Payment Authentication
Authentication is a crucial step in many payment methods, adding an extra layer of security. Consumers must verify their identity through various methods before the payment can be authorized.
The vast majority of digital payment methods are authenticated. Exceptions include:
- Card processing in markets with no SCA/3DS requirement
- SEPA Direct Debit when externally managed mandates are used
Implement flows, not specific payment methods
We offer a standardized set of consumer authentication types, also known as payment flows.
Build support for an authentication type and you'll be able to offer all current and future payment methods that use that flow.
Authentication Types
- Browser-based redirection flow where the consumer is taken to a dedicated page (provided by either PPRO or the upstream scheme or network) to authenticate the payment.
- A barcode or QR code is presented to consumers as a method of authenticating via their mobile device or code scanning device. Generally used for desktop-to-mobile or in-person payment flows.
- Provides a native app-to-app experience by triggering the consumer’s banking or payment app directly from the merchant’s mobile app. This flow ensures a smooth and secure payment experience without needing to switch between apps and browsers.
- Consumers receive a push notification on their mobile device prompting them to authenticate the payment within their banking or payment app. This flow is particularly effective for desktop-to-mobile transactions.
- Involves the generation of a one-time password (OTP) via SMS, email or app, which the consumer enters to authenticate the payment. This flow is widely used for its simplicity and security.
- Specifically designed for card payments, where the merchant obtains a 3DS cryptogram from an external authentication server and shares it with PPRO. This flow ensures compliance with industry regulations like PSD2.
Providing authenticationSettings
In your /v1/payment-charges request, provide your supported authentication types and their required settings, as specified in the API Reference.
Recommendation
To future-proof and simplify your implementation, we suggest sending all authentication types that you support, regardless of the payment method. We'll only respond with the supported flows.
// ...
"authenticationSettings": [
  {
    "type": "REDIRECT",
    "settings": {
      "returnUrl": "https://example.com/order_details?order_id=12345"
    }
  },
  {
    "type": "SCAN_CODE",
    "settings": {
      "scanBy": "2025-11-03T11:23:47.123Z"
    }
  },
  {
    "type": "APP_INTENT",
    "settings": {
      "mobileIntentUri": "exampleapp://payrequest"
    }
  },
  {
    "type": "APP_NOTIFICATION",
    "settings": {}
  }
]
// ...
Select the desired authentication type
In response, you'll receive all possible authentication types available for that payment method. In this example, APP_NOTIFICATION is not returned since it is not supported by the payment method.
// ...
"authenticationMethods": [
  {
    "details": {
      "requestUrl": "https://redirection-target.com",
      "requestMethod": "GET"
    },
    "type": "REDIRECT"
  },
  {
    "details": {
      "mobileIntentUri": "paymentapp://paymentrequest"
    },
    "type": "APP_INTENT"
  },
  {
    "details": {
      "codeType": "QR",
      "codeImage": "<BASE-64 encoded QR String>",
      "scanBy": "2025-11-03T11:23:47.123Z",
      "codePayload": "DAAAAAAAAAAAAABYAAEUlGHvm1-2gXEH-"
    },
    "type": "SCAN_CODE"
  }
]
// ...
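One way to handle this response on the merchant side, added here as an example and not taken from PPRO's documentation or SDKs: it keeps only the types that were actually requested, checks each method's details before acting on them, and picks one by preference. The preference order, the function names and the specific checks (HTTPS-only redirect target, refused intent schemes, unexpired scanBy) are assumptions of this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Merchant-side preference order: an assumption of this example, not a PPRO rule.
PREFERENCE = ["APP_INTENT", "REDIRECT", "SCAN_CODE", "APP_NOTIFICATION"]

# Constructed sample, trimmed from the response shown above.
SAMPLE_METHODS = [
    {"type": "REDIRECT", "details": {
        "requestUrl": "https://redirection-target.com", "requestMethod": "GET"}},
    {"type": "APP_INTENT", "details": {
        "mobileIntentUri": "paymentapp://paymentrequest"}},
    {"type": "SCAN_CODE", "details": {
        "codeType": "QR", "scanBy": "2025-11-03T11:23:47.123Z"}},
]


def usable(method, now):
    """Basic sanity checks on a returned method before acting on it."""
    kind, details = method.get("type"), method.get("details") or {}
    if kind == "REDIRECT":
        url = urlsplit(details.get("requestUrl") or "")
        # Only follow HTTPS targets that name a host.
        return url.scheme == "https" and bool(url.hostname)
    if kind == "APP_INTENT":
        scheme = urlsplit(details.get("mobileIntentUri") or "").scheme
        # Refuse schemes a browser or WebView would interpret itself.
        return bool(scheme) and scheme not in ("javascript", "data", "file")
    if kind == "SCAN_CODE":
        try:  # A code past its scanBy deadline must not be shown.
            scan_by = datetime.fromisoformat(details["scanBy"].replace("Z", "+00:00"))
            return scan_by > now
        except (KeyError, AttributeError, TypeError, ValueError):
            return False
    return kind == "APP_NOTIFICATION"


def select_flow(requested_types, methods, now=None):
    """Return the most preferred usable method among the types we requested."""
    now = now or datetime.now(timezone.utc)
    usable_by_type = {
        m["type"]: m for m in methods
        if m.get("type") in requested_types and usable(m, now)
    }
    for kind in PREFERENCE:
        if kind in usable_by_type:
            return usable_by_type[kind]
    return None
```

A return value of None means no returned method passed the checks, which is the point at which to fail the payment attempt rather than fall back to an unvalidated target.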
Select the payment flow you wish to initiate and follow the steps provided on the subsequent pages.