3D Secure: Orders API


Last updated: Oct 30th, 10:24am

Know before you code

  • You may be subject to PSD2 regulations if you are in Europe. We recommend incorporating 3D Secure into your integration and providing the cardholder's billing address during transaction processing.
  • For standard payments integrations, PayPal manages 3D Secure authentication automatically, so you do not need to make any changes.
  • Use Postman to explore and test PayPal APIs.


1. Include a contingency for 3D Secure

Use the following code to request either SCA_ALWAYS or SCA_WHEN_REQUIRED as a verification attribute for the card object.

  • SCA_ALWAYS triggers 3D Secure for each transaction, regardless of SCA requirements.
  • SCA_WHEN_REQUIRED returns a 3D Secure contingency when it is mandated in the region where you operate. This attribute is the default when you don't pass any parameter.

    curl -v -X POST https://api-m.sandbox.paypal.com/v2/checkout/orders \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ACCESS-TOKEN" \
      -H "PayPal-Partner-Attribution-ID: BN-CODE" \
      -H "PayPal-Auth-Assertion: PAYPAL-AUTH-ASSERTION" \
      -H "PayPal-Request-Id: PAYPAL-REQUEST-ID" \
      -d '{
        "intent": "CAPTURE",
        "purchase_units": [
          {
            "reference_id": "d9f80740-38f0-11e8-b467-0ed5f89f718b",
            "amount": {
              "currency_code": "USD",
              "value": "100.00"
            }
          }
        ],
        "payment_source": {
          "card": {
            "number": "4868719460707704",
            "expiry": "2025-02",
            "security_code": "123",
            "name": "Firstname Lastname",
            "billing_address": {
              "address_line_1": "123 Main St.",
              "address_line_2": "Unit B",
              "admin_area_2": "Anytown",
              "admin_area_1": "CA",
              "postal_code": "12345",
              "country_code": "US"
            },
            "attributes": {
              "verification": {
                "method": "SCA_ALWAYS"
              }
            }
          }
        }
      }'

    Step result

    • A single-step payment request returns an HTTP 201 Created status.
    • A multi-step payment request returns an HTTP 422 Unprocessable Entity status.
    • A confirm order request returns an HTTP 200 OK status.
3. Buyer completes the authentication experience

    1. The issuing bank verifies authentication.
    2. The device data is collected, and JavaScript is posted directly to the issuing bank.

    3DS Request

      # The URL is quoted so the shell does not treat "?" as a glob character.
      curl -v -X GET "https://api-m.sandbox.paypal.com/v2/checkout/orders/3TE883926L0940023?fields=payment_source" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ACCESS-TOKEN" \
        -H "PayPal-Partner-Attribution-ID: BN-CODE" \
        -H "PayPal-Auth-Assertion: PAYPAL-AUTH-ASSERTION"

      3DS Response

        "response": {
          "status": "200 OK",
          "headers": {
            "Content-Type": "application/json"
          },
          "body": {
            "payment_source": {
              "card": {
                "last_digits": "7704",
                "brand": "VISA",
                "type": "CREDIT",
                "authentication_result": {
                  "liability_shift": "POSSIBLE",
                  "three_d_secure": {
                    "enrollment_status": "Y",
                    "authentication_status": "Y"
                  }
                }
              }
            }
          }
        }
4. Proceed with the transaction

        Single-step API request

        After a buyer resolves the 3D Secure contingency thrown by the create order endpoint, the merchant or partner must call the authorize order and capture order endpoints with an empty payload to complete the transaction. 

        Multi-step API request

        After a buyer resolves the 3D Secure contingency thrown by the authorize order and capture order endpoints, the merchant or partner must call the authorize order and capture order endpoints again with an empty payload to complete the transaction.
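
Before calling the authorize order or capture order endpoint, the server can check the authentication result read back from the order. The following is an added example, not PayPal code: it applies an assumed fail-closed policy that proceeds automatically only for the combination shown in the 3DS response above, and the function names are hypothetical.

```python
import json

# Assumed policy for this example: fail closed. Only the field values shown in
# the sample 3DS response on this page count as an authenticated payment.
REQUIRED = {"liability_shift": "POSSIBLE",
            "enrollment_status": "Y",
            "authentication_status": "Y"}


def three_ds_fields(order_body):
    """Flatten the 3D Secure fields found under payment_source.card."""
    node = order_body
    for key in ("payment_source", "card", "authentication_result"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return {}  # no authentication_result: nothing to trust
    tds = node.get("three_d_secure")
    tds = tds if isinstance(tds, dict) else {}
    return {"liability_shift": node.get("liability_shift"),
            "enrollment_status": tds.get("enrollment_status"),
            "authentication_status": tds.get("authentication_status")}


def may_proceed(raw_json):
    """Return (ok, reasons); ok is True only if every required field matches."""
    try:
        body = json.loads(raw_json)
    except (TypeError, ValueError):
        return False, ["response body is not valid JSON"]
    fields = three_ds_fields(body)
    reasons = [f"{name}={fields.get(name)!r}, expected {want!r}"
               for name, want in REQUIRED.items()
               if fields.get(name) != want]
    return not reasons, reasons


# Constructed samples: the first mirrors the response body shown on this page,
# the second is an order that carries no authentication result at all.
AUTHENTICATED = json.dumps({"payment_source": {"card": {
    "last_digits": "7704", "brand": "VISA", "type": "CREDIT",
    "authentication_result": {"liability_shift": "POSSIBLE", "three_d_secure": {
        "enrollment_status": "Y", "authentication_status": "Y"}}}}})
NO_RESULT = json.dumps({"payment_source": {"card": {"last_digits": "7704"}}})

if __name__ == "__main__":
    for label, raw in (("authenticated", AUTHENTICATED), ("no result", NO_RESULT)):
        print(label, may_proceed(raw))
```

A False result means the order should not be captured automatically; the returned reasons are suitable for logging and for routing the order to your own review handling.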
