On this page
No Headings
Last updated: June 30, 2026
Use Postman to explore and test PayPal APIs. Learn more in our Postman guide.
Use the following code to request either SCA_ALWAYS or SCA_WHEN_REQUIRED as a verification attribute for the card object.
curl -v -X POST https://api-m.sandbox.paypal.com/v2/checkout/orders \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ACCESS-TOKEN" \
-H "PayPal-Partner-Attribution-ID: BN-CODE" \
-H "PayPal-Auth-Assertion: PAYPAL-AUTH-ASSERTION" \
-H "PayPal-Request-Id: PAYPAL-REQUEST-ID" \
-d '{
"intent": "CAPTURE",
"purchase_units": [
{
"reference_id": "d9f80740-38f0-11e8-b467-0ed5f89f718b",
"amount": {
"currency_code": "USD",
"value": "100.00"
}
}
],
"payment_source": {
"card": {
"number": "4868719460707704",
"expiry": "2025-02",
"security_code": "123",
"name": "Firstname Lastname",
"billing_address": {
"address_line_1": "123 Main St.",
"address_line_2": "Unit B",
"admin_area_2": "Anytown",
"admin_area_1": "CA",
"postal_code": "12345",
"country_code": "US"
},
"attributes": {
"verification": {
"method": "SCA_ALWAYS"
}
}
}
}
}'The merchant must redirect the payer to PayPal to complete 3D Secure authentication.
To trigger the authentication:
https://example.com/webapp/myshop?action=verify&flow=3ds&cart_id=ORDER-ID&redirect_uri=MERCHANT-LANDING-PAGE
curl -v -X GET https://api-m.sandbox.paypal.com/v2/checkout/orders/3TE883926L0940023?fields=payment_source \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ACCESS-TOKEN" \
-H "PayPal-Partner-Attribution-ID: BN-CODE" \
-H "PayPal-Auth-Assertion: PAYPAL-AUTH-ASSERTION" \"response": {
"status": "200 OK",
"headers": {
"Content-Type": "application/json"
},
"body": {
"payment_source": {
"card": {
"last_digits": "7704",
"brand": "VISA",
"type": "CREDIT",
"authentication_result": {
"liability_shift": "POSSIBLE",
"three_d_secure": {
"enrollment_status": "Y",
"authentication_status": "Y"
}
}
}
}
}After a buyer resolves the 3D Secure contingency thrown by the create order endpoint, the merchant or partner must call the authorize order and capture order endpoints with an empty payload to complete the transaction.
After a buyer resolves the 3D Secure contingency thrown by the authorize order and capture order endpoints, the merchant or partner must call the authorize order and capture order endpoints again with an empty payload to complete the transaction.
Move from PayPal's production environment to go live.
Learn more about 3D Secure response parameters
Generate 3D Secure responses for various card testing scenarios in the PayPal sandbox