Skip to content

Last updated: February 15, 2023

Hosted sessions are the simplest solution for authenticating transactions with 3D Secure (3DS).

Start a session and then redirect the customer using the link in the response. We'll gather the necessary payment, device and cardholder data and take care of the rest.

Information

Hosted sessions are suitable for authentications initiated from browsers only.


Step 1: Request a session

To begin, make a session request.

Endpoints

For the full API specification, see the API reference.

post

https://api.checkout.com/sessions

Additional parameters

To increase the likelihood of frictionless authentication, add additional data fields when requesting a session.

Request example

1
{
2
"source": {
3
"type": "card",
4
"number": "4485040371536584",
5
"expiry_month": 1,
6
"expiry_year": 2030
7
},
8
"amount": 100,
9
"currency": "USD",
10
"authentication_type": "regular",
11
"authentication_category": "payment",
12
"challenge_indicator": "no_preference",
13
"reference": "ORD-5023-4E89",
14
"transaction_type": "goods_service",
15
"shipping_address": {
16
"address_line1": "123 Anywhere St.",
17
"address_line2": "Apt. 456",
18
"city": "Anytown",
19
"state": "AL",
20
"zip": "123456",
21
"country": "US"
22
},
23
"completion": {
24
"type": "hosted",
25
"success_url": "http://example.com/sessions/success",
26
"failure_url": "https://example.com/payments/failure"
27
}
28
}

Response example

You should receive a 202 - Accepted response with a _links.redirect link. For the full API specification, see the API reference.

1
{
2
"id": "sid_y3oqhf46pyzuxjbcn2giaqnb441",
3
"transaction_id": "9aea641d-0549-4222-9ca9-d90b43a4f38c",
4
"amount": 120,
5
"currency": "USD",
6
"authentication_type": "regular",
7
"authentication_category": "payment",
8
"status": "pending",
9
"next_actions": [
10
"redirect_cardholder"
11
],
12
"protocol_version": "2.2.0",
13
"reference": "ORD-5023-4E89",
14
"_links": {
15
"redirect": {
16
"href": "http://3ds2.checkout.com/interceptor/sid_y3oqhf46pyzuxjbcn2giaqnb44"
17
},
18
"self": {
19
"href": "https://api.checkout.com/sessions/sid_y3oqhf46pyzuxjbcn2giaqnb441"
20
}
21
}
22
}

Additional response fields

Field nameDescription

id

string

The unique session identifier.

transaction_id

string

The transaction identifier. This needs to be provided when communicating directly with the issuing bank's access control server (ACS).

amount

integer

The payment amount.

currency

string

The three-letter ISO currency code.

authentication_type

string

Indicates the type of payment this session is for.

authentication_category

string

Indicates the category of the authentication request.

status

string

The status of the session. Should be pending.

next_actions

array

Specifies what action to take to complete the session. For example: redirect_cardholder.

protocol_version

string

The 3DS version used for authentication.

reference

string

A reference you can later use to identify this payment, such as an order number.

recurring

object

Contains the recurring fields submitted in the request.

installment

object

Contains the installment fields submitted in the request.

_links

object

The links related to the session.

_links.redirect

object

The link where the cardholder should be redirected to after authentication.

_links.self

object

The URL of the session.


Exemptions

Learn more about exemptions.


Recurring and installment payments

In regions where SCA is mandated, following the Payment Services Directive (PSD2) means the initial cardholder-initiated transaction (CIT) payment will require SCA. As such, you must authenticate the CIT with a challenge in these mandated regions.

In your API request, set authentication_type to recurring or installment.

You will also need to send the recurring or installment object with the following required fields.

Visa requirements

For Visa payments, the initial customer-initiated transaction (CIT) to set up a recurring or installment series should be processed as a regular authentication and the additional fields described in the following fields are not required.

number_of_payments

Only applies to installment payments.

Integer
Min : 1
Indicates the agreed total number of payment installments to be made in the duration of the installment agreement.

days_between_payments

Integer
Default : 1
Indicates the minimum number of days between authorisations. If no value is specified for a recurring authentication type the default value will be used.

expiry

String
Default : "99991231"
Date after which no further authorisations are performed in the format YYYY/MM/DD. If no value is specified for a recurring authentication type the default value will be used.

For non-recurring or non-installment payments, these fields will be ignored if they are sent to the API.

Request example

1
{
2
"source": {
3
"type": "card",
4
"number": "4485040371536584",
5
"expiry_month": 1,
6
"expiry_year": 2030
7
},
8
"amount": 100,
9
"currency": "USD",
10
"authentication_type": "installment",
11
"installment": {
12
"number_of_payments": 12,
13
"days_between payments": 28,
14
"expiry": 20251231
15
},
16
"authentication_category": "payment",
17
"reference": "ORD-5023-4E89",
18
"transaction_type": "goods_service",
19
"shipping_address": {
20
"address_line1": "123 Anywhere St.",
21
"address_line2": "Apt. 456",
22
"city": "Anytown",
23
"state": "AL",
24
"zip": "123456",
25
"country": "US"
26
},
27
"completion": {
28
"type": "hosted",
29
"callback_url": "https://example.com/sessions/callback"
30
}
31
}

Step 2: Redirect the customer

Redirect the customer using the _links.redirect URL you received in the response.

In the background, our Sessions API will then gather the device data, process the challenge (if required), and authenticate the payment. After authentication is completed, your customer will be redirected to your success_url or failure_url. You can now continue to authorize the payment via our Payments API.

Information

If the authentication is approved or attempted, the customer will be redirected to your success URL. All other authentication results will redirect the customer to your failure URL.

Session properties

Session statuses

Below are the possible values of the status field, which tell you the current status of the session.

StatusDescription

pending

Authentication has been requested and the session has been started. The session id is passed back to your server and can be shared with the mobile app (iOS or Android) SDK.

processing

The 3DS server has updated the authentication with channel data collected by the SDKs and has created and sent an authentication request to the directory server. The access control server is now evaluating the data to decide whether to authenticate the transaction (frictionless) or challenge it.

approved

The payment has been successfully authenticated (frictionless or challenged).

attempted

The payment has been authenticated by a stand-in service, because the access control server could not be reached or does not support 3DS2 natively. You can treat this as a successful authentication and proceed to authorization.

unavailable

Authentication failed because of technical problems with the directory server or the issuer's access control server.

declined

The transaction was not authenticated. The issuer denied the transaction.

rejected

The transaction was rejected. The issuer is rejecting the authentication and requests that authorisation not be attempted.

challenged

Authentication has been requested but the issuer requires that the cardholder be presented with a challenge.

challenge_abandoned

Authentication has been started and challenged, but the cardholder did not complete the challenge.

expired

Authentication has been started but the channel data could not be collected, meaning an authentication request was not created.

Next actions

Below are the possible values for the next_actions field. When present, they identify what action to take in order to complete the session.

Session typeActionDescriptionChannel

Hosted

redirect_cardholder

Redirect the customer so we can handle all the other necessary actions (collect channel data, issuer fingerprint, and challenge) for you.

Browser only

Hosted and non-hosted

complete

No further actions are required. You can complete the session.

Browser and app


Additional authentication data

When requesting a session, you can add additional data fields to increase the chances of a frictionless authentication. Below is a summary of the optional data you can add to your request.

Type of dataDescription and examples

Client user data

Data that supports the specific authentication and information about the authentication method used.

For example, your own credentials, and the issuer's credentials.

Prior transaction information

For returning users and recurring transactions, gather and submit data with each following transaction.

For example, when the recurring payment plan expires, payment references, and the authentication method used.

Address match

Indicates whether the cardholder's shipping and billing address are the same.

Cardholder account / user information

Information about the cardholder and their account on your platform.

For example, how long they've had an account with you, and the number of purchases they've made in the last six months.

User purchase history

Details of the cardholder's purchase history.

For example, the number of purchases in the last six months, and the number of card attempts in the last 24 hours.

Shipping address usage

Information about the use of the shipping address.

For example, when the shipping address was first used, and whether the address name matches the cardholder's name.

Suspicious account activity

Indicates whether you've experienced any suspicious activity on the cardholder's account.

Cardholder information

Additional information you want to provide about the cardholder and their account with you.

Cardholder email address

The email address associated with the cardholder's account.

Cardholder shipping address

The cardholder's full shipping address.

Shipping method

Indicate the shipping method being used for the order, or flag non-shippable items, like digital goods.

For example, whether it's being shipped to a verified address on file, or being picked up by the cardholder from a local store.

Delivery information

Information about the delivery, like the delivery email address or delivery timeframe.