Skip to content
3DS authentication
/
/
Get 3DS authentication de...

3D Secure authentication service API (1.0.0)

This is an API reference for the 3D Secure authentication service.

Download OpenAPI description
three-d-secure-authentication.json
three-d-secure-authentication.yaml
Languages
Servers
Production environment
https://api-services.pxp.io/api/v1/
Sandbox environment
https://api-services.test.pxp.io/api/v1/

Standalone authentication

Operations

Integrated authentication

Operations

Pre-initiate an integrated authentication request

Request

Pre-initiates an integrated 3D Secure authentication request for a transaction. In integrated mode, PXP processes the transaction in a separate initiate transaction request using the 3D Secure supplied data. This step ensures that all required data is gathered and validated before the full authentication process, facilitating a smoother and more secure transaction flow.

Bodyapplication/json
amountobject(authenticationAmounts)

Details about the authenticated transaction's amount.

fingerprintCallbackUrlstringnon-emptyrequired

The fingerprint callback URL.

providerIdstring or null[ 0 .. 36 ] characters

The unique identifier for the provider.

Example: "provider_123456"
intentstring or null

The intent of the authentication request. This field is conditionally required: it's required if providerId isn't sent, otherwise it's optional. It makes sense to authenticate transactions with the following intents:

  • Purchase
  • Authorisation
  • EstimatedAuthorisation
  • Verification
Enum"Authorisation""Purchase""Payout""EstimatedAuthorisation""Verification""Refund""Void""Capture""Incremental""StandaloneRefund"
requestorAuthenticationIndicatorstring or null[ 0 .. 2 ] characters

Indicator used to specify the type of authentication request, such as payment authentication or account verification.

Possible values:

  • 01: Payment transaction
  • 02: Initial recurring transaction
  • 03: Initial card-on-file transaction for subsequent MITs
  • 04: Initial card-on-file transaction for subsequent CITs
  • 05: Store card details without purchase (card verification)
  • 06: Instalment transaction
  • 07: Billing agreement
  • 08: Split shipment
  • 09: Delayed shipment
  • 10: Split payment
Example: {"PaymentTransaction":{"value":1}}
sitestring[ 0 .. 10 ] charactersrequired

The site identifier for the merchant.

cardCard (object) or Gateway token (object) or Scheme token (object) or Scheme token (external) (object)(preinitiationCardData)required
One of:

Use full card details for authentication. This option requires the primary account number, expiry date, cardholder name, and optionally, the card verification code (CVC).

card.​primaryAccountNumberstring[ 13 .. 19 ] charactersrequired

The unique number assigned to a payment card, such as a credit or debit card.

Example: "4111111111111111"
card.​cardHolderNamestring[ 2 .. 45 ] characters

The full name of the individual who owns the payment card, printed on the physical card.

card.​expiryMonthinteger(int32)[ 1 .. 12 ]required

The expiry month [MM] of the card.

Example: 3
card.​expiryYearinteger(int32)[ 2000 .. 9999 ]required

The expiry year [YYYY] of the card.

Example: 2025
card.​cardVerificationCodestring[ 3 .. 4 ] characters

A 3 or 4 digit security code found on the card, used for verification in non-face-to-face transactions.

Example: "123"
curl -i -X POST \
  https://api-services.pxp.io/api/v1/threedsecure/integrated/authentications \
  -H 'Content-Type: application/json' \
  -d '{
    "amount": {
      "transactionValue": 0.1,
      "currencyCode": "EUR"
    },
    "fingerprintCallbackUrl": "string",
    "providerId": "provider_123456",
    "intent": "Authorisation",
    "requestorAuthenticationIndicator": {
      "PaymentTransaction": {
        "value": 1
      }
    },
    "site": "string",
    "card": {
      "primaryAccountNumber": "4111111111111111",
      "cardHolderName": "string",
      "expiryMonth": 3,
      "expiryYear": 2025,
      "cardVerificationCode": "123"
    }
  }'

Responses

OK

Bodyapplication/json
authenticationIdstring or null

A unique reference provided by PXP for the authentication request, represented as a GUID.

Example: "550e8400-e29b-41d4-a716-446655440000"
statestring or null(authenticationStateEnum)

The current state of the authentication request.

Enum"PendingClientData""AuthenticationSuccessful""AuthenticationFailed""AuthenticationRejected""AuthenticationError""PendingCustomerChallenge"
scaMandatedboolean

Whether Strong Customer Authentication (SCA) is mandated for this transaction.

Example: true
applicableExemptionsstring or null

Specifies any exemptions that apply to the transaction from SCA requirements.

Enum"LVP""TRA"
threeDSecureVersionstring or null

The version of the 3D Secure protocol being used for the authentication.

Example: "2.1.0"
threeDSecureFingerprintUrlstring or null

The URL to which the 3D Secure method data should be sent.

Example: "https://example.com/3ds-method"
threeDSecureFingerprintDatastring or null

Data required for the 3D Secure method, typically a base64 encoded string.

Example: "eyJ0aHJlZURTU2VjdXJlTWV0aG9kRGF0YSI6IlhYWiJ9"
threeDSecureSupportedboolean

Whether 3D Secure authentication is supported for this transaction.

Example: true
recommendedChallengeIndicatorstring or null

The recommended challenge indicator.

Response
application/json
{
  "authenticationId": "550e8400-e29b-41d4-a716-446655440000",
  "state": "PendingClientData",
  "scaMandated": true,
  "applicableExemptions": "LVP",
  "threeDSecureVersion": "2.1.0",
  "threeDSecureFingerprintUrl": "https://example.com/3ds-method",
  "threeDSecureFingerprintData": "eyJ0aHJlZURTU2VjdXJlTWV0aG9kRGF0YSI6IlhYWiJ9",
  "threeDSecureSupported": true,
  "recommendedChallengeIndicator": "string"
}

Initiate an integrated authentication request

Request

Authenticates an integrated 3D Secure transaction request. In integrated mode, PXP processes the transaction in conjunction with the 3D Secure authentication data. This ensures that the transaction is authenticated securely, leveraging the full authentication data collected during the pre-initiation phase. The request payload must include comprehensive details about the transaction, card information, merchant information, and additional contextual data necessary for the 3D Secure authentication flow.

Path
authenticationIdstringrequired

The authentication ID.

Bodyapplication/json
fingerprintNotificationstring or null

The URL for notifying the fingerprinting result. Base64 of {"threeDSMethodNotificationURL":"method url value","threeDSServerTransID":"transaction id value"}.

merchantCountryNumericCodestring= 3 charactersrequired

The three-digit country code of the merchant, following ISO 3166-1 numeric standard.

Example: "840"
merchantLegalNamestring[ 0 .. 40 ] charactersrequired

The legal name of the merchant.

Example: "ACME Ltd"
challengeWindowSizeinteger(int32)(challengeWindowSizeProperty)[ 1 .. 5 ]required

The desired size of the challenge window displayed to the cardholder during authentication.

Possible values:

  • 1: 250x400
  • 2: 390x400
  • 3: 500x600
  • 4: 600x400
  • 5: FullScreen
requestorChallengeIndicatorstring or null(integratedRequestorChallengeIndicatorProperty)[ 0 .. 2 ] charactersrequired

Indicator of whether a challenge is requested for this transaction (Integrated authentication).

Possible values:

  • 01: NoPreference
  • 02: NoChallengeRequested
  • 03: ChallengeRequested3dsRequestorPreference
  • 04: ChallengeRequestedMandate
  • 05: NoChallengeRequestedTRAPerformed
  • 10: NoChallengeRequestedLowValueExemption
Enum"01""02""03""04""05""10"
challengeCallbackUrlstring(uri)[ 1 .. 256 ] charactersrequired

The fully qualified URL of the system that receives the CRes message or error message. The CRes message is posted by the ACS through the cardholder's browser at the end of the challenge and receipt of the RRes message.

recurringobject(recurringData)

Details related to recurring transactions for 3D Secure authentication.

billingAddressobject(browserAuthenticationAddressRequest)

Details of the address used in browser-based authentication.

shippingAddressobject(browserAuthenticationAddressRequest)

Details of the address used in browser-based authentication.

browserDataobject(browserAuthenticationBrowserInformationRequest)required

Information about the browser used in the authentication process.

browserData.​acceptHeaderstring[ 0 .. 2048 ] charactersrequired

The Accept HTTP header field from the browser.

Example: "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
browserData.​colorDepthinteger(int32)required

The colour depth of the browser's screen, measured in bits per pixel.

Example: 24
browserData.​ipAddressstring or null[ 0 .. 45 ] characters

The IP address of the device running the browser, if available.

Example: "192.168.1.1"
browserData.​javaEnabledbooleanrequired

Whether the browser has Java enabled.

Example: true
browserData.​javaScriptEnabledbooleanrequired

Whether the browser has JavaScript enabled.

Example: true
browserData.​languagestring[ 0 .. 8 ] charactersrequired

The IETF BCP 47 language tag.

Example: "en-US"
browserData.​screenHeightinteger(int32)required

The height of the browser's screen in pixels.

Example: 1080
browserData.​screenWidthinteger(int32)required

The width of the browser's screen in pixels.

Example: 1920
browserData.​timeZoneOffsetInMinutesinteger(int32)required

The difference, in minutes, between UTC and the local time of the browser.

Example: -420
browserData.​userAgentstring[ 0 .. 2048 ] charactersrequired

The User-Agent string of the browser.

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
shopperobject(browserAuthenticationCardholderInformationRequest)required

Details about the shopper involved in the authentication.

shopper.​emailstring or null[ 0 .. 254 ] characters

The email address of the shopper.

Example: "johndoe@example.com"
shopper.​homePhoneNumberstring or null^\d{1,3}-\d{1,15}$

The home phone number of the shopper.

Example: "+1234567890"
shopper.​mobilePhoneNumberstring or null^\d{1,3}-\d{1,15}$

The mobile phone number of the shopper.

Example: "+0987654321"
shopper.​workPhoneNumberstring or null^\d{1,3}-\d{1,15}$

The work phone number of the shopper.

Example: "+1123456789"
curl -i -X PUT \
  'https://api-services.pxp.io/api/v1/threedsecure/integrated/authentications/{authenticationId}/browser-authentication' \
  -H 'Content-Type: application/json' \
  -d '{
    "fingerprintNotification": "string",
    "merchantCountryNumericCode": "840",
    "merchantLegalName": "ACME Ltd",
    "challengeWindowSize": 1,
    "requestorChallengeIndicator": "01",
    "challengeCallbackUrl": "http://example.com",
    "recurring": {
      "expirationDate": "2024-12-31T23:59:59Z",
      "frequencyInDays": 30
    },
    "billingAddress": {
      "city": "San Francisco",
      "countryNumericCode": "840",
      "line1": "123 Market St",
      "line2": "Apt 456",
      "line3": "Building B",
      "postalCode": "94105",
      "stateCode": "CA"
    },
    "shippingAddress": {
      "city": "San Francisco",
      "countryNumericCode": "840",
      "line1": "123 Market St",
      "line2": "Apt 456",
      "line3": "Building B",
      "postalCode": "94105",
      "stateCode": "CA"
    },
    "browserData": {
      "acceptHeader": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
      "colorDepth": 24,
      "ipAddress": "192.168.1.1",
      "javaEnabled": true,
      "javaScriptEnabled": true,
      "language": "en-US",
      "screenHeight": 1080,
      "screenWidth": 1920,
      "timeZoneOffsetInMinutes": -420,
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    },
    "shopper": {
      "email": "johndoe@example.com",
      "homePhoneNumber": "+1234567890",
      "mobilePhoneNumber": "+0987654321",
      "workPhoneNumber": "+1123456789"
    }
  }'

Responses

OK

Bodyapplication/json
uniqueIdstring or null
statestring or null(authenticationStateEnum)

The current state of the authentication request.

Enum"PendingClientData""AuthenticationSuccessful""AuthenticationFailed""AuthenticationRejected""AuthenticationError""PendingCustomerChallenge"
transactionStatusstring or null(transactionStatusEnum)

The status of the transaction.

Possible values include:

  • Y: AuthenticationVerificationSuccessful
  • N: NotAuthenticated_NotVerified
  • U: AuthenticationCouldNotBePerformed
  • A: AttemptsProcessingPerformed
  • C: ChallengeRequired
  • R: AuthenticationRejected
  • I: InformationalOnly
Enum"Y""N""U""A""C""R""I"
electronicCommerceIndicatorstring or null(electronicCommerceIndicatorProperty)

The indicator used to signify the level of security used in the authentication, often used in electronic commerce transactions.

Example: "05"
exemptionGrantedboolean

Whether an exemption from Strong Customer Authentication (SCA) was granted.

exemptionGrantedByIssuerstring or null(exemptionGrantedByIssuerProperty)

Specifies if the exemption was granted by the issuer.

Possible values:

  • 05: TransactionRiskAnalysisExemption
  • 08: TrustListExemption
  • 10: LowValueExemption
  • 11: SecureCorporatePaymentsExemption
  • 79: NoExemptionApplied
acsUrlstring or null

The URL of the Access Control Server (ACS) where the cardholder is redirected for challenge authentication.

Example: "https://acs.example.com/challenge"
challengeDatastring or null

Data required for the challenge authentication process, typically a base64 encoded string.

Example: "eyJjaGFsbGVuZ2VEYXRhIjoiQUJDIn0="
stateDataobject(stateDataResponse)

Details about the state. This is returned only when the transactionStatus is different from Y or A.

cardholderInfostring or null

The text provided by the ACS/issuer to the cardholder during a transaction.

Response
application/json
{
  "uniqueId": "string",
  "state": "PendingClientData",
  "transactionStatus": "Y",
  "electronicCommerceIndicator": "05",
  "exemptionGranted": true,
  "exemptionGrantedByIssuer": "string",
  "acsUrl": "https://acs.example.com/challenge",
  "challengeData": "eyJjaGFsbGVuZ2VEYXRhIjoiQUJDIn0=",
  "stateData": {
    "code": "01",
    "reason": "Card authentication failure"
  },
  "cardholderInfo": "string"
}

Get 3DS pre-initiate authentication details

Request

Retrieves the details of a specific 3DS pre-initiate authentication using the authenticationId provided in the path. Note: This endpoint is intended for use with the Components SDKs.

Path
authenticationIdstringrequired

The authentication ID.

curl -i -X GET \
  'https://api-services.pxp.io/api/v1/threedsecure/integrated/authentications/{authenticationId}/assessment'

Responses

OK

Bodyapplication/json
authenticationIdstring or null

A unique reference provided by PXP for the authentication request, represented as a GUID.

Example: "550e8400-e29b-41d4-a716-446655440000"
statestring or null(authenticationStateEnum)

The current state of the authentication request.

Enum"PendingClientData""AuthenticationSuccessful""AuthenticationFailed""AuthenticationRejected""AuthenticationError""PendingCustomerChallenge"
scaMandatedboolean

Whether Strong Customer Authentication (SCA) is mandated for this transaction.

Example: true
applicableExemptionsstring or null

Specifies any exemptions that apply to the transaction from SCA requirements.

Enum"LVP""TRA"
threeDSecureVersionstring or null

The version of the 3D Secure protocol being used for the authentication.

Example: "2.1.0"
threeDSecureFingerprintUrlstring or null

The URL to which the 3D Secure method data should be sent.

Example: "https://example.com/3ds-method"
threeDSecureFingerprintDatastring or null

Data required for the 3D Secure method, typically a base64 encoded string.

Example: "eyJ0aHJlZURTU2VjdXJlTWV0aG9kRGF0YSI6IlhYWiJ9"
threeDSecureSupportedboolean

Whether 3D Secure authentication is supported for this transaction.

Example: true
recommendedChallengeIndicatorstring or null

The recommended challenge indicator.

Response
application/json
{
  "authenticationId": "550e8400-e29b-41d4-a716-446655440000",
  "state": "PendingClientData",
  "scaMandated": true,
  "applicableExemptions": "LVP",
  "threeDSecureVersion": "2.1.0",
  "threeDSecureFingerprintUrl": "https://example.com/3ds-method",
  "threeDSecureFingerprintData": "eyJ0aHJlZURTU2VjdXJlTWV0aG9kRGF0YSI6IlhYWiJ9",
  "threeDSecureSupported": true,
  "recommendedChallengeIndicator": "string"
}

Get 3DS authentication details

Request

Retrieves the complete details of a specific 3DS authentication using the authenticationId provided in the path. Note: This endpoint is intended for use with the Components SDKs.

Path
authenticationIdstringrequired

The authentication ID.

curl -i -X GET \
  'https://api-services.pxp.io/api/v1/threedsecure/integrated/authentications/{authenticationId}/outcome'

Responses

OK

Bodyapplication/json
uniqueIdstring or null

The unique identifier for the authentication response.

statestring or null(authenticationStateEnum)

The current state of the authentication request.

Enum"PendingClientData""AuthenticationSuccessful""AuthenticationFailed""AuthenticationRejected""AuthenticationError""PendingCustomerChallenge"
transactionStatusstring or null(transactionStatusEnum)

The status of the transaction.

Possible values include:

  • Y: AuthenticationVerificationSuccessful
  • N: NotAuthenticated_NotVerified
  • U: AuthenticationCouldNotBePerformed
  • A: AttemptsProcessingPerformed
  • C: ChallengeRequired
  • R: AuthenticationRejected
  • I: InformationalOnly
Enum"Y""N""U""A""C""R""I"
electronicCommerceIndicatorstring or null(electronicCommerceIndicatorProperty)

The indicator used to signify the level of security used in the authentication, often used in electronic commerce transactions.

Example: "05"
exemptionGrantedboolean

Whether an exemption from Strong Customer Authentication (SCA) was granted.

exemptionGrantedByIssuerstring or null(exemptionGrantedByIssuerProperty)

Specifies if the exemption was granted by the issuer.

Possible values:

  • 05: TransactionRiskAnalysisExemption
  • 08: TrustListExemption
  • 10: LowValueExemption
  • 11: SecureCorporatePaymentsExemption
  • 79: NoExemptionApplied
Response
application/json
{
  "uniqueId": "string",
  "state": "PendingClientData",
  "transactionStatus": "Y",
  "electronicCommerceIndicator": "05",
  "exemptionGranted": true,
  "exemptionGrantedByIssuer": "string"
}
©2025 PXP Financial. PXP Financial Registered Office: The Corn Mill - 1 Roydon Road - Stanstead Abbotts - Hertfordshire - SG12 8XL - United Kingdom Phone +44 2038850598. PXP Financial is Authorised By The Financial Conduct Authority And Our Financial Services Register Number is 504318.