
Elavon’s 3D Secure 2 solution supports the following authentication mechanisms:

  • HTTP basic authentication
  • Token authentication using OAuth 2.0

You must set up the authentication mechanism before you send any API requests to the 3DS Server.

HTTP Basic authentication

If you are integrating directly with the 3DS Server, you only need to set up basic authentication. If you are sending requests to the 3DS Server through either the Web SDK or the mobile SDK (releasing soon), you still need to set up basic authentication first.

With this option, every API request from your server to the 3DS Server needs an Authorization header of type Basic.

Format of Basic Auth in a request header:

Authorization: Basic <Base64 encoded username:password>


Authorization: Basic dXNlcjpwYXNzd29yZA==


Merchants will get the username and password (API key) during the boarding process.

Reference: The ‘Basic’ HTTP Authentication Scheme by IETF

Token-based authentication using OAuth 2.0

When you integrate with the 3DS Server using the Web SDK or the mobile SDK (iOS or Android), the SDK needs a bearer token to access the 3DS Server API. This method prevents the API key from being exposed to client-side code.

To provide this bearer token to the SDK, invoke the /token endpoint to authenticate using HTTP Basic Auth, where the username and the password are sent to the server in the Authorization header of the request.

Test environment: GET

Production environment: GET

Sample response

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9eyJzY29wZSI6WyJjbGllbnRJZDphZnMtZ2F0ZXdheS1zdmMiLCJ1c2VybmFtZTpWUWg4R2hoZ1hQVjRGeWJkdmptUmMyTWgiXSwiZXhwIjoxNTUyOTUzMjA5LCJqdGkiOiIxZGU3OGI5ZC0yMDg",
  "expiresInSec": 598,
  "validTo": "20210318153749"
}

The retrieved token is valid for approximately 10 minutes. The validTo field in the response gives the exact token expiry time in UTC, in the format YYYYMMDDHHMMSS.

Reference: The OAuth 2.0 Authorization Framework: Bearer Token Usage
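The token flow above as an added server-side sketch (example code written for this page, not Elavon's own): it builds the Basic header, parses validTo as UTC, and caches the bearer token until shortly before expiry so that only the short-lived token reaches the SDK. The names TokenProvider, margin_sec and fetch are hypothetical, token_url is a placeholder you supply for your environment, and the sample response body is constructed.

```python
import base64
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample /token response (token value is a placeholder, not a real JWT).
SAMPLE_BODY = '{"token": "example.bearer.token", "expiresInSec": 598, "validTo": "20210318153749"}'

def basic_auth_header(username, api_key):
    """Authorization header value: Basic base64(username:password)."""
    raw = f"{username}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_token_response(body):
    """Return (token, expiry); validTo is UTC in YYYYMMDDHHMMSS."""
    data = json.loads(body)
    expiry = datetime.strptime(data["validTo"], "%Y%m%d%H%M%S")
    return data["token"], expiry.replace(tzinfo=timezone.utc)

class TokenProvider:
    """Hypothetical server-side cache: the API key stays on the server and
    only the short-lived bearer token is handed to the SDK."""

    def __init__(self, token_url, username, api_key, margin_sec=60, fetch=None):
        self._url = token_url  # assumption: full /token URL for your environment
        self._auth = basic_auth_header(username, api_key)
        self._margin = timedelta(seconds=margin_sec)
        self._fetch = fetch or self._http_get  # fetch hook allows offline testing
        self._token = self._expiry = None

    def _http_get(self):
        req = urllib.request.Request(self._url, headers={"Authorization": self._auth})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            if err.code == 401:  # invalid or expired API key
                raise PermissionError("3DS Server rejected the API key") from err
            raise

    def get(self, now=None):
        """Return a cached token, refreshing when within margin of validTo."""
        now = now or datetime.now(timezone.utc)
        if self._token is None or now >= self._expiry - self._margin:
            self._token, self._expiry = parse_token_response(self._fetch())
        return self._token
```

Refreshing a margin before validTo avoids handing the SDK a token that expires mid-transaction.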

Test credentials

To request authentication credentials that you would need to test the different integration options in the sandbox environment, fill in the information requested in this form.

3D Secure 2 test credentials request form

Error: Invalid authentication

If the API key you used in the requests made to the 3DS Server is invalid or expired, the server returns the following error message. If you receive this error message, verify that you have used the right API key or contact Elavon support at

{
  "status" : 401,
  "failures" : [ {
    "code" : "unauthorized",
    "description" : "Unauthorized"
  } ]
}
