---
title: "How Strong Customer Authentication (SCA) works with Adyen's APIs"
description: "Learn how to perform SCA when making requests to Adyen's APIs."
url: "https://docs.adyen.com/business-accounts/how-sca-works"
source_url: "https://docs.adyen.com/business-accounts/how-sca-works.md"
canonical: "https://docs.adyen.com/business-accounts/how-sca-works"
last_modified: "2022-11-30T17:52:00+01:00"
language: "en"
---

# How Strong Customer Authentication (SCA) works with Adyen's APIs

Learn how to perform SCA when making requests to Adyen's APIs.

The purpose of this page is to provide an overview of the SCA process and *not* to provide examples for specific use cases.

Some procedures involving business accounts require you to perform Strong Customer Authentication (SCA). For example:

* Making funds transfers to third-party bank accounts.
* Consulting the transaction history of a business account.
* Creating transfer limits.

When you make API requests for these procedures, you must also perform SCA. After verifying the identity of your user, the Authentication SDK produces an output that you must include in your API request. Adyen validates this information before sending back a successful response.

This page explains how the SCA process works when using Adyen's Authentication SDK.

## Requirements

Before you begin, make sure that you fulfill the following requirements:

| Requirement | Description |
| --- | --- |
| **Integration type** | You must have an [Adyen for Platforms](/adyen-for-platforms-model) integration that includes business accounts. |
| **API credentials** | To make API requests, you need an [API credential for webservices](/business-accounts/manage-access?tab=balance_platform_configuration_0_1#manage-api-credentials). The [roles](/business-accounts/manage-access?tab=balance_platform_configuration_0_1#frequently-used-roles) that you need depend on the specific API request that you want to make. |
| **Setup steps** | Make sure that you have installed the Authentication SDK. |

## How it works

After your user starts a procedure that requires SCA, your application initiates the SCA flow. Your user must successfully complete the SCA flow to validate the API requests required for the procedure.

The following diagram shows the flow for performing SCA challenges to validate API requests.

[![](/user/pages/reuse/pfs-business-accounts/auth-sdk/how-sca-works/sca-flow.svg)](/user/pages/reuse/pfs-business-accounts/auth-sdk/how-sca-works/sca-flow.svg)

As shown in the preceding diagram, the flow for performing SCA on your user is as follows:

1. The Authentication SDK checks if the device is eligible for SCA.
   1. Your application initializes the Authentication SDK.
   2. The Authentication SDK calls a method that checks if the device is eligible for SCA.
   3. If the check is successful, the Authentication SDK passes the `sdkOutput` to your server.
2. Your server makes an API request to initiate the procedure.
   1. Your server makes an API request to Adyen including the `sdkOutput` from the previous step in the header.
   2. If the request is successful, Adyen returns an **HTTP 401** response that includes an `sdkInput`.
   3. Your server passes the `sdkInput` to the Authentication SDK.
3. The Authentication SDK initiates the SCA verification process for your user.
   1. The Authentication SDK calls a method to prompt an SCA challenge in your application.
   2. Your user completes the challenge.
   3. The Authentication SDK validates the solution of the challenge.
   4. If the challenge is completed successfully, the Authentication SDK passes a new `sdkOutput` to your server.
4. Your server makes an API request to finalize the procedure.
   1. Your server makes an API request to Adyen including the `sdkOutput` from the previous step in the header.
   2. If the request is successful, Adyen returns an **HTTP 2xx** response. The exact HTTP status code depends on the endpoint.

The following sections explain more details about the steps in the flow.

## Check SCA eligibility

Before initiating a procedure that requires SCA, you must check that the device is eligible for SCA. The following tabs explain how to check for SCA eligibility using the Authentication SDK for Kotlin, Swift, or JavaScript.

This functionality requires additional configuration from Adyen. To enable it, contact our [Support Team](https://ca-test.adyen.com/ca/ca/contactUs/support.shtml?form=other).

### Tab: Android (Kotlin)

To check if the Android device is eligible for SCA:

1. Initialize the `AdyenAuthentication` class in your Activity or Fragment.

   **Initiate authentication**

   ```kotlin
   private lateinit var adyenAuthentication: AdyenAuthentication

   override fun onCreate(savedInstanceState: Bundle?) {
       super.onCreate(savedInstanceState)
       adyenAuthentication = AdyenAuthentication(this)
   }
   ```

2. Check if SCA is available on the device.

   **Check SCA eligibility**

   ```kotlin
   lifecycleScope.launch {
       val availabilityResult: AvailabilityResult = adyenAuthentication.checkAvailability()
       if (availabilityResult is AvailabilityResult.Available) {
           availabilityResult.sdkOutput
       }
   }
   ```

   The function returns an `sdkOutput`.

3. Pass the `sdkOutput` to your server.

### Tab: iOS (Swift)

To check if the iOS device is eligible for SCA:

1. Initialize the `AuthenticationService` class.

   **Initialize authentication service**

   ```swift
   let configuration = AuthenticationService.Configuration(
       localizedRegistrationReason: registrationReason,
       localizedAuthenticationReason: authenticationReason,
       appleTeamIdendtifier: appleTeamIdentifier
   )
   let authenticationService = AuthenticationService(configuration: configuration)
   ```

2. Check if SCA is available on the device.

   **Check SCA eligibility**

   ```swift
   let sdkOutput = try authenticationService.checkSupport()
   /// send the sdkOutput to your backend
   ```

   The function returns an `sdkOutput`.

3. Pass the `sdkOutput` to your server.

### Tab: Web (JavaScript)

To check if the web browser on your web-enabled device is eligible for SCA:

1. Import the node package in your application. `relyingPartyName` is the name that the user is presented with when creating or validating a `WebAuthn` operation. We recommend that the value of `relyingPartyName` be the merchant name or the URL domain.

   **Import web sdk and initiate authentication**

   ```javascript
   import ScaWebauthn from '@adyen/bpscaweb';

   const scaWebauthn = ScaWebauthn.create({
     relyingPartyName: 'merchant',
   });

   const sdkOutput = await scaWebauthn.checkAvailability().catch((error) => {
     /* handle the SCA_UNAVAILABLE error */
   });
   ```

   If the user's browser supports SCA, the function returns the `sdkOutput` to exchange in requests to the server. If SCA is not supported, the method throws an `SCA_UNAVAILABLE` error.

2. Pass the `sdkOutput` to your server.

You will use the `sdkOutput` when [initiating a procedure](#initiate-procedure).

## Initiate the procedure

To initiate a procedure that requires SCA:

1. Make an API request to the endpoint that you need.
   In the header, specify the following parameter:

   | Parameter | Type | Required | Description |
   | --- | --- | --- | --- |
   | `WWW-Authenticate` | Header | Yes | Include the following values:<br>- `SCA realm`: Specifies the type of procedure that you want to do. Example values: **Transfer**, **Transaction**, **TransferLimit**.<br>- `auth-param1`: Base64-encoded value of the **sdkOutput** that you got when you [checked the SCA eligibility](#check-sca) of the device. |

   The following example shows the `WWW-Authenticate` header using the `SCA realm` **Transfer**.

   **Header of a transfer request that requires SCA**

   ```bash
   'WWW-Authenticate: SCA realm="Transfer" auth-param1="eyJpZCI6ICJ1c2VyMTIzIiwgInRva2VuIjog..."'
   ```

2. Verify that you receive an **HTTP 401** response that includes the `WWW-Authenticate` parameter in the header. The value of this parameter also includes:

   * `SCA realm`: This must be the same value as the one in the request header.
   * `auth-param1`: This is a new Base64-encoded blob of data.

3. Pass the new `auth-param1` value to the SDK as `sdkInput`.

## Authenticate your user

To register the device with the Authentication SDK:

1. Authenticate the user by performing [two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) (2FA).
2. Trigger the SDK to start the device registration and pass the `sdkInput` that you received when you [initiated the procedure](#initiate-procedure).

### Tab: Android (Kotlin)

**Register device with SCA SDK**

```kotlin
lifecycleScope.launch {
    val registrationResult: AuthenticationResult = adyenAuthentication.register("sdkInput")
    when (registrationResult) {
        is AuthenticationResult.RegistrationSuccessful -> {
            registrationResult.sdkOutput
        }
        is AuthenticationResult.Canceled -> {
            // cardholder canceled the flow
        }
        is AuthenticationResult.Error -> {
            // Unexpected error
            registrationResult.errorMessage
        }
        is AuthenticationResult.AuthenticationError -> {
            // FIDO API Error
            registrationResult.authenticationError
        }
    }
}
```

### Tab: iOS (Swift)

**Register device with SCA SDK**

```swift
let sdkOutput = try await authenticationService.register(withBase64URLString: sdkInput)
/// send the sdkOutput to the backend
```

The SDK uses the [Apple DeviceCheck framework](https://developer.apple.com/documentation/devicecheck) to generate a Base64-encoded `sdkOutput` data blob. To do this, the SDK authenticates the user using Touch ID, Face ID, or the device passcode.

To enable Face ID support, add `NSFaceIDUsageDescription` to `Info.plist`.

### Tab: Web (JavaScript)

**Register device with SCA SDK**

```javascript
const sdkOutput = await scaWebauthn.register(sdkInput);
```

After a successful registration, the SDK generates a Base64-encoded `sdkOutput` data blob.

3. Pass `sdkOutput` to your server.

## Finalize the procedure

To finalize a procedure after SCA was completed:

1. Make an API request to the endpoint that you need.
   In the header, specify the following parameter:

   | Parameter | Type | Required | Description |
   | --- | --- | --- | --- |
   | `WWW-Authenticate` | Header | Yes | Include the following values:<br>- `SCA realm`: Specifies the type of procedure that you want to do. Use the same value that you used when you [initiated the procedure](#initiate-procedure).<br>- `auth-param1`: Base64-encoded value of the **sdkOutput** that you got when you [authenticated your user](#authenticate-user). |

2. Verify that you receive an **HTTP 2xx** response. This means that the request was successful.
   The HTTP status and the content of the response depend on the endpoint.

## Next steps

* [Register an SCA device](/business-accounts/register-sca-devices) (required): Find out how to use our Authentication SDK to register an iOS or Android device, or other web-enabled device for SCA purposes.
* [Manage SCA devices](/business-accounts/manage-sca-devices): Learn how to manage registered SCA devices.
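
The header exchange described under "Initiate the procedure" and "Finalize the procedure", as an added server-side example that is not Adyen's code. The helper names and sample values are constructed, and it assumes that the `sdkOutput` from the SDK is already the Base64 string the header expects and that realm names contain only letters, as in the page's example values.

```javascript
// Added example: helper names are hypothetical; only the header layout
// (SCA realm="..." auth-param1="...") comes from the page.
const SCA_VALUE = /^SCA\s+realm="([^"]*)",?\s+auth-param1="([^"]*)"\s*$/;
const BASE64 = /^[A-Za-z0-9+\/_-]+={0,2}$/; // standard or URL-safe alphabet
const REALM = /^[A-Za-z]+$/;                // assumption: realms are plain words

// Build the WWW-Authenticate value your server sends to Adyen.
// sdkOutput arrives from the user's device, so it is checked before it is
// placed in a header: quotes or CR/LF would allow header injection.
function buildScaHeader(realm, sdkOutput) {
  if (!REALM.test(realm)) throw new Error('invalid realm');
  if (!BASE64.test(sdkOutput)) throw new Error('sdkOutput is not Base64');
  return `SCA realm="${realm}" auth-param1="${sdkOutput}"`;
}

// Read the HTTP 401 that answers the initiating request and return the
// new auth-param1, which is handed to the Authentication SDK as sdkInput.
function parseScaChallenge(status, headerValue, expectedRealm) {
  if (status !== 401) throw new Error(`expected HTTP 401, got ${status}`);
  const match = SCA_VALUE.exec(headerValue || '');
  if (!match) throw new Error('malformed SCA challenge');
  const [, realm, authParam] = match;
  if (realm !== expectedRealm) throw new Error('realm mismatch');
  if (!BASE64.test(authParam)) throw new Error('auth-param1 is not Base64');
  return authParam;
}

// Constructed sample values, not real SDK output.
function demo() {
  const request = buildScaHeader('Transfer', 'ZGV2aWNlLWVsaWdpYmxl');
  const sdkInput = parseScaChallenge(
    401, 'SCA realm="Transfer" auth-param1="Y2hhbGxlbmdlLWJsb2I="', 'Transfer');
  return { request, sdkInput };
}

console.log(demo());
```

The same `buildScaHeader` call serves the finalizing request, this time with the `sdkOutput` returned after the user completes the challenge.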