Account icon

How Strong Customer Authentication (SCA) works with Adyen's APIs

Learn how to to perform SCA when making requests to Adyen's APIs.

The purpose of this page is to provide an overview of the SCA process and not to provide examples for specific use cases.

Some procedures involving business accounts require you to perform Strong Customer Authentication (SCA). For example:

  • Making funds transfers to third-party bank accounts.
  • Consulting the transaction history of a business account.
  • Creating transfer limits.

When you make API requests for this procedure, you must also perform SCA. After verifying the identity of your user, the Authentication SDK produces an output that you must include in your API request. Adyen validates this information before sending back a successful response.

This page explains how the SCA process works when using Adyen's Authentication SDK.

Requirements

Before you begin, make sure that you fulfill the following requirements:

Requirement Description
Integration type You must have an Adyen for Platforms integration that includes business accounts.
API credentials To make API requests, you need an API credential for webservices. The roles that you need depend on the specific API request that you want to make.
Setup steps Make sure that you have installed the Authentication SDK.

How it works

After your user starts a procedure that requires SCA, your application initiates the SCA flow. Your user must successfully complete the SCA flow to the API requests required for the procedure.

The following diagram shows the flow for performing SCA challenges to validate API requests.

As shown in the preceding diagram, the flow for performing SCA on your user is as follows:

  1. The Authentication SDK checks if the device is eligible for SCA.
    1. Your application initializes the Authentication SDK.
    2. The Authentication SDK calls a method that checks if the device is eligible for SCA.
    3. If the check is successful, the Authentication SDK passes the sdkOutput to your server.
  2. Your server makes an API request to initiate the procedure.
    1. Your server makes an API request to Adyen including the sdkOutput from the previous step in the header.
    2. If the request is successful, Adyen returns an HTTP 401 response that includes an sdkInput.
    3. Your server passes the sdkInput to the Authentication SDK.
  3. The Authentication SDK initiates the SCA verification process for your user.
    1. The Authentication SDK calls a method to prompt an SCA challenge in your application.
    2. Your user completes the challenge.
    3. The Authentication SDK validates the solution of the challenge.
    4. If the challenge is completed successfully, the Authentication SDK passes a new sdkOutput to your server.
  4. Your server makes an API request to finalize the procedure.
    1. Your server makes an API request to Adyen including the sdkOutput from the previous step in the header.
    2. If the request is successful, Adyen returns an HTTP 2xx response. The exact HTTP status code depends on the endpoint.

The following sections explain more details about the steps in the flow.

Check SCA eligibility

Before initiating a procedure that requires SCA, you must check that the device is eligible for SCA.

The following tabs explain how to check for SCA eligibility using the Authentication SDK for Kotlin, Swift, or JavaScript.

This functionality requires additional configuration from Adyen. To enable it, contact our Support Team.

You will use the sdkOutput when initiating a procedure.

Initiate the procedure

To initiate a procedure that requires SCA:

  1. Make an API request to the endpoint that you need. In the header, specify the following parameter:

    Parameter Type Required Description
    WWW-Authenticate Header -white_check_mark- Include the following values:
    • SCA realm: Specifies the type of procedure that you want to do.
      Example values: Transfer, Transaction, TransferLimit.
    • auth-param1: Base64-encoded value of sdkOutput you get when you checked the SCA eligibility of the device.

    The following example shows the WWW-Authenticate header using the SCA realm Transfers.

  2. Verify that you receive an HTTP 401 response that includes the WWW-Authenticate parameter in the header. The value of this parameter also includes:

    • SCA realm: This must be the same value as the one in the request header.
    • auth-param1: This is a new base64-encoded blob of data.

  3. Pass the new auth-param1 value to the SDK as sdkInput.

Authenticate your user

To register the device with the Authentication SDK:

  1. Authenticate the user by performing two-factor authentication (2FA).

  2. Trigger the SDK to start the device registration and pass sdkInput you received when you initiated the procedure.

    After a successful registration, the SDK generates a Base64-encoded sdkOutput data blob.

  3. Pass sdkOutput to your server.

Finalize the procedure

To finalize a procedure after SCA was completed:

  1. Make an API request to the endpoint that you need. In the header, specify the following parameter:

    Parameter Type Required Description
    WWW-Authenticate Header -white_check_mark- Include the following values:
    • SCA realm: Specifies the type of procedure that you want to do.
      Use the same value that you used when you initiated the procedure.
    • auth-param1: Base64-encoded value of sdkOutput you get when you authenticated your user of the device.

  2. Verify that you receive an HTTP 2xx response. This means that the request was successful.
    The HTTP status and the content of the response depend on the endpoint.

Next steps

required
Register an SCA device

Find out how to use our Authentication SDK to register an iOS or Android device, or other web-enabled device for SCA purposes.
Manage SCA devices

Learn how to manage registered SCA devices.