3.2. /auth endpoint

The /auth endpoint is used to provide the issuer with data for performing an authentication. The resulting Authentication Response (ARes) can either be the final message due to a frictionless flow or lead to a challenge flow.

Please note that only ASCII characters are allowed, as described in Making requests to the 3-D Secure Server.

Request flow

This near-pseudocode describes the flow your code should perform.

  1. Generate the input as described in the reference (2.1.0, 2.2.0).

  2. Send the request to the 3-D Secure Server. Consult the requests guide for information about how to make requests. A simple request performed using cURL:

    /auth request example using cURL
    # First, add request json to file 'input.json'
    curl -H "APIKey: $APIKEY" \
         -H 'Content-Type: application/json; charset=utf-8' \
         -d @input.json \
  3. If the returned JSON has "messageType": "Erro" or the HTTP response code is not 200, then the request failed.

    Note that JSON is returned even if the HTTP status code is not 200, in all but the rarest cases.

  4. If transStatus is C, perform a challenge on the cardholder device.

    Otherwise, the authentication has been completed.

Response Data


A successful authentication request contains data as described in the reference (2.1.0, 2.2.0). The transaction status is contained in the transStatus and transStatusReason values.

This is an example of a successful (frictionless) authentication:

Example of an Authentication frictionless response (ARes)
 2  "acsOperatorID": "3dsecure.io-standin-acs",
 3  "acsReferenceNumber": "3dsecure.io-standin-acs",
 4  "acsTransID": "43163cd0-c849-4924-82c1-7bec32b94881",
 5  "authenticationValue": "mK225wGt2bLnnLB0UlRky0oHLnU=",
 6  "dsReferenceNumber": "3dsecure.io-standin-ds",
 7  "dsTransID": "1cf815e5-cc85-436f-8e13-9f5e5aea731f",
 8  "eci": "05",
 9  "messageType": "ARes",
10  "messageVersion": "2.1.0",
11  "threeDSServerTransID": "3f1ed47a-2edc-4b0e-a4cf-bdb0f65d48c6",
12  "transStatus": "Y"
Example of an Authentication challenge response (ARes)
 2  "acsChallengeMandated": "N",
 3  "acsOperatorID": "3dsecureio-standin-acs",
 4  "acsReferenceNumber": "3dsecureio-standin-acs",
 5  "acsTransID": "b85d3eb5-d2d2-45af-bc1b-6188021ae602",
 6  "acsURL": "https://acs.sandbox.3dsecure.io/browser/challenge/manual",
 7  "authenticationType": "01",
 8  "dsReferenceNumber": "3dsecureio-standin-ds",
 9  "dsTransID": "496af67a-56ed-4fd3-bbcf-690b0df93c3d",
10  "messageType": "ARes",
11  "messageVersion": "2.1.0",
12  "threeDSServerTransID": "218565e2-0cae-4236-868e-09168275c8c6",
13  "transStatus": "C"

To check if a transaction was successful:

  1. Parse as JSON

  2. Check that messageType is ARes

Note that a 3-D Secure Server transaction is considered successful even if transStatus is N. There is a difference between an authentication failure and a transaction failure. A failed authentication transStatus: N is a successful 3-D Secure transaction.

If messageType is ARes and transStatus is C, perform a challenge flow.


In all but the rarest cases an Erro message is returned on an error.

General endpoint information

  1. We expect an average upstream request time of about 2 seconds, so should you.

  2. The request will time out after 10 seconds, after which integrators will receive an error. The error returned will be

    Directory Server timeout response
     2  "errorCode": "405",
     3  "errorComponent": "S",
     4  "errorDescription": "Unable to contact Directory Server",
     5  "errorDetail": "Connection timeout",
     6  "errorMessageType": "AReq",
     7  "messageType": "Erro",
     8  "messageVersion": "2.1.0",
     9  "threeDSServerTransID": "2401433d-68be-4820-b1e7-5aa3b44dfa5a"