Skip to main content

3D Secure
Enterprise

3D Secure is an Enterprise feature. Contact support@basistheory.com to request access.

Create a 3DS Session

POST
https://api.basistheory.com/3ds/sessions
Copy

Permissions

3ds:session:create

Request

curl "https://api.basistheory.com/3ds/sessions/" \
  -H "BT-API-KEY: <API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "token_id": "af9f65fd-932f-4b3d-960a-1bd7a1d14d18",
    "type": "merchant"
  }'

Request Parameters

AttributeRequiredTypeDescription
token_idconditionalstringA card type token id. Required if token_intent_id not present.
token_intent_idconditionalstringA card type token intent id. Required if token_id not present.
panfalsestring
DEPRECATED
A card type token id.
typefalsestringThe 3DS session type between customer (CIT) and merchant (MIT). Defaults to customer.
deviceconditionalstringThe device type for the 3DS session between browser (web) or app (mobile). Required if type is customer.
device_infoconditionalobjectInformation about the device. See Device Info for details. Required if type is customer.

3DS sessions of type customer (CIT) are only officially supported through our frontend web, react-native and mobile SDKs. Using the API directly is not recommended and may lead to lower success rates. Basis Theory only supports creation of type merchant (MIT) through the API or backend SDKs.

Device Info Object
AttributeRequiredTypeDescription
browser_javascript_enabledconditionalboolIndicates if JavaScript is enabled in the browser. Required if session device is browser and type is customer.
browser_java_enabledconditionalboolIndicates if Java is enabled in the browser. Required if session device is browser and type is customer.
browser_languageconditionalstringThe language set in the browser. Required if session device is browser and type is customer.
browser_color_depthconditionalstringThe color depth of the browser. Required if session device is browser and type is customer.
browser_screen_heightconditionalstringThe screen height of the browser. Required if session device is browser and type is customer.
browser_screen_widthconditionalstringThe screen width of the browser.Required if session device is browser and type is customer.
browser_tzconditionalstringThe timezone of the browser. Required if session device is browser and type is customer.
browser_user_agentconditionalstringThe user agent string of the browser. Required if session device is browser and type is customer.
browser_accept_headerfalsestringThe HTTP Accept header value from the browser.
browser_ipfalsestringThe IP address of the browser.
sdk_transaction_idconditionalstringThe ID of the SDK transaction. Required if session device is app and type is customer.
sdk_application_idconditionalstringThe ID for the application using the SDK. Required if session device is app and type is customer.
sdk_encryption_dataconditionalstringThe encryption data used by the SDK. Required if session device is app and type is customer.
sdk_ephemeral_public_keyconditionalstringThe ephemeral public key used by the SDK. Required if session device is app and type is customer.
sdk_max_timeoutconditionalstringThe maximum timeout for the SDK. Required if session device is app and type is customer.
sdk_reference_numberconditionalstringThe reference number used by the SDK. Required if session device is app and type is customer.
sdk_render_optionsconditionalobjectThe render options used by the SDK. See SDK Render Options Required if session device is app and type is customer.
SDK Render Options
AttributeRequiredTypeDescription
sdk_interfaceconditionalstringThe interface types the mobile device supports.. Required if session device is app and type is customer.
sdk_ui_typeconditionalarrayThe UI types the device supports for displaying challenge UIs. Required if session device is app and type is customer.

Response

Returns relevant information about the created 3DS session in a Create Session Response object. Returns an error if the session cannot be retrieved.

{
  "id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
  "type": "customer",
  "cardBrand": "Visa",
  "method_url": "https://acs.example.com/3ds/acs/browser/method",
  "method_notification_url": "https://api.basistheory.com/3ds/sessions/c0c22fcd-d42c-497e-a9a6-2eacd31770d7/method-notification",
  "directory_server_id": "M000000003",
  "recommended_version": "2.2.0"
}

Create Session Response Object

AttributeTypeDescription
idstringThe ID of the 3DS session.
typestringThe 3DS session type.
card_brandstringThe brand for the card used in the 3DS transaction.
method_urlstringThe URL for the Method request, used by the 3DS SDK.
method_notification_urlstringThe URL for which to send the method completion notification, used by the 3DS Web SDK.
directory_server_idstringThe 3DS directory server ID, used by the 3DS Mobile SDKs.
recommended_versionstringThe 3DS version that was used for the transaction.

Get a Session

Get a 3DS Session by ID in the Tenant.

GET
https://api.basistheory.com/3ds/sessions/{id}
Copy

Permissions

3ds:session:read

Request

curl "https://api.basistheory.com/3ds/sessions/c0c22fcd-d42c-497e-a9a6-2eacd31770d7" \
  -H "BT-API-KEY: <API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session.

Response

Returns a 3DS session with the id provided. Returns an error if the session cannot be retrieved.

{
  "id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
  "type": "customer",
  "tenant_id": "2fd20ec9-1255-4286-a0bc-bbb9b70f747f",
  "pan_token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "card_brand": "Visa",
  "created_date": "2025-03-28T11:26:42.3528855+00:00",
  "created_by": "aea3512e-c9fb-4304-b6a8-7e53f8a33075",
  "modified_date": "2025-03-28T11:26:59.3003079+00:00",
  "modified_by": "8fc7beed-ac06-4529-a19f-bde6de591227",
  "device": "browser",
  "device_info": {
    "browser_accept_header": "*/*",
    "browser_javascript_enabled": true,
    "browser_java_enabled": false,
    "browser_language": "en-US",
    "browser_color_depth": "24",
    "browser_screen_height": "1440",
    "browser_screen_width": "2560",
    "browser_tz": "180",
    "browser_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
  },
  "version": {
    "recommended_version": "2.2.0",
    "available_versions": [
      "2.1.0",
      "2.2.0"
    ],
    "earliest_acs_supported_version": "2.1.0",
    "earliest_ds_supported_version": "2.1.0",
    "latest_acs_supported_version": "2.2.0",
    "latest_ds_supported_version": "2.2.0",
    "acs_information": [
      "threeds-auth-available",
      "threeds-attempts-supported",
      "threeds-whitelisting-supported"
    ],
  },
  "method": {
    "method_url": "https://acs.example.com/3ds/acs/browser/method",
    "method_completion_indicator": "Y"
  },
  "authentication": {
    "pan_token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
    "token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
    "session_id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
    "threeds_version": "2.2.0",
    "acs_transaction_id": "ec2a5868-ce1b-44c7-9249-bc5b0aa409a3",
    "ds_transaction_id": "22aeb643-1489-46ee-83aa-af1a01b457c9",
    "acs_reference_number": "mock-acs-reference-number",
    "ds_reference_number": "mock-directory-server-a",
    "liability_shifted": false,
    "authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
    "authentication_status": "successful",
    "authentication_status_code": "Y",
    "directory_status_code": "C",
    "eci": "05",
    "acs_challenge_mandated": "N",
    "authentication_challenge_type": "static",
    "acs_challenge_url": "https://acs.example.com/3ds/acs/browser/creq",
    "challenge_attempts": "01",
    "message_extensions": []
  }
}

Authenticate Session

Authenticate a 3DS Session.

POST
https://api.basistheory.com/3ds/sessions/{id}/authenticate
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c0c22fcd-d42c-497e-a9a6-2eacd31770d7/authenticate" \
  -H "BT-API-KEY: <API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "authentication_category": "payment",
    "authentication_type": "payment-transaction",
    "challenge_preference": "no-challenge",
    "merchant_info": {
      "mid": "9876543210001",
      "acquirer_bin": "000000999",
      "name": "Example 3DS Merchant",
      "category_code": "7922",
      "country_code": "826",
      "url": "https://example.com"
    },
    "requestor_info": {
      "amex_requestor_type": "MER",
      "cb_siret_number": "78467169500087"
    },
    "purchase_info": {
      "amount": "80000",
      "currency": "826",
      "exponent": "2",
      "date": "20240109141010",
      "transaction_type": "purchase"
    },
    "cardholder_info": {
      "name": "John Doe",
      "email": "john@example.com"
    }
  }'

Request Parameters

AttributeRequiredTypeDescription
authentication_categorytruestringThe category of the 3DS authentication, see Authentication Categories for allowed values.
authentication_typetruestringThe type of 3DS transaction, see Authentication Types for allowed values.
request_decoupled_challengefalseboolIf a decoupled challenge is required in case of a challenge. Defaults to true for merchant session type.
decoupled_challenge_max_timeconditionalnumberThe maximum time in minutes for the decoupled challenge. Required if request_decoupled_challenge is true or session type is merchant.
challenge_preferencefalsestringThe merchant 3DS challenge preference, see Challenge Preferences for allowed values.
merchant_infoconditionalMerchant InfoInformation about the merchant. Required if authentication_category is payment.
requestor_infoconditionalRequestor InfoAdditional nformation about the 3DS requestor for certain card brands. Required only if authenticating American Express, Discover or Cartes Bancaires transactions.
purchase_infoconditionalPurchase InfoInformation about the purchase (If any). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction.
cardholder_infotrueCardholder InfoInformation about the cardholder.
broadcast_infofalseobjectUnstructured information sent to the 3DS Server, Directory Server and Access Control Server.
message_extensionsfalsearrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format.

Authentication Categories

Authentication CategoryDescription
paymentUtilized when a future financial transaction is intended (including $0 authentications).
non-paymentUtilized when the authentication is unrelated to an actual or anticipated charge.

Authentication Types

The authentication type can differ depending on the 3DS session type. See table below for details.

Authentication TypeAllowed Session Type(s)Description
payment-transactioncustomerUsed for a single exchange of goods. (e.g. E-commerce checkout)
cardholder-emv-verificationcustomerFor verifying cardholder via EMV (chip-based authentication), typically in physical payment scenarios.
recurring-transactioncustomer, merchantUsed for ongoing subscriptions where the billed amount is always the same. (e.g. Monthly Subscription)
installment-transactioncustomer, merchantUsed for breaking a single purchase into multiple installments. (e.g. Buy Now Pay Later)
add-cardcustomer, merchantFor adding cards to a customer account—used to verify 3DS capability without an immediate transaction.
maintain-cardcustomer, merchantUsed to update or maintain existing card details without performing a payment.
account-verificationcustomer, merchantFor verifying a cardholder's account without charging a payment.
split-or-delayed-shipmentmerchantFor transactions where goods or services ship separately or at a delayed time from the initial order.
top-upmerchantUsed for adding funds to existing prepaid accounts or cards.
mail-ordermerchantTransactions initiated by mail without direct cardholder interaction.
telephone-ordermerchantTransactions initiated via telephone by merchant without cardholder physically present.
whitelist-status-checkmerchantChecks if the cardholder or merchant is on an issuer-approved whitelist.
other-paymentmerchantFor transactions that do not match any other specific payment authentication type.
billing-agreementmerchantEstablishes an agreement permitting future merchant-initiated transactions without further cardholder input.

Challenge Preferences

ValueCodeDescription
no-preference01No preference.
no-challenge02No challenge requested.
challenge-requested03Challenge requested.
challenge-mandated04Challenge mandated by the issuer.
no-challenge-risk-analysis-performed05No challenge, risk analysis already performed.
no-challenge-data-sharing-only06No challenge, data sharing only.
no-challenge-strong-consumer-auth07No challenge, strong consumer authentication already performed.
no-challenge-whitelist-exemption08No challenge, whitelist exemption.
challenge-requested-whitelist-prompt09Challenge requested, whitelist prompt if required.
cartes-bancaires90Enable Cartes Bancaires Scoring Service.

Purchase Info Object

This object contains information about the purchase itself (if the authentication category is a payment transaction).

AttributeRequiredTypeDescription
amountconditionalstringThe purchase amount without any punctuation (i.e. 80000). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction.
currencyconditionalstringThe purchase currency in ISO 4217 currency code. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction.
exponentconditionalstringMinor units of currency as specified in ISO 4217. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction.
dateconditionalstringThe purchase date in UTC and YYYYMMDDhhmmss format. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction.
transaction_typeconditionalstringThe type of purchase transaction. See Purchase Transaction Types for values. Required if authentication_category is payment.
installment_countconditionalstringMaximum number of installments for installment payments. Required if authentication_type is installment-transaction.
recurring_expirationconditionalstringFinal recurring authorization date in YYYYMMDD format. Required if authentication_type is recurring-transaction.
recurring_frequencyconditionalstringMinimum number of days between recurring authorizations. Required if authentication_type is recurring-transaction.
Purchase Transaction Types
ValueDescription
purchaseFor standard purchase transactions/exchange of goods.
check-acceptanceFor transactions involving acceptance of checks as payment.
account-fundingFor funding transactions into an existing account or wallet (e.g., digital wallets, prepaid accounts).
quasi-cashTransactions involving purchasing items directly convertible to cash (e.g., casino chips, money orders).
prepaid-activation-loadTransactions used to activate or load funds onto prepaid cards.

Merchant Info Object

This object contain information about the merchant (who is collecting the money from the purchase).

AttributeRequiredTypeDescription
midconditionalstringThe merchant identifier. This value is provided by your acquirer/payments processor. Required if authentication_category is payment.
acquirer_binconditionalstringThe merchant Acquirer BIN. This value is provided by your acquirer/payments processor. Required if authentication_category is payment.
nameconditionalstringThe merchant's name as defined in the payment system. Required if authentication_category is payment.
urlconditionalstringThe merchant's URL. Required if authentication_category is payment.
country_codeconditionalstringISO 3166-1 numeric three-digit country code of the merchant. Required if authentication_category is payment.
category_codeconditionalstringThe merchant's category code (mcc), as defined by the card scheme. Required if authentication_category is payment.
risk_infofalseMerchant Risk InfoOptional information to de-risk the transaction.

Merchant Risk Info Object

AttributeRequiredTypeDescription
delivery_emailfalsestringThe delivery email address for electronic delivery merchandise.
delivery_time_framefalsestringThe merchandise delivery time frame. See Merchant Risk Delivery Time Frames for allowed values.
gift_card_amountfalsestringThe purchase amount total of prepaid or gift card(s) as an integer.
gift_card_countfalsestringThe total count of individual prepaid or gift cards/codes purchased.
gift_card_currencyfalsestringThe ISO 4217 three-digit currency code of the gift card.
pre_order_purchasefalseboolIf the merchandise order is a pre-order or not.
pre_order_datefalsestringThe date for when the pre-ordered merchandise will be available in YYYYMMDD format.
reordered_purchasefalseboolIf the cardholder is reordering previously purchase merchandise or not.
shipping_methodfalsestringThe shipping method chosen. See Merchant Risk Shipping Methods for allowed values.
Merchant Risk Delivery Time Frames
ValueDescription
electronic-deliveryMerchandise delivered electronically (e.g., email, download).
same-day-shippingMerchandise shipped on the same day as the transaction date.
overnight-shippingMerchandise shipped overnight for next-day delivery.
two-or-more-day-shippingMerchandise shipped with delivery taking two or more days.
Merchant Risk Shipping Methods
ValueDescription
ship-to-billing-addressMerchandise shipped directly to the cardholder's billing address.
ship-to-verified-addressMerchandise shipped to an address verified through issuer authentication.
ship-to-different-addressMerchandise shipped to an address different from the billing address.
ship-to-storeMerchandise shipped to a physical store for customer pickup.
digital-goodsMerchandise delivered digitally (e.g., software, online content).
travel-and-event-ticketsTravel arrangements or event tickets delivered electronically or physically.
otherMerchandise delivered via methods not covered by other categories.

Requestor Info Object

The Requestor Info object contains specific details required by certain card networks (American Express, Discover, and Cartes Bancaires).

If you accept transactions from any of these networks, you may include this information with every request. Basis Theory automatically handles the selection of appropriate values per card network.

AttributeRequiredTypeDescription
amex_requestor_typeconditional (AMEX only)stringThe merchant type as defined by American Express. See American Express Requestor Types for allowed values.
cb_siret_numberconditional (Cartes Bancaires only)stringThe SIRET number identifying the business establishment in France.
discover_client_idconditional (Discover only)stringThe unique Client ID assigned by Discover to the merchant/requestor.
American Express Requestor Types
Requestor TypeDescription
MERGeneral Merchant (default for most merchants).
AGGAggregator (accepts payments on behalf of third parties).
JCBJCB-Acquired Merchant (merchants acquired directly by JCB).
OTAOnline Travel Agency (travel or hospitality sectors).
OPTOptBlue Seller (merchants enrolled in AMEX OptBlue).
WALDigital Wallet (e.g., Apple Pay, Google Pay).

Cardholder Info Object

This object has information about who the cardholder is. Take note that most issuers tend to request at least the name and email properties for successful transactions.

AttributeRequiredTypeDescription
nametruestringThe cardholder name.
emailtruestringThe cardholder email.
account_idfalsestringThe cardholder account identifier - used to reference the cardholder in the merchant's system.
account_typefalsestringThe type of cardholder account. See Cardholder Account Types for allowed values.
account_infofalseCardholder Account InfoInformation about the cardholder's account.
authentication_infofalseCardholder Authentication InfoInformation on how the cardholder was authenticated in the merchant platform.
prior_authentication_infofalseCardholder Prior Authentication InfoInformation about the cardholder's previous 3DS authentication.
phone_numberfalseCardholder Phone NumberThe cardholder main phone number.
mobile_phone_numberfalseCardholder Phone NumberThe cardholder mobile phone number.
work_phone_numberfalseCardholder Phone NumberThe cardholder work phone number.
billing_shipping_address_matchfalsestringIf the billing and shipping address match or not. Use Y for yes and N for no.
billing_addressfalseCardholder AddressThe cardholder billing address.
shipping_addressfalseCardholder AddressThe cardholder shipping address.
Cardholder Account Types
ValueDescription
debitThe card used for the transaction is a debit card.
creditThe card used for the transaction is a credit card.

Cardholder Account Info Object

This object has information about the cardholder's account with the merchant platform.

AttributeRequiredTypeDescription
account_agefalsestringLength of time that the cardholder has had the account. See Cardholder Account Age for allowed values.
account_last_changedfalsestringTime since the account was last changed. See Cardholder Account Last Changed for allowed values.
account_change_datefalsestringDate the account was last changed in YYYYMMDD format.
account_created_datefalsestringDate the account was created in YYYYMMDDD format.
account_pwd_last_changedfalsestringTime since the account password was last changed. See Cardholder Account Password Last Changed for allowed values.
account_pwd_change_datefalsestringThe password change date in YYYYMMDD format.
purchase_count_half_yearfalsestringNumber of purchases by the cardholder in the last six months.
transaction_count_dayfalsestringNumber of transactions by this cardholder in the last 24 hours.
payment_account_agefalsestringDate the payment method was added to the account in YYYYMMDD format.
transaction_count_yearfalsestringNumber of transactions by this cardholder in the last year.
payment_account_createdfalsestringTime since the payment method was added to the account. See Cardholder Payment Account Created for allowed values.
shipping_address_first_usedfalsestringTime since the shipping address was first used. See Cardholder Shipping Address First Used for allowed values.
shipping_address_usage_datefalsestringDate when the shipping address was first used in YYYYMMDD format.
shipping_account_name_matchfalseboolIf the cardholder name matches with the shipping name for the transaction.
suspicious_activity_observedfalseboolIf any suspicious activity was ever observed in the cardholder account or not.
Cardholder Account Age
ValueDescription
no-accountThe cardholder does not have an account with the merchant.
created-this-transactionThe cardholder account was created during this transaction.
less-than-30-daysThe cardholder account was created less than 30 days ago.
30-to-60-daysThe cardholder account was created between 30 and 60 days ago.
more-than-60-daysThe cardholder account was created more than 60 days ago.
Cardholder Account Last Changed
ValueDescription
no-changeThe cardholder account has not been changed.
changed-this-transactionThe cardholder account was changed during this transaction.
less-than-30-daysThe cardholder account was changed less than 30 days ago.
30-to-60-daysThe cardholder account was changed between 30 and 60 days ago.
more-than-60-daysThe cardholder account was changed more than 60 days ago.
Cardholder Account Password Last Changed
ValueDescription
no-changeThe cardholder account password has not been changed.
changed-this-transactionThe cardholder account password was changed during this transaction.
less-than-30-daysThe cardholder account password was changed less than 30 days ago.
30-to-60-daysThe cardholder account password was changed between 30 and 60 days ago.
more-than-60-daysThe cardholder account password was changed more than 60 days ago.
Cardholder Payment Account Created
ValueDescription
no-accountThe cardholder does not have a payment account with the merchant.
created-this-transactionThe cardholder payment account was created during this transaction.
less-than-30-daysThe cardholder payment account was created less than 30 days ago.
30-to-60-daysThe cardholder payment account was created between 30 and 60 days ago.
more-than-60-daysThe cardholder payment account was created more than 60 days ago.
Cardholder Shipping Address First Used
ValueDescription
no-addressThe cardholder does not have a shipping address with the merchant.
address-first-usedThe cardholder shipping address was first used during this transaction.
less-than-30-daysThe cardholder shipping address was first used less than 30 days ago.
30-to-60-daysThe cardholder shipping address was first used between 30 and 60 days ago.
more-than-60-daysThe cardholder shipping address was first used more than 60 days ago.

Cardholder Authentication Info Object

This object has information on how the cardholder authenticated with the merchant platform.

AttributeRequiredTypeDescription
methodfalsestringThe cardholder method of authentication. See Cardholder Authentication Methods for allowed values.
timestampfalsestringThe UTC authentication timestamp in YYYYMMDDhhmm format.
datafalsestringAdditional data for a specific authentication process.
Cardholder Authentication Methods
ValueDescription
no-loginThe cardholder did not log in to the merchant platform.
username-passwordThe cardholder logged in using a username and password.
federated-idThe cardholder logged in using a federated identity (e.g., Google, Facebook).
issuer-credentialsThe cardholder logged in using issuer credentials.
third-partyThe cardholder logged in using a third-party authentication method.
fidoThe cardholder logged in using FIDO authentication.
fido-data-signedThe cardholder logged in using FIDO authentication with signed data.
src-assurance-dataSRC assurance data.

Cardholder Prior Authentication Info Object

This object has information about the cardholder prior 3DS transaction authentication.

AttributeRequiredTypeDescription
methodfalsestringThe cardholder prior 3DS authentication method. See Cardholder Prior Authentication Methods for allowed values.
timestampfalsestringThe UTC prior authentication timestamp in YYYYMMDDhhmm format.
reference_idfalsestringAn ACS Transaction ID for a prior authenticated transaction.
datafalsestringAdditional data for a specific authentication process.
Cardholder Prior Authentication Methods
ValueDescription
frictionlessThe cardholder authenticated a 3DS transaction frictionless.
challengedThe cardholder authenticated a 3DS transaction after a challenge.
avs-verifiedThe cardholder authenticated a 3DS transaction using AVS verification.
otherThe cardholder authenticated a 3DS transaction using other methods.

Cardholder Phone Number Object

AttributeRequiredTypeDescription
country_codefalsestringPhone country code.
numberfalsestringPhone subscriber number.

Cardholder Address Object

AttributeRequiredTypeDescription
line1falsestringThe first line of the address.
line2falsestringThe second line of the address.
line3falsestringThe third line of the address.
postal_codefalsestringAddress postal code.
cityfalsestringAddress city.
state_codefalsestringISO 3166-2 country subdivision code for the state or province of the address.
country_codefalsestringISO 3166-1 numeric three-digit country code of the address.

Response

Returns a 3DS authentication. Returns an error if there were validation errors, or the session failed to authenticate.

{
  "pan_token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "session_id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
  "threeds_version": "2.2.0",
  "acs_transaction_id": "ec2a5868-ce1b-44c7-9249-bc5b0aa409a3",
  "ds_transaction_id": "22aeb643-1489-46ee-83aa-af1a01b457c9",
  "acs_reference_number": "mock-acs-reference-number",
  "ds_reference_number": "mock-directory-server-a",
  "liability_shifted": false,
  "authentication_status": "challenge",
  "authentication_status_code": "C",
  "directory_status_code": "C",
  "acs_challenge_mandated": "N",
  "authentication_challenge_type": "static",
  "acs_challenge_url": "https://acs.example.com/3ds/acs/browser/creq",
  "challenge_preference": "no-challenge",
  "challenge_preference_code": "02"
}

Get Challenge Result

Get the result of a 3DS Challenge for the given session id.

GET
https://api.basistheory.com/3ds/sessions/{id}/challenge-result
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c0c22fcd-d42c-497e-a9a6-2eacd31770d7/challenge-result" \
  -H "BT-API-KEY: <API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session.

Response

Returns a 3DS authentication. Returns an error if the session was not found or if challenge result cannot be retrieved.

{
  "pan_token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "token_id": "f9e45271-b3de-4729-8c1a-9cdd42417fc5",
  "session_id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
  "threeds_version": "2.2.0",
  "acs_transaction_id": "ec2a5868-ce1b-44c7-9249-bc5b0aa409a3",
  "ds_transaction_id": "22aeb643-1489-46ee-83aa-af1a01b457c9",
  "acs_reference_number": "mock-acs-reference-number",
  "ds_reference_number": "mock-directory-server-a",
  "liability_shifted": false,
  "authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
  "authentication_status": "successful",
  "authentication_status_code": "Y",
  "directory_status_code": "C",
  "eci": "05",
  "acs_challenge_mandated": "N",
  "authentication_challenge_type": "static",
  "acs_challenge_url": "https://acs.example.com/3ds/acs/browser/creq",
  "challenge_attempts": "01",
  "message_extensions": []
}

Session Object

AttributeTypeDescription
iduuidUnique identifier of the session.
tenant_iduuidThe Tenant ID which owns the session.
typestringThe type of 3DS session - customer or merchant.
pan_token_idstring
DEPRECATED
The ID of the card token used in the 3DS transaction.
token_idstringThe ID of the card token used in the 3DS transaction.
token_intent_idstringThe ID of the card token intent used in the 3DS transaction.
card_brandstringThe brand for the card used in the 3DS transaction.
expiration_datestringDate for when the 3DS session will expire.
created_datestringCreated date of the session in ISO 8601 format.
created_byuuidThe Application ID which created the session.
modified_datestring(Optional) Last modified date of the session in ISO 8601 format.
modified_byuuid(Optional) The Application ID which last modified the session.
devicestringThe type of device used to create the 3DS session - browser or mobile.
device_infoDevice InfoInformation about the device (collected by the SDKs) used to create the 3DS session.
versionVersionInformation about the supported 3DS version.
methodMethodInformation about the 3DS method invocation (device fingerprinting).
authenticationAuthenticationThe 3DS session authentication outcome.

Device Info Object

AttributeTypeDescription
browser_javascript_enabledboolIndicates if JavaScript is enabled in the browser. (browser device only)
browser_java_enabledboolIndicates if Java is enabled in the browser. (browser device only)
browser_languagestringThe language set in the browser. (browser device only)
browser_color_depthstringThe color depth of the browser. (browser device only)
browser_screen_heightstringThe screen height of the browser. (browser device only)
browser_screen_widthstringThe screen width of the browser. (browser device only)
browser_tzstringThe timezone of the browser. (browser device only)
browser_user_agentstringThe user agent string of the browser. (browser device only)
browser_accept_headerstringThe HTTP Accept header value from the browser. (browser device only)
browser_ipstringThe IP address of the browser. (browser device only)
sdk_transaction_idstringThe ID of the SDK transaction. (app device only)
sdk_application_idstringThe ID for the application using the SDK. (app device only)
sdk_encryption_datastringThe encryption data used by the SDK. (app device only)
sdk_ephemeral_public_keystringThe ephemeral public key used by the SDK. (app device only)
sdk_max_timeoutstringThe maximum timeout for the SDK. (app device only)
sdk_reference_numberstringThe reference number used by the SDK. (app device only)
sdk_render_optionsobjectThe render options used by the SDK. See SDK Render Options. (app device only)

SDK Render Options Object

AttributeTypeDescription
sdk_interfacestringThe interface types the mobile device supports.
sdk_ui_typearrayThe UI types the device supports for displaying challenge UIs.

Version Object

AttributeTypeDescription
recommended_versionstringThe 3DS version that was used for the transaction.
available_versionarrayAll 3DS versions the card supports.
earliest_acs_supported_versionstringThe earliest 3DS version supported by the Access Control Server (ACS).
latest_acs_supported_versionstringThe latest 3DS version supported by the Access Control Server (ACS).
earliest_ds_supported_versionstringThe earliest 3DS version supported by the Directory Server (DS).
latest_ds_supported_versionstringThe latest 3DS version supported by the Directory Server (DS).
acs_informationarrayAdditional information provided by the Access Control Server (ACS).

Method Object

AttributeTypeDescription
method_urlstringThe URL for the Method request, used by the 3DS SDK.
method_completion_indicatorstringIndicates whether the method request completed successfully or not.

Method Completion Indicator

ValueDescription
YMethod request completed successfully.
NMethod request did not complete successfully.
UMethod request result was unavailable.

Authentication Object

AttributeTypeDescription
pan_token_idstring
DEPRECATED
The ID of the card token used in the 3DS transaction.
token_idstringThe ID of the card token used in the 3DS transaction.
token_intent_idstringThe ID of the card token intent used in the 3DS transaction.
session_idstringThe ID of the 3DS session.
threeds_versionstringThe 3DS version used in the transaction.
acs_transaction_idstringThe transaction ID from the 3DS Access Control Server (ACS).
ds_transaction_idstringThe transaction ID from the 3DS Directory Server (DS).
acs_reference_numberstringA unique identifier assigned to the DS by EMVCo.
ds_reference_numberstringA unique identifier assigned to the ACS by EMVCo.
liability_shifted_booleanIndicates whether liability for the transaction was shifted to the issuer or not.
authentication_valuestringThe token value used to authorize the transaction. Also know as CAVV, AAV, AEVV, etc.
authentication_statusstringThe outcome of the 3DS authentication. See Authentication Status.
authentication_status_codestringEMV character code for the authentication status.
authentication_status_reasonstringAdditional information about the authentication status if necessary. See Authentication Status Reason.
directory_status_codestringEMV character code for the directory authentication status.
ecistringElectronic Commerce Indicator (ECI).
acs_challenge_mandatedstringIndicates whether regional mandates (e.g., PSD2) required a challenge to be performed. See ACS Challenge Mandated.
authentication_challenge_typestringThe type of challenge authentication used (if challenge). See Authentication Challenge Type.
acs_challenge_urlstringThe URL to be used for the challenge.
challenge_preferencestringThe selected Challenge Preference during authentication.
challenge_preference_codestringEMV numeric code for the selected challenge preference.
challenge_attemptsstringThe number of challenges attempted by the cardholder.
challenge_cancel_reasonstringThe reason why a challenge was cancelled. See Challenge Cancel Reason.
challenge_cancel_reason_codestringEMV numeric code for the challenge cancel reason.
cardholder_infostringInformation from the issuer to be displayed to the cardholder.
whitelist_statusstringIndicates if the cardholder whitelisted the merchant. See Whitelist Status.
whitelist_status_sourcestringIdentifies the system that set the whitelist value. See Whitelist Status Source.
message_extensionsarrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format.

ACS Challenge Mandated

ValueDescription
YChallenge is mandated by the ACS.
NChallenge is not mandated by the ACS.

Authentication Status

ValueCodeDescription
successfulY3DS authentication was successful.
attemptedA3DS authentication was attempted but not possible. Successful authentication granted by card brand on issuer's behalf.
failedNAuthentication failed, stop the transaction.
unavailableUAuthentication could not be performed. Try to proceed without the authentication value.
challengeCA challenge is required, use the SDK to perform the Challenge.
decoupled_challengeDA challenge will be performed by the issuer. Get the Challenge Result to learn the outcome.
rejectedRThe issuer rejected the authentication attempt.
informationalIAuthentication not requested, data sent to the ACS for informational purposes.

Authentication Status Reason

ValueDescription
card-authentication-failedCard authentication failed.
unknown-deviceUnknown device detected.
unsupported-deviceDevice not supported for authentication.
too-many-authentication-attemptsToo many failed authentication attempts.
card-expiredCard is expired.
invalid-card-numberCard number is invalid.
invalid-transactionTransaction is invalid - authentication not allowed.
no-card-recordNo record found for the card.
security-failureSecurity validation failed.
stolen-cardCard is reported stolen.
suspected-fraudTransaction flagged as fraudulent.
transaction-not-permittedTransaction not allowed for this card.
cardholder-not-enrolledCardholder not enrolled in 3DS - 3DS not required for card.
timeout-at-acsACS (Access Control Server) timeout.
low-confidenceLow confidence authentication, Frictionless Scenario Authentication successful - authentication results available for payment.
medium-confidenceMedium confidence authentication, Frictionless Scenario Authentication successful - authentication results available for payment.
high-confidenceHigh confidence authentication, Frictionless Scenario Authentication successful - authentication results available for payment.
very-high-confidenceVery high confidence authentication, Frictionless Scenario Authentication successful - authentication results available for payment.
max-challenges-exceededToo many authentication challenges.
non-payment-transaction-not-support3DS not supported for non-payment transactions.
3ri-not-supportedMerchant initiated 3DS transaction not supported (merchant session type).
acs-technical-issueACS encountered a technical issue.
decoupled-authentication-requiredDecoupled authentication is required.
decoupled-authentication-timeoutDecoupled authentication timed out.
insufficient-decoupled-authentication-timeNot enough time for decoupled authentication.
authentication-attempted-but-not-performedAuthentication attempted but not completed, Frictionless Scenario Authentication successful - authentication results available for payment.
identity-check-insightsAdditional identity verification insights provided, Frictionless Scenario Authentication successful - authentication results available for payment.
error-connecting-to-acsError connecting to ACS.
acs-timed-outRequest timed out at ACS.
invalid-response-from-acsACS sent an invalid response.
system-error-response-from-acsSystem error occurred at ACS.
internal-error-while-generating-cavvInternal error while generating authentication value.
vmid-not-eligible-for-requested-programMerchant ID is not eligible for 3DS program, reach out to Basis Theory.
protocol-version-not-supported-by-acsACS does not support this protocol version, reach out to Basis Theory.
device-3ri-not-routed-to-smart-authentication-stand-inDevice merchant initiated transaction routing issue.
transaction-excluded-from-attempts-processingTransaction was excluded from attempts processing.

Authentication Challenge Type

ValueDescription
staticStatic challenge, for example, a password or passcode.
dynamicDynamic challenge, for example, a one time password (OTP).
out-of-bandOut-of-Band challenge, for example, using the issuing bank's mobile app.
decoupledDecoupled challenge.

Challenge Cancel Reason

ValueCodeDescription
cardholder-canceled01Cardholder selected 'Cancel' on the challenge.
requestor-canceled023DS requestor cancelled authentication.
transaction-abandoned03Transaction was abandoned.
acs-timeout04Transaction timed out at ACS.
acs-timeout-request-not-received05Transaction timed out at ACS - Challenge request not received.
error06Transaction error.
unknown07Unknown reason.

Whitelist Status

ValueDescription
merchant-trustedMerchant is trusted by the cardholder.
merchant-not-trustedMerchant has not yet been trusted by the cardholder.
not-eligibleNot eligible to whitelist as determined by the issuer.
pending-confirmationPending confirmation by the cardholder.
request-to-trust-rejectedCardholder rejected the request to trust the merchant.
unknownTrusted status unknown.

Whitelist Status Source

ValueDescription
3ds-server3DS Server.
directory-serverDirectory Server (DS).
acsAccess Control Server (ACS).

Message Extension Object

AttributeTypeDescription
idstringThe id for the extensions.
namestringThe name for the extension.
criticalboolIf the extension is critical or not.
datastringData carried in the extension.

Error Handling

Errors generated by the Basis Theory API (e.g., invalid API keys or validation errors) follow the standard API Error formatting.

However, errors that occur externally during the 3DS flow (e.g., errors originating from the ACS, Directory Server, or 3DS Server) will return a specific 424 3DS Service Error.

3DS Service Error

3DS Service Errors are returned when an error occurs within the 3DS Server, Directory Server (DS), or Access Control Server (ACS) during authentication.

The API responds with a 424 HTTP status code and the following error format:

{
  "error": {
    "title": "3DS Service Error",
    "detail": "The 3DS service returned an error. See the 'error' field for more details.",
    "status": 424,
    "error": {
      "service_status": "403",
      "session_id": "c0c22fcd-d42c-497e-a9a6-2eacd31770d7",
      "error_source": "3DS Server",
      "message": "Access denied by issuer. See 'details' for additional detail.",
      "detail": "The merchant_info.acquirer_bin is not recognized by the issuer.",
    }
  }
}
AttributeTypeDescription
titlestringA short, human-readable summary of the problem
detailstringA human-readable explanation specific to this occurrence of the problem
statusintegerHTTP status code of the response. Always (424) for these errors.
error3DS Service ErrorError object with specific details about the returned 3DS Service Error

3DS Service Error Object

AttributeTypeDescription
service_statusstringThe status code returned by the service.
session_idstringThe ID of the affected 3DS session.
error_sourcestringThe source of the error (3DS Server, Access Control Server, Directory Server).
messagestringShort description provided by the external 3DS service.
detailstringAdditional detailed information regarding the error.

Test Cards

Please contact support@basistheory.com before testing the 3DS feature.

See below a pre-defined list of cards that can be used to test different 3DS scenarios.

The "Card Brand" column is meant for usage when testing Bin Details and is not reflected in 3DS responses.
Card NumberCard Brand3DS ScenarioIs Luhn Valid
5204247750001471MASTERCARDSuccessful Frictionless AuthenticationYes
6011601160116011DISCOVERSuccessful Frictionless AuthenticationYes
340000000004001AMEXSuccessful Frictionless AuthenticationYes
4000020000000000VISASuccessful Challenge AuthenticationYes
370000000000002AMEXSuccessful Challenge AuthenticationYes
3566002020360505JCBSuccessful Challenge AuthenticationYes
3566006663297692JCBSuccessful Challenge AuthenticationYes
4005562231212123VISASuccessful Challenge Authentication - Method not RequiredYes
4761369980320253VISASuccessful Mandated Challenge AuthenticationYes
5200000000001104MASTERCARDSuccessful Mandated Challenge AuthenticationYes
4000000000000341VISASuccessful Out-of-Band Challenge AuthenticationYes
4005571701111111VISAAttempted Challenge AuthenticationYes
4111111111111111VISAAuthentication AttemptedYes
5424180011113336MASTERCARDAuthentication AttemptedYes
4264281511112228VISAAuthentication FailedYes
5424180000000171MASTERCARDAuthentication FailedYes
5405001111111165MASTERCARDAuthentication UnavailableYes
5405001111111116MASTERCARDAuthentication RejectedYes
4055011111111111VISAFailed Challenge AuthenticationYes
5427660064241339MASTERCARDFailed Challenge AuthenticationYes
6011361011110004DISCOVERFailed Out of Band Challenge AuthenticationYes
6011361000008888DISCOVERUnavailable Challenge AuthenticationYes
6011361000001115DISCOVERRejected Challenge AuthenticationYes
4264281500003339VISA3DS Directory Server ErrorYes
5424180011110001MASTERCARD3DS Directory Server ErrorYes
4264281500001119VISAInternal 3DS Server ErrorYes
4200000000000002VISASuccessful Frictionless AuthenticationNo
4200000000000004VISASuccessful Challenge AuthenticationNo
4200000000000014VISASuccessful Challenge Authentication - Method not RequiredNo
4200000000000015VISASuccessful Mandated Challenge AuthenticationNo
4200000000000016VISASuccessful Out-of-Band Challenge AuthenticationNo
4200000000000008VISAAttempted Challenge AuthenticationNo
4200000000000003VISAAuthentication AttemptedNo
4200000000000005VISAAuthentication FailedNo
4200000000000006VISAAuthentication UnavailableNo
4200000000000007VISAAuthentication RejectedNo
4200000000000009VISAFailed Challenge AuthenticationNo
4200000000000017VISAFailed Out of Band Challenge AuthenticationNo
4200000000000010VISAUnavailable Challenge AuthenticationNo
4200000000000011VISARejected Challenge AuthenticationNo
4200000000000012VISA3DS Directory Server ErrorNo
4200000000000013VISAInternal 3DS Server ErrorNo