Hosted sessions

Last updated: February 12, 2025

Hosted sessions are the simplest solution for authenticating transactions with 3D Secure (3DS).

Start a session and then redirect the customer using the link in the response. We'll gather the necessary payment, device and cardholder data and take care of the rest.

Information

Hosted sessions are suitable for authentications initiated from browsers only.

To begin, make a session request.

For the full API specification, see the API reference.

post

https://api.checkout.com/sessions

Information

To increase the likelihood of frictionless authentication, add additional data fields when requesting a session.


1{
2  "source": {
3    "type": "card",
4    "number": "4485040371536584",
5    "expiry_month": 1,
6    "expiry_year": 2030
7  },
8  "amount": 100,
9  "currency": "USD",
10  "authentication_type": "regular",
11  "authentication_category": "payment",
12  "challenge_indicator": "no_preference",
13  "reference": "ORD-5023-4E89",
14  "transaction_type": "goods_service",
15  "shipping_address": {
16    "address_line1": "123 Anywhere St.",
17    "address_line2": "Apt. 456",
18    "city": "Anytown",
19    "state": "AL",
20    "zip": "123456",
21    "country": "US"
22  },
23  "completion": {
24    "type": "hosted",
25    "success_url": "http://example.com/sessions/success",
26    "failure_url": "https://example.com/payments/failure"
27  }
28}

You receive a 202 - Accepted response with a _links.redirect link. For the full API specification, see the API reference.

Information

If the card is not enrolled in 3DS with the selected scheme, you receive a 422 response and a card_not_enrolled error.

If you want to continue to payment authorization, you can process the transaction as a non-3DS payment by setting 3ds.enabled to false in the payment request.


1{
2  "id": "sid_y3oqhf46pyzuxjbcn2giaqnb441",
3  "transaction_id": "9aea641d-0549-4222-9ca9-d90b43a4f38c",
4  "amount": 120,
5  "currency": "USD",
6  "authentication_type": "regular",
7  "authentication_category": "payment",
8  "status": "pending",
9  "next_actions": ["redirect_cardholder"],
10  "protocol_version": "2.2.0",
11  "reference": "ORD-5023-4E89",
12  "_links": {
13    "redirect": {
14      "href": "http://3ds2.checkout.com/interceptor/sid_y3oqhf46pyzuxjbcn2giaqnb44"
15    },
16    "self": {
17      "href": "https://api.checkout.com/sessions/sid_y3oqhf46pyzuxjbcn2giaqnb441"
18    }
19  }
20}

Field name	Description
`id` string	The unique session identifier.
`transaction_id` string	The transaction identifier. This needs to be provided when communicating directly with the issuing bank's access control server (ACS).
`amount` integer	The payment amount.
`currency` string	The three-letter ISO currency code.
`authentication_type` string	Indicates the type of payment this session is for.
`authentication_category` string	Indicates the category of the authentication request.
`status` string	The status of the session. Should be `pending`. See all possible statuses and their meanings.
`next_actions` array	Specifies what action to take to complete the session. For example: `redirect_cardholder`. See all possible actions and their meanings.
`protocol_version` string	The 3DS version used for authentication.
`reference` string	A reference you can later use to identify this payment, such as an order number.
`recurring` object	Contains the recurring fields submitted in the request.
`installment` object	Contains the installment fields submitted in the request.
`_links` object	The links related to the session.
`_links.redirect` object	The link where the cardholder should be redirected to after authentication.
`_links.self` object	The URL of the session.

Learn more about exemptions.

In regions where SCA is mandated, following the Payment Services Directive (PSD2) means the initial cardholder-initiated transaction (CIT) payment will require SCA. As such, you must authenticate the CIT with a challenge in these mandated regions.

In your API request, set authentication_type to recurring or installment.

You will also need to send the recurring or installment object with the following required fields.

Information

For Visa payments, the initial customer-initiated transaction (CIT) to set up a recurring or installment series should be processed as a regular authentication and the additional fields described in the following fields are not required.

Field name	Description
`number_of_payments` Only applies to `installment` payments.	Integer Min : 1 Indicates the agreed total number of payment installments to be made in the duration of the installment agreement.
`days_between_payments`	Integer Default : 1 Indicates the minimum number of days between authorizations. If no value is specified for a recurring authentication type the default value will be used.
`expiry`	String Default : "99991231" Date after which no further authorizations are performed, in the format `YYYYMMDD`. If no value is specified for a recurring authentication type the default value will be used.

For non-recurring or non-installment payments, these fields will be ignored if they are sent to the API.


1{
2  "source": {
3    "type": "card",
4    "number": "4485040371536584",
5    "expiry_month": 1,
6    "expiry_year": 2030
7  },
8  "amount": 100,
9  "currency": "USD",
10  "authentication_type": "installment",
11  "installment": {
12    "number_of_payments": 12,
13    "days_between payments": 28,
14    "expiry": 20251231
15  },
16  "authentication_category": "payment",
17  "reference": "ORD-5023-4E89",
18  "transaction_type": "goods_service",
19  "shipping_address": {
20    "address_line1": "123 Anywhere St.",
21    "address_line2": "Apt. 456",
22    "city": "Anytown",
23    "state": "AL",
24    "zip": "123456",
25    "country": "US"
26  },
27  "completion": {
28    "type": "hosted",
29    "callback_url": "https://example.com/sessions/callback"
30  }
31}

Redirect the customer using the _links.redirect URL you received in the response.

In the background, our Sessions API will then gather the device data, process the challenge (if required), and authenticate the payment. After authentication is completed, your customer will be redirected to your success_url or failure_url. You can now continue to authorize the payment via our Payments API.

Information

If the authentication is approved or attempted, the customer will be redirected to your success URL. All other authentication results will redirect the customer to your failure URL.

Below are the possible values of the status field, which tell you the current status of the session.

Status	Description
`pending`	Authentication has been requested and the session has been started. The session `id` is passed back to your server and can be shared with the mobile app (iOS or Android) SDK.
`processing`	The 3DS server has updated the authentication with channel data collected by the SDKs and has created and sent an authentication request to the directory server. The access control server is now evaluating the data to decide whether to authenticate the transaction (frictionless) or challenge it.
`approved`	The payment has been successfully authenticated (frictionless or challenged).
`attempted`	The payment has been authenticated by a stand-in service, because the access control server could not be reached or does not support 3DS2 natively. You can treat this as a successful authentication and proceed to authorization.
`unavailable`	Authentication failed because of technical problems with the directory server or the issuer's access control server.
`declined`	The transaction was not authenticated. The issuer denied the transaction.
`rejected`	The transaction was rejected. The issuer is rejecting the authentication and requests that authorisation not be attempted.
`challenged`	Authentication has been requested but the issuer requires that the cardholder be presented with a challenge.
`challenge_abandoned`	Authentication has been started and challenged, but the cardholder did not complete the challenge.
`expired`	Authentication has been started but the channel data could not be collected, meaning an authentication request was not created.

Below are the possible values for the next_actions field. When present, they identify what action to take in order to complete the session.

Session type	Action	Description	Channel
Hosted	`redirect_cardholder`	Redirect the customer so we can handle all the other necessary actions (collect channel data, issuer fingerprint, and challenge) for you.	Browser only
Hosted and non-hosted	`complete`	No further actions are required. You can complete the session.	Browser and app

When requesting a session, you can add additional data fields to increase the chances of a frictionless authentication. Below is a summary of the optional data you can add to your request.

Type of data	Description and examples
Client user data	Data that supports the specific authentication and information about the authentication method used. For example, your own credentials, and the issuer's credentials.
Prior transaction information	For returning users and recurring transactions, gather and submit data with each following transaction. For example, when the recurring payment plan expires, payment references, and the authentication method used.
Address match	Indicates whether the cardholder's shipping and billing address are the same.
Cardholder account / user information	Information about the cardholder and their account on your platform. For example, how long they've had an account with you, and the number of purchases they've made in the last six months.
User purchase history	Details of the cardholder's purchase history. For example, the number of purchases in the last six months, and the number of card attempts in the last 24 hours.
Shipping address usage	Information about the use of the shipping address. For example, when the shipping address was first used, and whether the address name matches the cardholder's name.
Suspicious account activity	Indicates whether you've experienced any suspicious activity on the cardholder's account.
Cardholder information	Additional information you want to provide about the cardholder and their account with you.
Cardholder email address	The email address associated with the cardholder's account.
Cardholder shipping address	The cardholder's full shipping address.
Shipping method	Indicate the shipping method being used for the order, or flag non-shippable items, like digital goods. For example, whether it's being shipped to a verified address on file, or being picked up by the cardholder from a local store.
Delivery information	Information about the delivery, like the delivery email address or delivery timeframe.

Hosted sessions

Information

Step 1: Request a session

Endpoints

Information

Request example

Response example

Information

Additional response fields

Exemptions

Recurring and installment payments

Information

Request example

Step 2: Redirect the customer

Information

Session properties

Session statuses

Next actions

Additional authentication data