Authentication

Elavon's 3D Secure 2 solution supports the following authentication mechanisms:

  • HTTP basic authentication
  • Token authentication using OAuth 2.0

You must set up the authentication mechanism before you send any API requests to the 3DS Server.

HTTP Basic authentication


If you are integrating directly with the 3DS Server, you only need to set up basic authentication. If you are sending requests to the 3DS Server through either the Web SDK or the mobile SDK (releasing soon), you still need to set up basic authentication first.

With this option, every API request from your server to the 3DS Server must carry an Authorization header of type Basic.

Format of Basic Auth in a request header:

Authorization: Basic <Base64 encoded username:password>

Example:

Authorization: Basic dXNlcjpwYXNzd29yZA==

Note: Merchants will get the username and password (API key) during the boarding process.

Reference: The 'Basic' HTTP Authentication Scheme by IETF

Token-based authentication using OAuth 2.0


To integrate with the 3DS Server using the Web SDK or the mobile SDK (iOS or Android), the SDK needs a bearer token to access the 3DS Server API. This method prevents the API key from being exposed to client-side code.

To provide this bearer token to the SDK, invoke the /token endpoint to authenticate using HTTP Basic Auth, where the username and the password are sent to the server in the Authorization header of the request.

Test environment: GET https://uat.gw.fraud.eu.elavonaws.com/token

Production environment: GET https://gw.fraud.elavon.com/token

Sample response returned by the /token API:

{
  "token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9JzY29wZSI6WyJjbGllbnRJZDphZnMtZ2F0ZXdheS1zdmMiLCJ1c2VybmFtZTpWUWg4R2hoZ1hQVjRGeWJkdmptUmMyTWgiXSwiZXhwIjoxNTUyOTUzMjA5LCJqdkiOiIxZGU3OGI5ZC0yMDg4LTQzMjgtYTg2YS0wMTdkZTlkZDkxMzci",
  "expiresInSec": 598,
  "validTo": "20210318153749"
}

Note: The retrieved token value is valid for approximately 10 minutes. The validTo field gives the exact time of token expiry in UTC, in the format YYYYMMDDHHMMSS.

Reference: The OAuth 2.0 Authorization Framework: Bearer Token Usage
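
The token flow described above, as an added example (not Elavon's code): a server-side broker that builds the Basic header, calls /token, and caches the bearer token until shortly before it expires, so the API key never reaches the SDK. The names `TokenBroker`, `basic_auth_header`, `parse_token_response` and the 30-second refresh margin are assumptions made for this sketch.

```python
import base64, json, urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://uat.gw.fraud.eu.elavonaws.com/token"  # test environment URL from this page

def basic_auth_header(username, api_key):
    """Build the 'Authorization: Basic ...' value (RFC 7617)."""
    if ":" in username:  # the first colon separates user from password
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_token_response(body, now):
    """Return (token, expiry) from a /token JSON body; expiry is an aware UTC datetime."""
    data = json.loads(body)
    valid_to = datetime.strptime(data["validTo"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    # Take the earlier of the absolute and relative deadlines, in case clocks disagree.
    return data["token"], min(valid_to, now + timedelta(seconds=data["expiresInSec"]))

class TokenBroker:
    """Server-side cache: the API key stays here, only bearer tokens go to the SDK."""

    def __init__(self, username, api_key, fetch=None, skew_sec=30):
        self._auth = basic_auth_header(username, api_key)
        self._fetch = fetch or self._http_fetch  # fetch is injectable for offline tests
        self._skew = timedelta(seconds=skew_sec)  # refresh margin (assumed value)
        self._token = self._expiry = None

    def _http_fetch(self):
        req = urllib.request.Request(TOKEN_URL, headers={"Authorization": self._auth})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()

    def bearer_token(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._token is None or now >= self._expiry - self._skew:
            self._token, self._expiry = parse_token_response(self._fetch(), now)
        return self._token

if __name__ == "__main__":
    # Constructed sample response (token shortened), matching the fields shown above.
    sample = '{"token": "tok-1", "expiresInSec": 598, "validTo": "20210318153749"}'
    t0 = datetime(2021, 3, 18, 15, 27, 51, tzinfo=timezone.utc)
    broker = TokenBroker("user", "password", fetch=lambda: sample)
    print(broker.bearer_token(t0), parse_token_response(sample, t0)[1].isoformat())
```

Your backend endpoint that serves the SDK would return only the value of `bearer_token()`, never the username or API key.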

Test credentials

To get the authentication credentials you need to test the different integration options in the sandbox environment, fill in the information requested in this form.

3D Secure 2 test credentials request form

Error: Invalid authentication


If the API key used in requests to the 3DS Server is invalid or expired, the server returns the following error message. If you receive this error, verify that you have used the right API key, or email #SEDevPortalSupport@elavon.com.

{
  "status" : 401,
  "failures" : [ {
    "code" : "unauthorized",
    "description" : "Unauthorized"
  } ]
}