Sessions

The Sessions API is a standalone solution to authenticate online transactions with the EMV 3D Secure (3DS) protocol, allowing you to implement smarter 3DS authentication flows.

It gives you greater visibility of the issuers' authentication decisions and provides a smoother experience for your customers, while helping you to fulfil the Strong Customer Authentication (SCA) requirements of the second Payment Services Directive (PSD2). And if the issuer does not support the latest version of 3DS, Sessions allows you to fallback to 3DS version 1.0 instead.

Once you have completed the authentication via Sessions, you can then authorize the payment through our payment gateway, another payment services provider (PSP) or using the identifier from the Sessions API response.

You can choose from two solutions: non-hosted or hosted.

Supported card schemes

Sessions currently supports Visa (Verified by Visa / Visa Secure) and Mastercard (Identity Check). We will soon add support for additional schemes, including American Express (SafeKey).

Non-hosted sessions are designed for those who want full control over their authentication flow.

Initiate an authentication through the Sessions API using a card or a network token, set completion.type to non-hosted and provide completion.callback_url to receive the authentication result.

You will then need to collect channel (either browser or mobile app) and additional authentication data, perform a challenge (if required), and handle the authentication result. You can then proceed to authorize the payment, either through our payment gateway or another PSP.

Get started with non-hosted sessions.

This is the simplest solution, where we manage the authentication flow for you.

Initiate an authentication through the Sessions API, set completion.type to hosted, provide completion.success_url and completion.failure_url, and redirect the customer using the link in the response. We'll then gather the necessary payment, device and cardholder data and take care of the rest.

Get started with hosted sessions.

When creating a session, you will need to authorize your request with access key authorization.

Use the following endpoint to generate an access_token, and use it to authorize your create session request.

post

https://access.checkout.com/connect/token


1grant_type=client_credentials&client_id= ack_3kgxgdj773yubf4sfmiht3r4h4
2&client_secret=PddTMk1FBjk1MDQHtBt1U8cHjZvS+Guc80NmcUHp3pHevOpt7EgYkT/DWae7gnOTlF6kPCPo+RZEu9xut/5VVA==


1curl --location --request POST 'https://access.sandbox.checkout.com/connect/token' \
2--header 'Content-Type: application/x-www-form-urlencoded' \
3--data-urlencode 'grant_type=client_credentials' \
4--data-urlencode 'client_id=ack_3kgxgdj773yubf4sfmiht3r4h4' \
5--data-urlencode 'client_secret=PddTMk1FBjk1MDQHtBt1U8cHjZvS+Guc80NmcUHp3pHevOpt7EgYkT/DWae7gnOTlF6kPCPo+RZEu9xut/5VWA=='

The token server will return a Bearer access_token in JSON Web Token (JWT) format.

Your access token is valid for the length of time (in seconds) indicated by the expires_in field. When it expires, you'll need to request a new one.


1{
2  "access_token": "eyJhb6sqaQ",
3  "expires_in": 3600,
4  "token_type": "Bearer",
5  "scope": "flow fx gateway"
6}

We've made some changes to our API

Sessions

Supported card schemes

Non-hosted

Hosted

Authorization

Request example

Response example

Non-hosted sessions

Hosted sessions

3DS Exemptions

Understand authentication failures