Send an Embedded or Hybrid SCA Challenge

POST /auth/sca/events/:eventId/challenges

Sends a challenge via a secure communication mechanism as part of the ongoing Embedded or Hybrid SCA process.

Once an SCA process is initiated, a challenge must be sent through one of the available verification mechanisms (e.g., send an OTP code via SMS). Each challenge has its own expiration (e.g., the OTP sent via SMS is valid for only a short time). If a challenge expires, a new one must be sent. Each challenge sent for the same process increments the currentChallenges field. Challenges can only be sent a limited number of times, as defined by allowableChallenges (its value is determined by security best practices). If this limit is exceeded, an error is returned, and no additional challenges can be sent for the same process until a cooldown period has elapsed. After this period, currentChallenges is reset, and new challenges can be sent for the same process as previously described.

More details can be found in Strong Customer Authentication.

Request

Path Parameters

    eventId string required

    Unique identifier for the SCA event, associated with the current event challenge.

Body

    walletOperationId string required

    A distinct identifier for the wallet operation. This identifier is used to associate the wallet operation with the SCA authentication event.

    verification object required

    Verification details associated with the SCA authentication event attempt.

    method SCA Authentication Event Attempt Verification Method (string) required

    Possible values: [PASSWORD, PIN, PASSKEYS, OTP, PUSH_NOTIFICATION, BIOMETRIC]

    Method used for verifying the SCA authentication event attempt.

    • PASSWORD - A secret combination of characters, typically chosen by the user, used to authenticate their identity.
    • PIN - A numeric code, typically six digits, used to authenticate the user's identity.
    • PASSKEYS - A set of predefined keys or a pattern chosen by the user to authenticate their identity.
    • OTP - One-Time Password sent via SMS, email, or authenticator application to the user's registered device.
    • PUSH_NOTIFICATION - A notification sent to the user's mobile device prompting them to approve or deny the authentication request.
    • BIOMETRIC - Authentication based on unique physical characteristics of the user, such as fingerprint, facial recognition, or iris scan.

    channel SCA Authentication Event Attempt Verification Channel (string)

    Possible values: [SMS, EMAIL, AUTHENTICATOR]

    Channel used to send the verification method to the user.

    • SMS - Verification method sent via SMS to the user's registered device.
    • EMAIL - Verification method sent via email to the user's registered address.
    • AUTHENTICATOR - Verification method generated by an authenticator application installed on the user's device.

    deviceInfo object required

    Provides information about the device that the end-customer uses to access the service.

    appType string required

    Possible values: [WEB_APP, MOBILE_APP, API]

    threatMetrixSessionId string required

    Possible values: <= 100 characters

    ThreatMetrix session ID.

Responses

Created

Schema

    eventId string required

    A distinct identifier for the SCA authentication event.

    walletOperationId string required

    A distinct identifier for the wallet operation. This identifier is used to associate the wallet operation with the SCA authentication event.

    authenticationMode SCA Authentication Mode (string) required

    Possible values: [OUTSOURCED, EMBEDDED, HYBRID]

    Mode of the Strong Customer Authentication (SCA) authentication process.

    • OUTSOURCED - The partner is responsible for handling the entire SCA process.
    • EMBEDDED - Paysafe is responsible for handling the entire SCA process, including user authentication and compliance with regulations like PSD2.
    • HYBRID - Paysafe manages the entire SCA process, excluding the communication with the end-user.

    verification object required

    Verification details associated with the SCA authentication event attempt.

    method SCA Authentication Event Attempt Verification Method (string) required

    Possible values: [PASSWORD, PIN, PASSKEYS, OTP, PUSH_NOTIFICATION, BIOMETRIC]

    Method used for verifying the SCA authentication event attempt.

    • PASSWORD - A secret combination of characters, typically chosen by the user, used to authenticate their identity.
    • PIN - A numeric code, typically six digits, used to authenticate the user's identity.
    • PASSKEYS - A set of predefined keys or a pattern chosen by the user to authenticate their identity.
    • OTP - One-Time Password sent via SMS, email, or authenticator application to the user's registered device.
    • PUSH_NOTIFICATION - A notification sent to the user's mobile device prompting them to approve or deny the authentication request.
    • BIOMETRIC - Authentication based on unique physical characteristics of the user, such as fingerprint, facial recognition, or iris scan.

    channel SCA Authentication Event Attempt Verification Channel (string)

    Possible values: [SMS, EMAIL, AUTHENTICATOR]

    Channel used to send the verification method to the user.

    • SMS - Verification method sent via SMS to the user's registered device.
    • EMAIL - Verification method sent via email to the user's registered address.
    • AUTHENTICATOR - Verification method generated by an authenticator application installed on the user's device.

    currentChallenges integer

    The number of challenges currently sent as part of the authentication process for the same wallet operation.

    allowableChallenges integer

    The maximum number of allowed challenges that can be sent as part of the authentication process for the same wallet operation.

    creationTime date-time required

    Represents RFC 3339, section 5.6 date-time.

    expirationTime date-time

    Represents RFC 3339, section 5.6 date-time.
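
The following is an added example, not Paysafe code: a client-side pre-flight check of the request body against the schema above, plus a decision helper that reads expirationTime, currentChallenges and allowableChallenges from the Created response so the client does not resend challenges blindly. The function names and returned action labels are hypothetical, and treating currentChallenges >= allowableChallenges as "limit reached" is an assumption about how the counter is compared.

```python
from datetime import datetime

# Enumerations copied from the request schema on this page.
METHODS = {"PASSWORD", "PIN", "PASSKEYS", "OTP", "PUSH_NOTIFICATION", "BIOMETRIC"}
CHANNELS = {"SMS", "EMAIL", "AUTHENTICATOR"}
APP_TYPES = {"WEB_APP", "MOBILE_APP", "API"}

def validate_challenge_request(body):
    """Return a list of schema problems; an empty list means the body is well-formed."""
    errors = []
    op_id = body.get("walletOperationId")
    if not isinstance(op_id, str) or not op_id:
        errors.append("walletOperationId: required string")
    ver = body.get("verification")
    if not isinstance(ver, dict):
        errors.append("verification: required object")
    else:
        if ver.get("method") not in METHODS:
            errors.append("verification.method: required, must be a listed method")
        # channel is optional, but if present it must be a listed value
        if "channel" in ver and ver["channel"] not in CHANNELS:
            errors.append("verification.channel: must be a listed channel")
    dev = body.get("deviceInfo")
    if not isinstance(dev, dict):
        errors.append("deviceInfo: required object")
    else:
        if dev.get("appType") not in APP_TYPES:
            errors.append("deviceInfo.appType: required, must be a listed app type")
        sid = dev.get("threatMetrixSessionId")
        if not isinstance(sid, str) or len(sid) > 100:
            errors.append("deviceInfo.threatMetrixSessionId: required string, <= 100 chars")
    return errors

def parse_rfc3339(ts):
    """Parse an RFC 3339 date-time; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def next_action(resp, now):
    """Decide the client's next step; `now` must be a timezone-aware datetime."""
    exp = resp.get("expirationTime")
    if exp is None or now < parse_rfc3339(exp):
        return "AWAIT_VERIFICATION"      # challenge is still usable
    cur, cap = resp.get("currentChallenges"), resp.get("allowableChallenges")
    # Assumption: once cur reaches cap, the next send would exceed the limit.
    if cur is not None and cap is not None and cur >= cap:
        return "WAIT_FOR_COOLDOWN"       # stop sending until the cooldown has elapsed
    return "SEND_NEW_CHALLENGE"
```
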
