Skip to main content
The Three-Domain Secure (3D Secure or 3DS) API provides a decision service that accepts scoring events from the Marqeta platform and evaluates whether to apply strong customer authentication (SCA) with 3DS or to exempt. This implementation is based on the EMV 3-D Secure Protocol and Core Functions Specification. For more information, see the specification on the EMVCo website. The 3DS API is RESTful, so it uses HTTP methods (POST, PUT, GET) to perform functions on objects. For example, to determine whether to send an SCA challenge, send a POST request to the /three-ds/decision endpoint. Some requests include data in their message body. The 3DS API requires that data be in JSON format. The 3DS API provides endpoints that enable you to:
  • Delegate decisioning – determine whether to send an SCA.
  • Notify a 3DS completion status.
  • Receive an Advanced Authentication challenge.
  • Update an authentication result to Marqeta.
For more on 3D Secure, see About 3D Secure.

Delegate decisioning - determine whether to send an SCA

Action: POST
Endpoint: /three-ds/decision
Evaluate whether or not the cardholder will be prompted with a strong customer authentication (SCA) challenge to complete this authentication. To participate in the delegated decision service, your system must handle messages sent by the Marqeta platform and return the appropriate response. This is the URL of the decision service endpoint hosted in your environment, to which POST messages are submitted by the Marqeta platform.

Request header

Body field details

The following table describes the payload required to score an access control server (ACS) request.

The ThreeDSDecisionRequest object

The message_extension object

The requester object

The cardholder_authentication_by_merchant object

The prior_cardholder_authentication object

The sdk object

The server object

The client_browser object

The device object

The cardholder_account object

The phones object

The statistics object

The directory_server object

This object describes information from the Directory Services (DS) in the network.

The recurring object

The transaction object

Contains information about how the payment is being made.

The card_acceptor object

Warning
This object reports information as supplied by the merchant, and could contain inaccurate or unexpected values.

The risk_indicators object

The delivery object

The gift_cards object

The pre_order object

The whitelist object

The AddressPhysical object

Provides details related to the cardholder’s shipping/billing address.

The card_expiry_date object

ThreeDSDecisionResponse (response)

The response to an ACS decision request. Your decision service must respond to each delegated decision request with a decision of CHALLENGE, DECLINE, or EXEMPT. Ensure that your response body adheres to the specifications in this section. You must include all required fields regardless of whether you challenge or exempt the request.

APIResponseWithErrors (response)

A list of problems with the request that the caller might be able to fix.

Response codes

Sample request body

JSON

Sample response body

JSON

Notify a 3DS completion status

Action: POST
Endpoint: /three-ds/challenge-result
Informs the Delegated 3DS decision service whether or not the strong customer authentication (SCA) challenge has succeeded, which is required to evaluate future transactions. This is the URL of the notification endpoint hosted in your environment, to which POST messages are submitted by the Marqeta platform.

Body field details

The following table describes the payload required to score an ACS request.

The ThreeDSChallengeResultRequest object

DecisionServiceResponse (response)

Provides information regarding the call and how it was handled.

Response codes

Sample request body

JSON

Sample response

JSON

Receive an Advanced Authentication challenge

Action: POST
Endpoint: /three-ds/authentication
Stand up this endpoint to receive a cardholder challenge from Marqeta using Advanced Authentication. An Advanced Authentication request prompts you to challenge the cardholder using advanced methods such as biometrics or voice recognition. For details on the Advanced Authentication process, see Advanced Authentication and Advanced authentication lifecycle.

Request header

Body field details

The following table describes the payload required to authenticate a request.

The ThreeDSAuthenticationRequest object

The transaction object

Contains information about how the payment is being made.

The card_acceptor object

Warning
This object reports information as supplied by the merchant, and could contain inaccurate or unexpected values.

Response codes

Sample request body

JSON

Sample response

JSON

Update an authentication result to Marqeta

Action: POST
Endpoint URL: https://authentication-acs.marqeta.com/v3/three-ds/authentication-result
Accepts the 3DS out-of-band/decoupled challenge result and informs the ACS of the cardholder authentication result. Use your Marqeta Core API credentials.

Body field details

The following table describes the response to an ACS authentication request.

The ThreeDSAuthenticationResultRequest object

Response codes

Sample request body

JSON

Sample response

JSON