
Introduction

The debiX Auth Provider API enables an integrated solution for 3DS Out-of-Band (OOB) authentication, allowing the cardholder to validate the 3DS transaction in the bank's own application. The API transmits 3DS authentication requests for enrolled debit cards between a merchant website or application and an authentication provider via the debiX backend. The authentication request and response are exchanged asynchronously: debiX first sends a request to the authentication provider, and the provider then invokes a callback endpoint implemented by debiX. For this reason, two separate specifications are provided ("SIX-to-Provider" and "Provider-to-SIX", respectively).

Overview

A 3DS authentication may be required when a user initiates an e-commerce transaction with their debit card. However, only debit cards previously registered via the debiX API endpoint /cards/3ds are eligible to be authenticated using the flow described below. The exchange between debiX and the authentication provider occurs asynchronously, which is why two separate specifications exist.

Authentication flow

The cardholder proceeds to payment at checkout in an online-shopping web or mobile application (merchant). The merchant initiates the 3DS authentication using the 3DS requester, and the authentication request is forwarded to debiX.

If the card is known to debiX, the authentication flow is forwarded to the authentication provider by means of a request to /authentication. The request contains information identifying the debit card concerned, as well as information allowing the customer to verify the legitimacy of the transaction. This endpoint is part of the SIX-to-Provider specification.

The response to this request is delivered asynchronously via the /callback endpoint provided by debiX. This endpoint is described in the documentation of the Provider-to-SIX specification.

If the authentication request is cancelled by the initiating system, debiX will forward the cancellation of the authentication request via the /authentication/{threeDsTransactionId}/cancel call.

A more detailed look at the flow is provided in the section API Flow.
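
The sketch below is an added illustration, not code from debiX or SIX: it models the provider-side bookkeeping the asynchronous flow implies, so that a cardholder answer arriving after a cancellation, or a second answer for the same transaction, never produces a callback. Only the endpoint paths and `threeDsTransactionId` come from this page; the state names, method names, result values and transaction ids are assumptions.

```python
# Added illustration: provider-side bookkeeping for the asynchronous flow.
# Only the endpoint paths and threeDsTransactionId come from the page; state
# names, method names and result values are assumptions.
from enum import Enum


class State(Enum):
    PENDING = "pending"      # /authentication received, cardholder has not answered
    CANCELLED = "cancelled"  # /authentication/{threeDsTransactionId}/cancel received
    COMPLETED = "completed"  # a callback to debiX has already been produced


class AuthTracker:
    def __init__(self):
        self._tx = {}  # threeDsTransactionId -> State

    def on_authentication(self, tx_id):
        """debiX -> provider /authentication. True if newly accepted."""
        if tx_id in self._tx:
            return False  # duplicate or replayed request: keep the existing state
        self._tx[tx_id] = State.PENDING
        return True

    def on_cancel(self, tx_id):
        """debiX -> provider cancel call. True if a pending request was cancelled."""
        if self._tx.get(tx_id) is State.PENDING:
            self._tx[tx_id] = State.CANCELLED
            return True
        return False

    def on_cardholder_decision(self, tx_id, approved):
        """Cardholder answered in the bank app. Returns the callback to send, or None."""
        if self._tx.get(tx_id) is not State.PENDING:
            return None  # unknown, cancelled or already answered: send nothing
        self._tx[tx_id] = State.COMPLETED
        return {"path": "/callback", "threeDsTransactionId": tx_id,
                "result": "APPROVED" if approved else "DECLINED"}  # hypothetical body

    def state(self, tx_id):
        return self._tx.get(tx_id)


if __name__ == "__main__":
    tracker = AuthTracker()
    tracker.on_authentication("tx-0001")   # constructed transaction id
    tracker.on_cancel("tx-0001")           # initiating system gave up
    print(tracker.on_cardholder_decision("tx-0001", True))  # late approval is dropped
```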