Flow

SIX sends an authentication request to the authentication provider using the SIX-to-Provider API. Then, the authentication provider handles the authentication request and uses the Provider-to-SIX API to send its result back to SIX.

Authentication flow

This flow uses the SIX-to-Provider API.

When an authentication request for a known card reaches debiX, it is routed on to the authentication provider using its /authentication endpoint. The request contains four parameters, which are all mandatory:

  • The parameter threeDsTransactionId is used to correlate the three related requests (/authentication, /callback and /authentication/{threeDsTransactionId}/cancel).
  • authId allows the authentication provider to identify the card registered on a specific device (the authId is passed as an argument when registering a card via the debiX API endpoint /cards/3ds).
  • transactionDetail contains information about the transaction, such as the merchant and the transaction amount, and is meant to allow the customer to verify the transaction.
  • threeDSRequestorAppURL provides a backlink to the merchant application, allowing the user to navigate back from an OOB authentication application.

The authentication provider then synchronously confirms receipt of the authentication request to debiX and forwards an authentication request notification to the cardholder's mobile device, prompting them to review the transaction. The access control server that initiates the authentication request defines a validity period within which the cardholder is expected to give feedback. The status of the authentication request is then returned to debiX by invoking the /callback endpoint.

If the authentication request is cancelled via the /authentication/{threeDsTransactionId}/cancel call before the cardholder has accepted or rejected it, the authentication provider initiates a cancellation of the authentication request and informs the cardholder via their mobile device.

Authentication callback flow

This flow uses the Provider-to-SIX API.

After the authentication provider receives an authentication request via the /authentication endpoint, it is expected to forward it to the cardholder's mobile device, prompting them to review the transaction, after which the authentication provider invokes the debiX /callback endpoint.

The /callback request contains three parameters:

  • threeDsTransactionId: Correlates the service call to the authentication provider with the callback from the authentication provider; it is therefore expected to match the threeDsTransactionId of the related prior /authentication request.
  • confirmationStatus: Status of the authentication request. It may be either ACCEPTED or DECLINED by the cardholder. If a technical error prevents the push notification from being displayed on the device, FAILED must be used. If the authentication provider sets a time window for the cardholder to accept or decline the authentication request and the cardholder fails to respond, DECLINED must be used as the confirmationStatus.
  • oobAuthenticationMethod: This indicates the type of second factor used for authentication. This property is mandatory if the confirmationStatus is ACCEPTED, but not required if the confirmationStatus is FAILED, DECLINED or CANCELLED.

Note that there is a validity period defined by the access control server initiating the authentication request, within which the cardholder is expected to give feedback.
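As an added illustration (not SIX's or any provider's code), a hypothetical in-memory model of the authentication provider's side of both flows above: it checks the four mandatory /authentication parameters, rejects a replayed threeDsTransactionId, keeps only the first of cancel, failure or cardholder answer, treats no answer within the validity period as DECLINED, and refuses to build an ACCEPTED callback without oobAuthenticationMethod. The class and method names, the `received` acknowledgement field, the timestamps and the method value used in tests are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Parameters the page lists as mandatory on the /authentication request.
REQUIRED = ("threeDsTransactionId", "authId", "transactionDetail", "threeDSRequestorAppURL")

@dataclass
class PendingAuth:
    auth_id: str
    expires_at: float          # end of the ACS validity period (constructed value)
    status: str | None = None  # ACCEPTED / DECLINED / FAILED / CANCELLED
    method: str | None = None  # oobAuthenticationMethod, only set when ACCEPTED

class AuthProvider:  # hypothetical model; not the real provider implementation
    def __init__(self) -> None:
        self.pending: dict[str, PendingAuth] = {}

    def receive_authentication(self, req: dict, now: float, validity_s: float) -> dict:
        missing = [p for p in REQUIRED if not req.get(p)]
        if missing:
            raise ValueError(f"missing mandatory parameters: {missing}")
        tx = req["threeDsTransactionId"]
        if tx in self.pending:
            raise ValueError("duplicate threeDsTransactionId")  # replay of a known id
        self.pending[tx] = PendingAuth(req["authId"], now + validity_s)
        return {"threeDsTransactionId": tx, "received": True}  # synchronous acknowledgement

    def finalize(self, tx: str, status: str, method: str | None = None) -> None:
        # Also used for CANCELLED (/authentication/{id}/cancel came first) and FAILED (push not shown).
        p = self.pending[tx]
        if p.status is None:  # first outcome wins; anything later is ignored
            p.status, p.method = status, method

    def cardholder_response(self, tx: str, accepted: bool, method: str | None, now: float) -> None:
        if now > self.pending[tx].expires_at:
            return  # an answer after the validity period is ignored
        self.finalize(tx, "ACCEPTED" if accepted else "DECLINED", method if accepted else None)

    def build_callback(self, tx: str, now: float) -> dict:
        p = self.pending[tx]  # unknown id -> KeyError: no matching /authentication
        status = p.status
        if status is None:
            if now <= p.expires_at:
                raise RuntimeError("still inside the validity period; nothing to report")
            status = "DECLINED"  # no feedback within the validity period counts as DECLINED
        cb = {"threeDsTransactionId": tx, "confirmationStatus": status}
        if status == "ACCEPTED":
            if not p.method:
                raise ValueError("oobAuthenticationMethod is mandatory when ACCEPTED")
            cb["oobAuthenticationMethod"] = p.method
        return cb
```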