**Last updated**: 22 April 2025 | [**Change log**](/access/products/3ds/changelog/) # Authentication `POST` your authentication request to the `3ds:authenticate` action link. Your authentication request sends order and risk data used to decide if a [challenge](/access/products/3ds/web/challenge-verification) is required. ## Authentication example request Card Token Network Token Minimum Recommended key:values ## How much data to provide [Device data](/access/products/3ds/web/device-data) and values in the `authentication` request are used by the issuer to decide if the transaction is likely to be fraudulent. How this data is interpreted varies by issuer. Supplying more data increases the chances of the outcome being frictionless (without a [challenge](/access/products/3ds/web/challenge-verification)). Some issuers may fail the authentication entirely without the recommended fields. ### EMVco required values - `instruction.paymentInstrument.cardHolderName` - `riskData.account.email` 1 - `riskData.transaction.phoneNumber` 1 - `transaction.firstName` 2 - `transaction.lastName` 2 1 Either `riskData.account.email` or `riskData.transaction.phoneNumber` are required. 2 Only required if `instruction.paymentInstrument.cardHolderName` is not provided br The following are considered mandatory by EMVco and are already part of Device Data Collection. We recommend providing these in the API request along with other device values to maximize authentication rates if [Device Data Collection fails](#device-data-collection-failure). - `deviceData.browserScreenWidth` 1 - `deviceData.browserScreenHeight` 1 - `deviceData.ipAddress` 1 Provide for web/browser integration only #### EMVco recommended values - `instruction.paymentInstrument.billingAddress.city` - `instruction.paymentInstrument.billingAddress.country` - `instruction.paymentInstrument.billingAddress.address1` - `instruction.paymentInstrument.billingAddress.postalCode` - `instruction.paymentInstrument.billingAddress.state` 1 Provide for web/browser integration only ### Device Data Collection failure In the event the device data collection fails to run (browser/native), additionally provide the following, to maintain healthy authentication rates and reduce issuer challenges: - `deviceData.ipAddress` 1 - `deviceData.browserLanguage` - `deviceData.browserScreenHeight` - `deviceData.browserScreenWidth` - `deviceData.browserJavaEnabled` - `deviceData.browserColorDepth` - `deviceData.timeZone` - `deviceData.browserJavascriptEnabled` 1 Only this value applies to (iOS/Android), the others are not applicable ### Full authentication request schema You can either see the full schema in the [API Reference](/access/products/3ds/openapi) section or expand the sections below. The riskData object in particular contains additional data that, while not mandatory or specifically recommended by EMVco, may be used by some issuers as part of their risk analysis. ## Authentication responses Best practice Access Worldpay returns a `WP-CorrelationId` in the headers of service responses. We **highly recommend** you log this. The `WP-CorrelationId` is used by us to examine individual service requests. The response contains the outcome of your authentication request. To understand more about the `outcomes` and how to reproduce them, see [3DS testing](/access/products/3ds/testing). You can see the full response schema in the [API Reference](/access/products/3ds/openapi/other/authenticate#other/authenticate/response&c=200). Authenticated Successful frictionless authentication authenticated ```json authenticated { "outcome": "authenticated", "transactionReference": "Memory265-13/08/1876", "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581", "status": "Y", "enrolled": "Y", "authentication": { "version": "2.1.0", "authenticationValue": "MAAAAAAAAAAAAAAAAAAAAAAAAAA=", "eci": "05", "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645" } } ``` authenticated - Cartes Bancaires ```json authenticated - Cartes Bancaires { "outcome": "authenticated", "transactionReference": "Memory265-13/08/1876", "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581", "status": "Y", "enrolled": "Y", "authentication": { "version": "2.1.0", "authenticationValue": "AJkBBkhgQQAAAE4gSEJydQAAAAA=", "eci": "05", "transactionId": "be122acf-0ba7-4eff-aa5b-fb53e9ad2f87", "cryptogramAlgorithm": "1", "challengePreference": "challengeMandated", "authenticationFlow": "frictionless", "brand": "cartesBancaires" } } ``` Authentication failed Issuer failed the authentication without providing the option for a challenge authenticationFailed ```json authenticationFailed { "outcome": "authenticationFailed", "transactionReference": "Memory265-13/08/1876", "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581", "status": "N", "enrolled": "Y", "authentication": { "version": "2.1.0", "eci": "07", "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645" }, "_links": { "3ds:authenticate": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication" }, "curies": [ { "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "templated": true, "name": "3ds" } ] } } ``` authenticationFailed - Cartes Bancaires ```json authenticationFailed - Cartes Bancaires "transactionReference": "Memory265-13/08/1876", "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581", "status": "N", "enrolled": "Y", "authentication": { "version": "2.1.0", "eci": "07", "transactionId": "424c464d-3b04-4101-950a-8a71cd1f9dc6", "challengePreference": "challengeMandated", "authenticationFlow": "frictionless", "statusReason": "01", "brand": "cartesBancaires" }, "_links": { "3ds:authenticate": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication" }, "curies": [ { "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "name": "3ds", "templated": true } ] } } ``` Challenged Issuer challenge required based on a risk assessment they have performed. challenged ```json challenged { "outcome": "challenged", "transactionReference": "Memory265-13/08/1876", "authentication": { "version": "2.1.0" }, "challenge": { "reference": "123456789", "url": "https://ChallengePageUrl.example.com", "jwt": "VGhpcyBpcyBhIGJhc2UgNjQgZW5jb2RlZCBleGFtcGxlIG9mIGEgM0RTICJwYXlsb2FkIg==", "payload": "eyJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMS4wIiwidGhyZWVE" }, "_links": { "3ds:verify": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/verification" }, "curies": [ { "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "templated": true, "name": "3ds" } ] } } ``` Unavailable Error/timeout whilst attempting authentication. Not a recognized outage. unavailable ```json unavailable { "outcome": "unavailable", "transactionReference": "Memory265-13/08/1876", "status": "U", "enrolled": "U", "_links": { "3ds:authenticate": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication" }, "curies": [ { "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "templated": true, "name": "3ds" } ] } } ``` Authentication outage Recognized downstream 3DS outage. [See below](#authentication-outage) authenticationOutage ```json authenticationOutage { "outcome": "authenticationOutage", "transactionReference": "Memory265-13/08/1876", "_links": { "3ds:authenticate": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication" }, "curies": [{ "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "templated": true, "name": "3ds" }] } } ``` Bypassed Bypass the authentication flow using Cardinal rules engine configuration. Part of 3DS premium. bypassed ```json bypassed { "outcome": "bypassed", "transactionReference": "Memory265-13/08/1876", "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581", "status": "Y", "enrolled": "B", "authentication": { "version": "2.1.0", "eci": "07", "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645" } } ``` Warning You cannot re-use the `authenticationValue` in multiple authorization requests. Re-using the `authenticationValue` in this way will result in issuer declines and may incur fees. ### Authentication outage If the outcome is `authenticationOutage` due to a recognized downstream issue (e.g. Visa/Mastercard/ACS provider), you can attempt authorization using the authentication outage exemption in the authorization request. This will increase the likelihood of receiving a successful authorization but will not be eligible for liability shift. This is not currently enabled by default, speak to your Implementation Manager to be set up for `authenticationOutage` responses. Apply the details (such as `eci`, `version`, `authenticationValue`, `transactionId`) required by [Card Payments](/access/products/card-payments/) in the [authorization request](/access/products/card-payments/authorize-a-payment#3ds). If the outcome is `challenged`, proceed with [challenge display & verification](/access/products/3ds/web/challenge-verification). See [Testing](/access/products/3ds/testing) for details. **Next steps** [Challenge](/access/products/3ds/web/challenge-verification)[Take a payment](/access/products/card-payments/authorize-a-payment#3ds) [Testing](/access/products/3ds/testing)