PSD2)
Once you have completed the authentication via Standalone (Sessions), you can then authorize the payment using one of the following methods:
- our payment gateway
- another payment services provider (PSP)
- the identifier from the Standalone (Sessions) API response
You have two options to integrate with Standalone (Sessions):
- hosted, in which Checkout.com hosts and manages the 3DS flow front end
- non-hosted, in which you own and manage the 3DS flow front end
Standalone (Sessions) currently supports:
- Visa Secure, provided by Visa
- Identity Check, provided by Mastercard
- SafeKey, provided by American Express
- Fast’R, provided by Cartes Bancaires
- J/Secure, provided by JCB
- ProtectBuy, provided by Discover/Diners Club International (DCI)
Non-hosted sessions are designed for those who want full control over their authentication flow.
Initiate authentication through the Standalone (Sessions) API using a card or a network token and set the completion.type field to non-hosted.
You can also provide the optional completion.callback_url field to receive the authentication result.
You will then need to collect channel (either browser or mobile app) and additional authentication data, perform a challenge (if required), and handle the authentication result. You can then proceed to authorize the payment, either through our payment gateway or another PSP.
Get started with non-hosted sessions.
This is the simplest solution, where we manage the authentication flow for you.
Initiate authentication through the Standalone (Sessions) API and:
- set the completion.type field to hosted
- provide URLs in the completion.success_url and completion.failure_url fields
You should then redirect the customer to the link returned in the response. We'll then gather the necessary payment, device, and cardholder data and take care of the rest.
Get started with hosted sessions.
When creating a session, you will need to authorize your request with access key authorization.
Use the following endpoint to generate an access_token, and use it to authorize your create session request.
POST https://access.checkout.com/connect/token
grant_type=client_credentials&client_id=ack_3kgxgdj773yubf4sfmiht3r4h42&client_secret=PddTMk1FBjk1MDQHtBt1U8cHjZvS+Guc80NmcUHp3pHevOpt7EgYkT/DWae7gnOTlF6kPCPo+RZEu9xut/5VVA==
The token server will return a Bearer access_token in JSON Web Token (JWT) format.
Your access token is valid for the length of time (in seconds) indicated by the expires_in field. When it expires, you'll need to request a new one.
{
  "access_token": "eyJhb6sqaQ",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "flow fx gateway"
}
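The token request and expiry handling described above, as an added example that is not Checkout.com's own code. It builds the form body with percent-encoding (secrets like the sample contain `+`, `/` and `=`) and renews the token shortly before expires_in elapses. The names TokenCache, build_token_body and post_form, the injectable transport and clock, and the 60-second margin are assumptions made for this example.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://access.checkout.com/connect/token"  # endpoint from this page


def build_token_body(client_id, client_secret):
    # urlencode percent-encodes '+', '/' and '=' in the secret; a raw '+' in a
    # form body would be decoded as a space by a standard form parser.
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")


def post_form(url, body):
    # Default transport (assumed helper): HTTPS POST, certificate checks left on.
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenCache:
    """Holds one access token in memory and renews it before expires_in runs out."""

    def __init__(self, client_id, client_secret, transport=post_form,
                 clock=time.monotonic, margin=60):
        self._body = build_token_body(client_id, client_secret)
        self._transport, self._clock, self._margin = transport, clock, margin
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            reply = self._transport(TOKEN_URL, self._body)
            if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = reply["access_token"]
            # Renew `margin` seconds early so no request carries a stale token.
            lifetime = max(int(reply["expires_in"]) - self._margin, 0)
            self._deadline = self._clock() + lifetime
        return self._token

    def authorization_header(self):
        return {"Authorization": "Bearer " + self.get()}
```

Load the client ID and secret from a secrets manager or environment variables rather than source code, and keep the returned token out of logs.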