Non-hosted sessions

Last updated: February 15, 2023

For full control over your 3D Secure (3DS) authentication flow, use non-hosted sessions. These will be initiated by your back end.

Information

Non-hosted sessions are suitable for authentications initiated for both browsers and mobile apps.

All Sessions API endpoints will accept a valid JSON web token (JWT) bearer token. These short-lived tokens can be generated using your client id and secret, which you will have received when you created your account.

Tokens must contain the scope sessions:browser for browser channel flows or sessions:app for native mobile app channel flows. If you are unsure of the channel you're going to use when you request the session, you can include both scopes.

All endpoints following the request to create a new session will also accept the session secret; creating a session will return a session_secret property, which can be used in the Authorization header of subsequent requests for that session.

The session_secret is short-lived randomly generated string that can only be used for actions taken on a specific session, reducing the chance of it being leaked. This way the front end does not have to have access to the client secrets required to create JWT tokens (which, if exposed to the front end, can risk being leaked to malicious third parties).

Information

Note that any endpoint accessible with session_secret can also be accessed with a valid JWT token. This can be useful if you intend to access the endpoints from your back end, for instance, because you proxy the requests instead of making them directly from the front end.

Learn more about exemptions.

In regions where SCA is mandated, following the Payment Services Directive (PSD2) means the initial cardholder-initiated transaction (CIT) payment will require SCA. As such, you must authenticate the CIT with a challenge in these mandated regions.

In your API request, set authentication_type to recurring or installment.

You will also need to send the recurring or installment object with the following required fields.

Information

For Visa payments, the initial customer-initiated transaction (CIT) to set up a recurring or installment series should be processed as a regular authentication. The additional fields described in the following fields are not required.

Field name	Description
`number_of_payments` Only applies to `installment` payments.	Integer Minimum : 1 Indicates the agreed total number of payment installments to be made in the duration of the installment agreement.
`days_between_payments`	Integer Default : 1 Indicates the minimum number of days between authorizations. If no value is specified for a recurring authentication type the default value will be used.
`expiry`	String Default : "99991231" Date after which no further authorizations are performed, in the format `YYYYMMDD`. If no value is specified for a recurring authentication type the default value will be used.

For non-recurring or non-installment payments, these fields will be ignored if they are sent to the API.


1{
2  "source": {
3    "type": "card",
4    "number": "4485040371536584",
5    "expiry_month": 1,
6    "expiry_year": 2030
7  },
8  "amount": 100,
9  "currency": "USD",
10  "authentication_type": "installment",
11  "installment": {
12    "number_of_payments": 12,
13    "days_between payments": 28,
14    "expiry": 20251231
15  },
16  "authentication_category": "payment",
17  "reference": "ORD-5023-4E89",
18  "transaction_type": "goods_service",
19  "shipping_address": {
20    "address_line1": "123 Anywhere St.",
21    "address_line2": "Apt. 456",
22    "city": "Anytown",
23    "state": "AL",
24    "zip": "123456",
25    "country": "US"
26  },
27  "completion": {
28    "type": "non_hosted",
29    "callback_url": "https://example.com/sessions/callback"
30  }
31}

This is the first step to starting a 3DS authentication flow with Sessions. Authenticate the call with an access token and perform it from your back end.

For the full API specification, see the API reference.

post

https://api.checkout.com/sessions

Information

To increase the likelihood of frictionless authentication, add additional data fields when requesting a session.

Information

If you create a session with channel data, there is no need to update the channel data later on. A javascript_enabled field is required in the channel data to use 3DS version 2.2.0. See step 4 for more information.


1{
2  "source": {
3    "type": "card",
4    "number": "4485040371536584",
5    "expiry_month": 1,
6    "expiry_year": 2030
7  },
8  "amount": 100,
9  "currency": "USD",
10  "authentication_type": "regular",
11  "authentication_category": "payment",
12  "challenge_indicator": "no_preference",
13  "reference": "ORD-5023-4E89",
14  "transaction_type": "goods_service",
15  "shipping_address": {
16    "address_line1": "123 Anywhere St.",
17    "address_line2": "Apt. 456",
18    "city": "Anytown",
19    "state": "AL",
20    "zip": "123456",
21    "country": "US"
22  },
23  "completion": {
24    "type": "non_hosted",
25    "callback_url": "https://example.com/sessions/callback"
26  }
27}

You should receive a 202 - Accepted response, with a status of pending. It will also contain:

The session id (prefixed by sid_), which you'll use to get the session details in the next step.
A _links.three_ds_method_url URL, where the cardholder should be redirected to complete the Issuer Fingerprint, if the card supports this feature.
A next_actions property, which will tell you what action(s) to take next.

With the introduction of 3DS version 2.2.0, you may receive a 2.2.0 value in the protocol_version field in the response.


1{
2  "session_secret": "sek_Dal7UyiH8rIFXA4PfgiIk2jUyQkVDeEWgVBEL4TsRTE=",
3  "id": "sid_llraltf4jlwu5dxdtprcv7ba5i",
4  "transaction_id": "cc05e25a-4abc-4eed-8ee3-9be22afc20ea",
5  "amount": 6540,
6  "currency": "USD",
7  "completed": false,
8  "authentication_type": "regular",
9  "authentication_category": "payment",
10  "status": "pending",
11  "approved": false,
12  "protocol_version": "2.1.0",
13  "reference": "ORD-5023-4E89",
14  "next_actions": ["collect_channel_data", "issuer_fingerprint"],
15  "transaction_type": "goods_service",
16  "_links": {
17    "self": {
18      "href": "https://3ds2.ckotech.co/sessions/sid_llraltf4jlwu5dxdtprcv7ba5i"
19    },
20    "three_ds_method_url": {
21      "href": "https://api.hbsc.com/3dsmethod?tx=123456"
22    }
23  }
24}

Next, you need to gather the device data (meaning the details of the browser or mobile app that initiated the session) in order to make an authentication request. To do so, get the current session details with the following request.

Information

You can skip this step if your back end forwards the response of requesting a new session to your front end.

For the full API specification, see the API reference.

get

https://api.checkout.com/sessions/{session_id}

You will get a response with the property next_actions, which will tell you what you need to do next.

Field name Description

Field name	Description
`id` string	The unique identifier of the session.
`next_actions` array	Specifies what action to take to complete the session. Will be one of: `collect_channel_data`, `issuer_fingerprint` (browser-initiated only), `challenge_cardholder`, or `complete`. See below for all possible actions and their meanings.
`status` string	The status of the session. Should be `pending`. See below for all possible statuses and their meanings.

id

string

The unique identifier of the session.

next_actions

array

Specifies what action to take to complete the session. Will be one of: collect_channel_data, issuer_fingerprint (browser-initiated only), challenge_cardholder, or complete.

See below for all possible actions and their meanings.

status

string

The status of the session. Should be pending.

See below for all possible statuses and their meanings.

If there is no three_ds_method_url property available in the response, Sessions will automatically set the three_ds_method_completion property to U and continue the flow. You do not have to make a POST request to the Issuer Fingerprint endpoint. The following actions will be collect_channel_data, challenge_cardholder or complete, with their corresponding status pending, challenged or one of approved, declined, rejected or expired.

If one of the next actions after creating the session was issuer_fingerprint, this step must be completed before proceeding with the session.

This involves the customer's browser contacting the Access Control Server directly so that the latter can calculate a fingerprint of it.

To do this, you first need to construct the following payload:


1{
2  "threeDSServerTransID": //the transaction_id property of the session,
3  "threeDSMethodNotificationURL": //the URL that will receive the 3DS method notification message
4}

This payload needs to be base64 encoded and sent to the three_ds_method_url property of the _links object of the session using a POST request and putting the base64 encoded data in a form field called threeDSMethodData.

This will trigger a POST redirect to the threeDSMethodNotificationURL with a form parameter named threeDSMethodData. This will be a base64 encoded payload that, when decoded, will look like the following:


1{
2  "threeDSServerTransID": //the transaction_id property of the session
3}

If you do not wish to handle the notification manually you can use our interceptor application to do it for you. To do so, set the threeDSMethodNotificationURL with the applicable endpoint:

post

https://api.checkout.com/sessions-interceptor/3ds-method-notification

After you POST the threeDSMethodData, you can be notified about the completion by listening for a browser event as follows:


1window.addEventListener('message', messageCallback, false);

Where messageCallback is a function with the following signature:


1function messageCallback(event) {
2  console.log(event.data);
3}

And event.data will contain the following object:


1{
2  "threeDSServerTransID": //the transaction_id property of the session
3}

In order to update the three_ds_method_completion property, you'll need to send a POST request to the issuer_fingerprint property of the _links object of the session.

Once you've received the message, the fingerprint has completed successfully and you can set the three_ds_method_completion property to Y.

If you don't receive the message within 10 seconds of initiating the flow, set this property to N. You will need to implement a timeout logic to account for this.

Information

The response you receive from the Notification of Completion will only contain threeDSServerTransID and not a value of Y/N/U. The three_ds_method_completion property is determined only by which route the Issuer Fingerprint step takes.

Alternatively, if the session was created without channel data and you need to submit this after the Issuer Fingerprint step, you can make a single POST request to /sessions/{id}/collect-data (see Step 4) with the three_ds_method_completion property in the payload. This means you don't need to make a separate PUT request to /sessions/{id}/issuer-fingerprint.

Once you've completed the relevant actions indicated by the next_actions property, you need to update the session with the collected device data to make the authentication request.

A javascript_enabled field is introduced in the channel data for 3DS version 2.2.0. If this field is not provided in the request, we will add it and default the value to true.

Note

If you created the session with channel data, there is no need to complete this step. This step will be handled by our mobile SDKs for mobile app flows.

For the full API specification, see the API reference.

put

https://api.checkout.com/sessions/{session_id}/collect-data

Field name Description

Field name	Description
`channel` required string	Indicates the interface (either `browser` or `app`) being used to initiate the transaction. Set this to `browser`.
`accept_header` required string	Exact content of the HTTP accept headers as sent to the 3DS Requestor from the cardholder’s browser.
`java_enabled` required boolean	Boolean that represents the ability of the cardholder browser to execute Java. The value is returned from the `navigator.javaEnabled` property.
`javascript_enabled` optional boolean	Boolean that represents the ability of the cardholder browser to execute JavaScript. Default: `true`
`language` required string	Value representing the browser language as defined in IETF BCP47. Returned from the `navigator.language` property.
`color_depth` required string	Value representing the bit depth of the color palette for displaying images, in bits per pixel. Obtained from the cardholder's browser using the `screen.colorDepth` property.
`screen_height` required string	Total height of the cardholder’s screen in pixels. Value is returned from the `screen.height` property.
`screen_width` required string	Total width of the cardholder’s screen in pixels. Value is returned from the `screen.width` property.
`timezone` required string	Time difference between UTC time and the local time of the cardholder's browser, in minutes.
`user_agent` required string	Exact content of the HTTP user-agent header.
`ip_address` required string	IP address of the browser as returned by the HTTP headers to the 3DS Requestor.
`three_ds_method_completion` optional string	Indicates whether the 3DS Method successfully completed. `Y`: successfully completed `N`: did not successfully complete `U`: Unavailable (3DS Method URL was not present in the preparation response message data for the card range associated with the cardholder's account number).

channel

required

string

Indicates the interface (either browser or app) being used to initiate the transaction. Set this to browser.

accept_header

required

string

Exact content of the HTTP accept headers as sent to the 3DS Requestor from the cardholder’s browser.

java_enabled

required

boolean

Boolean that represents the ability of the cardholder browser to execute Java. The value is returned from the navigator.javaEnabled property.

javascript_enabled

optional

boolean

Boolean that represents the ability of the cardholder browser to execute JavaScript.

Default: true

language

required

string

Value representing the browser language as defined in IETF BCP47. Returned from the navigator.language property.

color_depth

required

string

Value representing the bit depth of the color palette for displaying images, in bits per pixel. Obtained from the cardholder's browser using the screen.colorDepth property.

screen_height

required

string

Total height of the cardholder’s screen in pixels. Value is returned from the screen.height property.

screen_width

required

string

Total width of the cardholder’s screen in pixels. Value is returned from the screen.width property.

timezone

required

string

Time difference between UTC time and the local time of the cardholder's browser, in minutes.

user_agent

required

string

Exact content of the HTTP user-agent header.

ip_address

required

string

IP address of the browser as returned by the HTTP headers to the 3DS Requestor.

three_ds_method_completion

optional

string

Indicates whether the 3DS Method successfully completed.

Y: successfully completed
N: did not successfully complete
U: Unavailable (3DS Method URL was not present in the preparation response message data for the card range associated with the cardholder's account number).

Field name	Description
`channel` required string	Indicates the interface (either `browser` or `app`) being used to initiate the transaction. Set this to `app`.
`sdk_app_id` string	A unique ID created upon all installations and updates of the 3DS Requestor App on a consumer device. This will be newly generated and stored by the SDK for each installation or update.
`sdk_max_timeout` required integer	Indicates the maximum amount of time (in minutes) for all exchanges.
`sdk_ephem_pub_key` required object	Public key component of the ephemeral key pair generated by the SDK and used to establish session keys between the SDK and access control server. In the authentication request, this data element is present as its own object. In the authentication response, this data element is contained within the ACS Signed Content JWS object.
`sdk_encrypted_data` required string	Contains data encrypted by the SDK for the directory server to decrypt.
`sdk_transaction_id` required string	Unique ID assigned by the SDK to identify a single transaction.
`sdk_interface_type` required string	Lists all the SDK interface types that the cardholder's device supports for displaying specific challenge user interfaces within the SDK. Values: native, html, both.
`sdk_ui_elements` required array	Lists all the elements that the cardholder's device supports for displaying the challenge user interface within the SDK. Values: text, single_select, multi_select, oob, html_other.

Once the update is received, an authentication request will be sent, returning an authentication response from the issuer with the outcome of the authentication: approved, attempted, unavailable, declined, rejected, or challenged.

This outcome sets the next_actions property in the update response, letting you know what to do next.

If an exemption was sent in the request and was successfully applied, you should expect an exemption object in the response.


1{
2  "exemption": {
3    "requested": "transaction_risk_assessment",
4    "applied": "transaction_risk_assessment",
5    "trusted_beneficiary": {
6      "status": "Y",
7      "source": "ACS"
8    }
9  }
10}

Field name Description

Field name	Description
`id` string	The unique identifier of the session.
`next_actions` array	Specifies what action to take to complete the session. `challenge_cardholder`: the issuer is challenging the authentication and the cardholder will need to submit additional credentials. `complete`: no further actions need to be taken. You can complete the session. See below for all possible actions and their meanings.
`status` string	The status of the session. Should be `processing`. If `expired`, the authentication was started but could not be completed. See below for all possible statuses and their meanings.

id

string

The unique identifier of the session.

next_actions

array

Specifies what action to take to complete the session.

challenge_cardholder: the issuer is challenging the authentication and the cardholder will need to submit additional credentials.
complete: no further actions need to be taken. You can complete the session.

See below for all possible actions and their meanings.

status

string

The status of the session. Should be processing. If expired, the authentication was started but could not be completed.

See below for all possible statuses and their meanings.

Information

This is only relevant for browser-based authentications. Our mobile SDKs will handle the challenge flow for mobile app authentications.

If, after completing the issuer fingerprint and channel data steps, the authentication is approved/declined immediately—the "frictionless" flow—you can proceed to complete the session.

If not, the cardholder will now be challenged to provide additional information to authenticate the payment—the "challenge" flow.


1{
2  "id": "sid_r5supjqo6kduppai4u56apandi",
3  "transaction_id": "a647658f-f20e-4787-bc08-e53be03c0d1a",
4  "amount": 1000,
5  "currency": "GBP",
6  "completed": false,
7  "authentication_type": "regular",
8  "authentication_category": "payment",
9  "status": "challenged",
10  "protocol_version": "2.1.0",
11  "next_actions": ["challenge_cardholder"],
12  "ds": {
13    "reference_number": "0c6e7212-710a-48c6-9e67-bf889569",
14    "transaction_id": "a05d24dd-b450-4d9c-9623-5df6835975f6"
15  },
16  "acs": {
17    "reference_number": "6f66a1bd-c4e0-4d6d-b233-739b5a2d",
18    "transaction_id": "d990b286-f75b-4347-9371-c66132cd7c21",
19    "operator_id": "cf99f707-d05d-44ac-bd4d-af691f82",
20    "url": "http://3ds2.ckotech.co/3ds2simulator/acs/challenge",
21    "challenge_mandated": true,
22    "authentication_type": "01"
23  },
24  "response_code": "C",
25  "response_status_reason": "01",
26  "challenged": true,
27  "transaction_type": "goods_service",
28  "_links": {
29    "self": {
30      "href": "https://3ds2-sandbox.cko.lon/sessions/sid_r5supjqo6kduppai4u56apandi"
31    }
32  }
33}

The next_actions field will contain the challenge_cardholder action (see example above). To proceed, create the challenge request (CReq) message as follows:


1{
2  "threeDSServerTransID": //the transaction_id field of the session,
3  "acsTransID": //the acs.transaction_id field of the session,
4  "messageType":"CReq",
5  "messageVersion": //the specific 3DS version used. Should be set to the protocol_version property of the session,
6  "challengeWindowSize": //the requested challenge size. See below for possible values
7}

Challenge window size value	Size
01	250-400px
02	390-400px
03	500-600px
04	600-400px
05	Full screen

Information

The style of the challenge window style is dependent on the issuer, so the above sizes may not be exact. We recommend that you render the challenge inside a frame so you have full control over the final size on your page.

Once the CReq message is constructed, it must be base64 encoded and posted to the acs.url property of the session, in a form field named creq. Ensure that the encoded CReq message does not contain any padding.

If the CReq message was successful, the response will be the HTML needed to render the challenge.


1<!DOCTYPE html>
2<html lang="en">
3  <head>
4    <meta charset="utf-8" />
5    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
6    <title>Checkout 3D Simulator</title>
7    <link rel="stylesheet" type="text/css" href="/3ds2simulator/css/main.css" />
8  </head>
9
10  <body>
11    <div id="picture-less-loading-container">
12      <div id="picture-less-loading"></div>
13    </div>
14    <div class="container">
15      <span class="main-title">Simulator</span>
16      <div class="wrap">
17        <div class="logo">
18          <image src="/3ds2simulator/images/logo.jpg" alt="Checkout.com logo" title="Checkout.com" />
19        </div>
20        <p class="title text-center">3D-Secure 2 Authentication</p>
21        <p class="disclaimer text-center">Please enter your password</p>
22        <form id="form" method="post" action="/3ds2simulator/acs/challenge-submit">
23          <input type="hidden" name="transactionId" />
24          <div class="input-wrap">
25            <i class="glyph-icon ckoicon-lock"></i>
26            <input
27              id="password"
28              type="password"
29              name="password"
30              class="form-field"
31              placeholder="Hint: Checkout1!"
32            />
33          </div>
34          <input type="submit" value="Continue" class="btn" id="txtButton" />
35        </form>
36      </div>
37    </div>
38    <script type="text/javascript" src="/3ds2simulator/js/main.js"></script>
39  </body>
40</html>

Information

The challenge is dependent on the card issuer, so the actual HTML may look different, but there should be a form for the cardholder to complete the challenge.

If you want to be notified about the completion of the challenge, you can register an event handler on your page as follows:


1window.addEventListener('message', messageCallback, false);

Where messageCallback is a function with the following signature:


1function messageCallback(event) {
2  console.log(event.data);
3}

And event.data will contain the following object:


1{
2  "transStatus": "Y",
3  "threeDSServerTransID": "352455b7-b3b1-4696-a916-69e2e4274e6c"
4}

Where threeDSServerTransID is the transaction_id of the session and transStatus is one of the following values:

Value	Description
`Y`	Authentication/Verification Successful
`N`	Not Authenticated/Account Not Verified (transaction denied)
`U`	Authentication/Account Verification Could Not Be Performed (a technical or other problem, as indicated in ARes or RReq)
`A`	Attempts Processing Performed (not authenticated/verified, but a proof of attempted authentication/verification is provided)
`R`	Authentication/Account Verification Rejected (issuer has rejected transaction)

Once the challenge has been completed, the session should move to a final state, allowing you to (optionally) complete the session.

Information

At this point the session should contain the eci and cryptogram (CAVV/AVV) properties needed for authorization, but these will only be returned when retrieving the session using a JWT token and not the session_secret. This is to protect them from leaking to the client side.

Information

The challenge flow should be completed within 15 minutes of initiating the flow. If this is not the case, the status of the challenge can be set to U.

Information

This is an optional step providing an easy way for you to be notified about the completion of the authentication.

Once the session is in a final state (approved, declined, rejected, unavailable, or attempted), you can choose to complete it.

This triggers a POST to the completion.callback_url field of the session and will respond with 204 if the call was successful or 500 otherwise. Alternatively, you can GET the session details to inspect it and verify its final status.

For the full API specification, see the API reference.

post

https://api.checkout.com/sessions/{session_id}/complete

If successful, we will use the callback_url to share the authentication outcome with you (see example below). If we receive a 2XX response from you, you will then get a successful 204 response with no content. If the payment was authenticated, you're now ready to authorize and complete the payment.

Information

If the authentication is approved ("response_code": "Y") or attempted ("A"), you can authorize the payment. If the authentication is unavailable due to technical issues ("U"), you can decide whether or not to proceed with the payment, based on your risk assessment.

With the introduction of 3DS version 2.2.0, you may receive a 2.2.0 value in the protocol_version field in the response.


1{
2  "session_id": "sid_llraltf4jlwu5dxdtprcv7ba5i",
3  "amount": 6540,
4  "currency": "USD",
5  "status": "approved",
6  "authentication_type": "regular",
7  "authentication_category": "payment",
8  "reference": "ORD-5023-4E89",
9  "approved": true,
10  "protocol_version": "2.1.0",
11  "response_code": "Y",
12  "response_reason": "01",
13  "cryptogram": "MTIzNDU2Nzg5MDA5ODc2NTQzMjE=",
14  "eci": "05",
15  "challenged": true
16}

Field name Description

Field name	Description
`session_id` string, 36 chars	The unique identifier for the session.
`amount` integer	The amount in the major currency.
`currency` string	The three-letter ISO currency code.
`status` string (enum)	Indicates the status of the session. One of: `challenge_abandoned` `expired` `approved` `attempted` `unavailable` `declined` `rejected`
`authentication_type` string	Indicates the type of payment this session is for.
`authentication_category` string (enum)	Indicates the category of the authentication request. One of: `payment` `non-payment`
`reference` string, maximum 100 chars	A reference you can later use to identify this payment, such as an order number.
`approved` boolean	Indicates whether the authentication was successful.
`protocol_version` string, maximum 50 chars	The 3DS version used for authentication. Possible values: `2.1.0` `2.2.0`
`response_code` string (enum)	The response from the DS or ACS which indicates whether a transaction qualifies as an authenticated transaction or account verification. One of: `Y`: authentication verification successful `N`: not authenticated / account not verified; transaction denied `U`: authentication/ account verification could not be performed; technical or other problem, as indicated in ARes or RReq `A`: attempts processing performed; not authenticated/verified, but a proof of attempted authentication/verification is provided `C`: challenge required; additional authentication is required using the CReq/CRes `D`: challenge required; decoupled authentication confirmed `R`: authentication / account verification rejected; issuer is rejecting authentication / verification and requests that the authorization not be attempted `I`: informational only; 3DS requestor challenge preference acknowledged
`response_reason` string	The response from the direct server (DS) or access control server (ACS) which provides information on why the `response_code` field has the specified value `01`: card authentication failed `02`: unknown device `03`: unsupported device `04`: exceeds authentication frequency limit `05`: expired card `06`: invalid card number `07`: invalid transaction `08`: no card record `09`: security failure `10`: stolen card `11`: suspected fraud `12`: transaction not permitted to cardholder `13`: cardholder not enrolled in service `14`: transaction timed out at the ACS `15`: low confidence `16`: medium confidence `17`: high confidence `18`: very high confidence `19`: exceeds ACS maximum challenges `20`: non-payment transaction not supported `21`: 3RI transaction not supported `22`: ACS technical issue `23`: decoupled authentication required by ACS but not requested by 3DS requestor `24`: 3DS requestor decoupled max expiry time exceeded `25`: decoupled authentication was provided in insufficient time to authenticate the cardholder. ACS will not make attempt. `26`: authentication attempted but not performed by the cardholder
`cryptogram` string, 28 chars	A payment system-specific value provided as part of the access control server (ACS) registration for each supported direct server (DS).
`eci` string, 2 chars	The electronic commerce indicator (ECI).
`challenged` boolean	Indicates whether this session involved a challenge.

session_id

string, 36 chars

The unique identifier for the session.

amount

integer

The amount in the major currency.

currency

string

The three-letter ISO currency code.

status

string (enum)

Indicates the status of the session.

One of:

challenge_abandoned
expired
approved
attempted
unavailable
declined
rejected

authentication_type

string

Indicates the type of payment this session is for.

authentication_category

string (enum)

Indicates the category of the authentication request.

One of:

payment
non-payment

reference

string, maximum 100 chars

A reference you can later use to identify this payment, such as an order number.

approved

boolean

Indicates whether the authentication was successful.

protocol_version

string, maximum 50 chars

The 3DS version used for authentication.

Possible values:

2.1.0
2.2.0

response_code

string (enum)

The response from the DS or ACS which indicates whether a transaction qualifies as an authenticated transaction or account verification.

One of:

Y: authentication verification successful
N: not authenticated / account not verified; transaction denied
U: authentication/ account verification could not be performed; technical or other problem, as indicated in ARes or RReq
A: attempts processing performed; not authenticated/verified, but a proof of attempted authentication/verification is provided
C: challenge required; additional authentication is required using the CReq/CRes
D: challenge required; decoupled authentication confirmed
R: authentication / account verification rejected; issuer is rejecting authentication / verification and requests that the authorization not be attempted
I: informational only; 3DS requestor challenge preference acknowledged

response_reason

string

The response from the direct server (DS) or access control server (ACS) which provides information on why the response_code field has the specified value

01: card authentication failed
02: unknown device
03: unsupported device
04: exceeds authentication frequency limit
05: expired card
06: invalid card number
07: invalid transaction
08: no card record
09: security failure
10: stolen card
11: suspected fraud
12: transaction not permitted to cardholder
13: cardholder not enrolled in service
14: transaction timed out at the ACS
15: low confidence
16: medium confidence
17: high confidence
18: very high confidence
19: exceeds ACS maximum challenges
20: non-payment transaction not supported
21: 3RI transaction not supported
22: ACS technical issue
23: decoupled authentication required by ACS but not requested by 3DS requestor
24: 3DS requestor decoupled max expiry time exceeded
25: decoupled authentication was provided in insufficient time to authenticate the cardholder. ACS will not make attempt.
26: authentication attempted but not performed by the cardholder

cryptogram

string, 28 chars

A payment system-specific value provided as part of the access control server (ACS) registration for each supported direct server (DS).

eci

string, 2 chars

The electronic commerce indicator (ECI).

challenged

boolean

Indicates whether this session involved a challenge.

Below are the possible values of the status field, which tell you the current status of the session.

Field name	Description
`pending`	Authentication has been requested and the session has been started. The session `id` is passed back to your server and can be shared with the mobile app (iOS or Android) SDK.
`processing`	The 3DS server has updated the authentication with channel data collected by the SDKs and has created and sent an authentication request to the directory server. The access control server is now evaluating the data to decide whether to authenticate the transaction (frictionless) or challenge it.
`approved`	The payment has been successfully authenticated (frictionless or challenged).
`attempted`	The payment has been authenticated by a stand-in service, because the access control server could not be reached or does not support 3DS natively. You can treat this as a successful authentication and proceed to authorization.
`unavailable`	Authentication failed because of technical problems with the directory server or the issuer's access control server.
`declined`	The transaction was not authenticated. The issuer denied the transaction.
`rejected`	The transaction was rejected. The issuer is rejecting the authentication and requests that authorization not be attempted.
`challenged`	Authentication has been requested but the issuer requires that the cardholder be presented with a challenge.
`challenge_abandoned`	Authentication has been started and challenged, but the cardholder did not complete the challenge.
`expired`	Authentication has been started but the channel data could not be collected, meaning an authentication request was not created.

Below are the possible values for the next_actions field. When present, they identify what action to take in order to complete the session.

Session type	Action	Description	Channel
`Non-hosted`	`collect_channel_data`	Indicates that the SDK should collect the device data and pass it to the Sessions API so that the 3DS server can create an authentication request.	Browser and app
	`issuer_fingerprint`	The issuer fingerprint is a step where the 3DS Method URL is used by the access control server before the authentication request to gather additional browser information to perform the risk assessment of the transaction. The use of the 3DS Method URL is optional.	Browser only
	`challenge_cardholder`	This occurs after an issuer decides to challenge an authentication. You should create a challenge request and submit it to the issuer's access control server to obtain the details to render a challenge window for the cardholder to submit their credentials.	Browser and app
Hosted and non-hosted	`complete`	No further actions are required. You can complete the session.	Browser and app

When requesting a session, you can add additional data fields to increase the chances of a frictionless authentication. Below is a summary of the optional data you can add to your request.

Type of data	Description and examples
Client user data	Data that supports the specific authentication and information about the authentication method used. For example, your own credentials, and the issuer's credentials.
Prior transaction information	For returning users and recurring transactions, gather and submit data with each following transaction. For example, when the recurring payment plan expires, payment references, and the authentication method used.
Account type	The account type used in your request. Issuer's attach different risk profiles to different accounts. For example, credit or debit.
Address match	Indicates whether the cardholder's shipping and billing address are the same. For example, how long they've had an account with you, and the number of purchases they've made in the last six months.
User purchase history	Details of the cardholder's purchase history. For example, the number of purchases in the last six months, and the number of card attempts in the last 24 hours.
Shipping address usage	Information about the use of the shipping address. For example, when the shipping address was first used, and whether the address name matches the cardholder's name.
Suspicious account activity	Indicates whether you've experienced any suspicious activity on the cardholder's account.
Cardholder information	Additional information you want to provide about the cardholder and their account with you.
Cardholder email address	The email address associated with the cardholder's account.
Cardholder shipping address	The cardholder's full shipping address.
Installment payment data	For transactions that are being paid in installments, you can provide information about the maximum number of authorizations permitted within that payment plan.
Prepaid and gift card transactions	Information about prepaid or gift card transactions. For example, the gift card amount, and whether or not the cardholder is pre-ordering a product.
Shipping method	Indicate the shipping method being used for the order, or flag non-shippable items, like digital goods. For example, whether it's being shipped to a verified address on file, or being picked up by the cardholder from a local store.
Delivery information	Information about the delivery, like the delivery email address or delivery timeframe.

Information

Authenticating your requests

Access tokens

Session secret

Information

Exemptions

Recurring and installment payments

Information

Request example

Step 1: Request a session

Endpoints

Information

Information

Request example

Response example

Step 2: Get session details

Information

Endpoints

Response

Step 3: Issuer fingerprint (browser only)

a) Create payload

b) Redirect

c) Notification of completion

d) Fingerprint completed

Information

Step 4: Collect channel data

Note

Endpoints

Body parameters

Response example

Additional response fields

Step 5: Challenge (browser only)

Information

Create challenge request

Information

Render the challenge

Information

Notification of outcome

Challenge completed

Information

Information

Step 6: Complete session (optional)

Information

Endpoints

The response

Information

Example authentication outcome

Session properties

Session statuses

Next actions

Additional authentication data