
Elavon 3D Secure 2.1 supports two authentication mechanisms that merchants can use to access Elavon's 3DS Server. Complete the authorization process before you make any API requests to Elavon’s 3DS Server.

HTTP Basic authentication

If you are integrating directly with the 3DS Server, use this option. With this option, every API request from your server to the 3DS Server needs an Authorization header of type Basic.

Format of Basic Auth in a request header:

Authorization: Basic <Base64 encoded username:password>

Example (the Base64 encoding of user:password):

Authorization: Basic dXNlcjpwYXNzd29yZA==



Merchants will get the username and password (API key) during the boarding process.

Reference: The 'Basic' HTTP Authentication Scheme by IETF

Token authentication / OAuth 2.0 authorization

If you integrate with the 3DS Server using the Web SDK or the mobile SDK (iOS or Android), use the token authentication method. This method prevents the API key from being exposed to client-side code.

To use this option, you should first call the token API of the Elavon 3DS Server to get the bearer token using the following request:

Test: GET

Production: GET https://

You can use the username and password you got from the HTTP Basic authentication for this API request.

Sample output that is returned as a response from /token API:

  "expiresInSec": 598,
  "validTo": "20210318153749"


The retrieved token value is valid for approximately 10 minutes. The validTo field gives the exact time of token expiry in UTC, formatted as YYYYMMDDHHMMSS.

Reference: The OAuth 2.0 Authorization Framework: Bearer Token Usage
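
The server-side handling described in the two sections above, as an added example that is not Elavon's code: it builds the Basic header value, parses validTo as UTC, and refetches the token shortly before it expires. `fetch` is a hypothetical callable standing in for the GET to the token API, and the 30-second safety margin is an assumption.

```python
import base64
from datetime import datetime, timedelta, timezone


def basic_auth_header(username: str, api_key: str) -> str:
    """Build the Authorization header value: Basic base64(username:password)."""
    # RFC 7617: the user-id must not contain ':' because the first colon
    # separates it from the password when the server decodes the value.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_valid_to(valid_to: str) -> datetime:
    """Parse validTo (YYYYMMDDHHMMSS, UTC) into a timezone-aware datetime."""
    parsed = datetime.strptime(valid_to, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def token_is_usable(token_response: dict, now: datetime,
                    margin: timedelta = timedelta(seconds=30)) -> bool:
    """True if more than `margin` (an assumed value) remains before validTo."""
    return now + margin < parse_valid_to(token_response["validTo"])


class TokenCache:
    """Holds one token response on the server and refetches before expiry.

    `fetch` is a hypothetical callable that performs the token request with
    the Basic header; the API key itself never leaves the server.
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._response = None

    def get(self, now: datetime) -> dict:
        stale = self._response is None or not token_is_usable(self._response, now)
        if stale:
            self._response = self._fetch()
        return self._response


# Constructed sample: only the two fields visible in the page's sample output.
SAMPLE_RESPONSE = {"expiresInSec": 598, "validTo": "20210318153749"}
```

Pass a timezone-aware UTC `now` (for example `datetime.now(timezone.utc)`); comparing against a naive local time would raise a TypeError rather than silently misjudge expiry.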

Error: Invalid authentication

If the API key you used in the requests made to the 3DS Server is invalid or expired, the server returns the following error message. If you receive this error message, verify that you have used the right API key or contact

{
  "status" : 401,
  "failures" : [ {
    "code" : "unauthorized",
    "description" : "Unauthorized"
  } ]
}
