**Last updated**: 22 April 2025 | [**Change log**](/products/3ds/changelog/)

# Authentication

`POST` your authentication request to the `3ds:authenticate` action link.

Your authentication request sends order and risk data used to decide if a [challenge](/products/3ds/android-ios/challenge-verification) is required.

## Authentication example request

## How much data to provide

The issuer uses [device data](/products/3ds/android-ios/device-data) and values in the `authentication` request to decide if the transaction is likely to be fraudulent. How this data is interpreted varies by issuer. Supplying more data increases the chances of the outcome being frictionless (without a [challenge](/products/3ds/android-ios/challenge-verification)). Some issuers may fail the authentication entirely without the recommended fields.

### EMVco required values

- `instruction.paymentInstrument.cardHolderName`
- `riskData.account.email` <sup>1</sup>
- `riskData.transaction.phoneNumber` <sup>1</sup>
- `transaction.firstName` <sup>2</sup>
- `transaction.lastName` <sup>2</sup>

<sup>1</sup> Either `customer.email` or `customer.phoneNumber` is required.

<sup>2</sup> Only required if `instruction.paymentInstrument.cardHolderName` is not provided.

The following are considered mandatory by EMVco and are already part of Device Data Collection. We recommend providing these in the API request along with other device values to maximize authentication rates if [Device Data Collection fails](#device-data-collection-failure).

- `deviceData.ipAddress`

<sup>1</sup> Provide for web/browser integration only

#### EMVco recommended values

- `instruction.paymentInstrument.billingAddress.city`
- `instruction.paymentInstrument.billingAddress.country`
- `instruction.paymentInstrument.billingAddress.address1`
- `instruction.paymentInstrument.billingAddress.postalCode`
- `instruction.paymentInstrument.billingAddress.state`

<sup>1</sup> Provide for web/browser integration only

### Device Data Collection failure

In the event the Device Data Collection fails to run (browser/native), additionally provide the following to maintain healthy authentication rates and reduce issuer challenges. For the native SDK, the application data is collected as part of initialization. Browser-specific device data is not required.

- `deviceData.ipAddress`

### Full authentication request schema

You can see the full schema in the [API Reference](/products/3ds/openapi) section. The `riskData` object, in particular, contains additional data that, while not mandatory or specifically recommended by EMVco, may be used by some issuers as part of their risk analysis.

## Authentication responses

**Best practice**

Access Worldpay returns a `WP-CorrelationId` in the headers of service responses. We highly recommend you log this. The `WP-CorrelationId` is used by us to examine individual service requests.

The response contains the outcome of your authentication request. To understand more about the `outcomes` and how to reproduce them, see [3DS testing](/products/3ds/testing).

You can see the full response schema in the [API Reference](/products/3ds/openapi/other/authenticate#other/authenticate/response&c=200).
**Authenticated**: Successful frictionless authentication

`authenticated`

```json
{
  "outcome": "authenticated",
  "transactionReference": "Memory265-13/08/1876",
  "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
  "status": "Y",
  "enrolled": "Y",
  "authentication": {
    "version": "2.1.0",
    "authenticationValue": "MAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "eci": "05",
    "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"
  }
}
```

`authenticated` - Cartes Bancaires

```json
{
  "outcome": "authenticated",
  "transactionReference": "Memory265-13/08/1876",
  "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
  "status": "Y",
  "enrolled": "Y",
  "authentication": {
    "version": "2.1.0",
    "authenticationValue": "AJkBBkhgQQAAAE4gSEJydQAAAAA=",
    "eci": "05",
    "transactionId": "be122acf-0ba7-4eff-aa5b-fb53e9ad2f87",
    "cryptogramAlgorithm": "1",
    "challengePreference": "challengeMandated",
    "authenticationFlow": "frictionless",
    "brand": "cartesBancaires"
  }
}
```

**Authentication failed**: Issuer failed the authentication without providing the option for a challenge

`authenticationFailed`

```json
{
  "outcome": "authenticationFailed",
  "transactionReference": "Memory265-13/08/1876",
  "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
  "status": "N",
  "enrolled": "Y",
  "authentication": {
    "version": "2.1.0",
    "eci": "07",
    "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"
  },
  "_links": {
    "3ds:authenticate": {
      "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
    },
    "curies": [
      {
        "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
        "templated": true,
        "name": "3ds"
      }
    ]
  }
}
```

`authenticationFailed` - Cartes Bancaires

```json
{
  "outcome": "authenticationFailed",
  "transactionReference": "Memory265-13/08/1876",
  "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
  "status": "N",
  "enrolled": "Y",
  "authentication": {
    "version": "2.1.0",
    "eci": "07",
    "transactionId": "424c464d-3b04-4101-950a-8a71cd1f9dc6",
    "challengePreference": "challengeMandated",
    "authenticationFlow": "frictionless",
    "statusReason": "01",
    "brand": "cartesBancaires"
  },
  "_links": {
    "3ds:authenticate": {
      "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
    },
    "curies": [
      {
        "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
        "name": "3ds",
        "templated": true
      }
    ]
  }
}
```

**Challenged**: Issuer challenge required based on a risk assessment they have performed.

`challenged`

```json
{
  "outcome": "challenged",
  "transactionReference": "Memory265-13/08/1876",
  "authentication": {
    "version": "2.1.0"
  },
  "challenge": {
    "reference": "123456789",
    "url": "https://ChallengePageUrl.example.com",
    "jwt": "VGhpcyBpcyBhIGJhc2UgNjQgZW5jb2RlZCBleGFtcGxlIG9mIGEgM0RTICJwYXlsb2FkIg==",
    "payload": "eyJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMS4wIiwidGhyZWVE"
  },
  "_links": {
    "3ds:verify": {
      "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/verification"
    },
    "curies": [
      {
        "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
        "templated": true,
        "name": "3ds"
      }
    ]
  }
}
```

**Unavailable**: Error/timeout whilst attempting authentication. Not a recognized outage.

`unavailable`

```json
{
  "outcome": "unavailable",
  "transactionReference": "Memory265-13/08/1876",
  "status": "U",
  "enrolled": "U",
  "_links": {
    "3ds:authenticate": {
      "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
    },
    "curies": [
      {
        "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
        "templated": true,
        "name": "3ds"
      }
    ]
  }
}
```

**Authentication outage**: Recognized downstream 3DS outage. [See below](#authentication-outage)

`authenticationOutage`

```json
{
  "outcome": "authenticationOutage",
  "transactionReference": "Memory265-13/08/1876",
  "_links": {
    "3ds:authenticate": {
      "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
    },
    "curies": [
      {
        "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
        "templated": true,
        "name": "3ds"
      }
    ]
  }
}
```

**Bypassed**: Bypass the authentication flow using Cardinal rules engine configuration. Part of 3DS premium.

`bypassed`

```json
{
  "outcome": "bypassed",
  "transactionReference": "Memory265-13/08/1876",
  "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
  "status": "Y",
  "enrolled": "B",
  "authentication": {
    "version": "2.1.0",
    "eci": "07",
    "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"
  }
}
```

### Authentication outage

If the outcome is `authenticationOutage` due to a recognized downstream issue (e.g. Visa/Mastercard/ACS provider), you can attempt authorization using the authentication outage exemption in the authorization request. This will increase the likelihood of receiving a successful authorization but will not be eligible for liability shift.

This is currently not enabled by default; speak to your Implementation Manager to be set up for `authenticationOutage` responses.

Apply the details (such as `eci`, `version`, `authenticationValue`, `transactionId`) required by [Card Payments](/products/card-payments/) in the [authorization request](/products/card-payments/authorize-a-payment#3ds).

If the outcome is `challenged`, proceed with [challenge display & verification](/products/3ds/android-ios/challenge-verification).

See [Testing](/products/3ds/testing) for details.

**Next steps**

- [Challenge](/products/3ds/android-ios/challenge-verification)
- [Take a payment](/products/card-payments/authorize-a-payment#3ds)
- [Testing](/products/3ds/testing)
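
The outcome handling described under Authentication responses and Authentication outage above, as an added example (not Worldpay's code): a response router that logs `WP-CorrelationId`, fails closed on unknown outcomes, and releases the 3DS details to authorization only when all of them are present. The function name, the action labels, the `outage_exemption_enabled` flag and the `merchant_policy` fallback are assumptions.

```python
import json
import logging

log = logging.getLogger("threeds")

# Details the page says to carry into the authorization request.
AUTH_FIELDS = ("eci", "version", "authenticationValue", "transactionId")
# Outcomes documented on this page; anything else fails closed.
KNOWN = {"authenticated", "authenticationFailed", "challenged",
         "unavailable", "authenticationOutage", "bypassed"}

# Response body taken from the page's "authenticated" example.
SAMPLE = json.dumps({
    "outcome": "authenticated", "status": "Y", "enrolled": "Y",
    "authentication": {
        "version": "2.1.0", "eci": "05",
        "authenticationValue": "MAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"}})


def route_authentication(body, headers, outage_exemption_enabled=False):
    """Return (action, data, correlation_id) for a 3ds:authenticate response."""
    # HTTP header names are case-insensitive; keep the ID for support queries.
    corr = next((v for k, v in headers.items()
                 if k.lower() == "wp-correlationid"), None)
    resp = json.loads(body)
    outcome = resp.get("outcome")
    log.info("3ds outcome=%s WP-CorrelationId=%s", outcome, corr)
    if outcome not in KNOWN:
        raise ValueError(f"unexpected 3DS outcome: {outcome!r}")
    if outcome == "authenticated":
        auth = resp.get("authentication") or {}
        missing = [f for f in AUTH_FIELDS if not auth.get(f)]
        if missing:  # do not authorize as authenticated without all details
            raise ValueError(f"authenticated response lacks {missing}")
        return "authorize", {f: auth[f] for f in AUTH_FIELDS}, corr
    if outcome == "challenged":
        links = resp.get("_links") or {}
        verify = (links.get("3ds:verify") or {}).get("href")
        challenge = resp.get("challenge") or {}
        if not verify or not str(challenge.get("url", "")).startswith("https://"):
            raise ValueError("challenged response is incomplete")
        return "challenge", {"challenge": challenge, "verify": verify}, corr
    if outcome == "authenticationOutage" and outage_exemption_enabled:
        return "authorize_with_outage_exemption", {}, corr
    # authenticationFailed, unavailable, bypassed, or an outage without the
    # exemption enabled: handed to merchant policy (assumption, not the page's).
    return "merchant_policy", {"outcome": outcome}, corr
```

Only the outcome and the correlation ID are logged; the authentication value and challenge payload stay out of the log line.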