Authentication
On this page
Elavon’s 3D Secure 2 solution supports the following authentication mechanisms:
You must set up the authentication mechanism before you send any API requests to the 3DS Server.
HTTP Basic authentication
If you are integrating directly with the 3DS Server, you need to only set up the basic authentication. If you are sending requests to the 3DS Server through either the Web SDK or the mobile SDK (releasing soon), you will still need to set up the basic authentication first.
When you use this option, then every API request from your server to the 3DS Server will need an Authorization header with the type Basic.
Format of Basic Auth in a request header:
Authorization: Basic <Base64 encoded username:password>
Example:
Authorization: Basic dXNlcjpwYXNzd29yZA==
note
Merchants will get the username and password (API key) during the boarding process.
Reference: The ‘Basic’ HTTP Authentication Scheme by IETFopen_in_newLink opens new window
Token-based authentication using OAuth 2.0
To integrate with the 3DS Server using the Web SDK or the mobile SDK (iOS or Android), the SDK will need a bearer token to access the 3DS Server API. This method prevents the API key from getting exposed to the client-side code.
To provide this bearer token to the SDK, invoke the /token endpoint to authenticate using HTTP Basic Auth, where the username and the password are sent to the server in the Authorization header of the request.
- Test environment: GET https://uat.gw.fraud.eu.elavonaws.com/tokenopen_in_newLink opens new window
- Production environment: GET https://gw.fraud.elavon.com/tokenopen_in_newLink opens new window
Sample output that is returned as a response from /token API:
{
"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9JzY29wZSI6WyJjbGllbnRJZDphZnMtZ2F0ZXdheS1zdmMiLCJ1c2VybmFtZTpWUWg4R2hoZ1hQVjRGeWJkdmptUmMyTWgiXSwiZXhwIjoxNTUyOTUzMjA5LCJqdkiOiIxZGU3OGI5ZC0yMDg4LTQzMjgtYTg2YS0wMTdkZTlkZDkxMzci",
"expiresInSec": 598,
"validTo": "20210318153749"
}
note
The retrieved token value is valid for approximately 10 minutes. The validTo field value indicates the exact time of token expiry in the UTC format (YYYYMMDDHHMMSS).
Reference: The OAuth 2.0 Authorization Framework: Bearer Token Usageopen_in_newLink opens new window
Test credentials
To get authentication credentials that you would need to test the different integration options in the sandbox environment, fill in the information requested in this form.
3D Secure 2 test credentials request formopen_in_newLink opens new window
Error: Invalid authentication
If the API key you used in the requests made to the 3DS Server is invalid or expired, the server returns the following error message. If you receive this error message, verify that you have used the right API key or contact email#SEDevPortalSupport@elavon.com.
{
"status" : 401,
"failures" : [ {
"code" : "unauthorized",
"description" : "Unauthorized"
} ]
}