How 3DS Works
3DS introduces a challenge step where the cardholder’s bank verifies their identity (via SMS code, biometric, or app confirmation) before the payment is authorized.Integration Flow
Server-to-Server (S2S) 3DS Flow
Checkout Session 3DS Flow
For checkout sessions, 3DS is handled entirely within the Axra-hosted checkout page. The customer never leaves the checkout experience.Implementation Guide
Step 1: Initiate the Charge
Include areturnUrl in your charge request. This is where the customer will be redirected after completing the 3DS challenge.
Step 2: Check for 3DS Requirement
Inspect the response. Ifstatus is requires_action, the customer must complete a 3DS challenge.
requiresAction object contains:
| Field | Type | Description |
|---|---|---|
type | string | 3ds_redirect, 3ds_challenge, or fingerprint |
redirectUrl | string | URL to redirect the customer for authentication |
Step 3: Redirect the Customer
Redirect the customer’s browser to theredirectUrl:
Step 4: Handle the Return
After the customer completes (or cancels) the 3DS challenge, they are redirected to yourreturnUrl. Confirm the payment:
Step 5: Handle the Result
When is 3DS Required?
3DS may be triggered by:- Card issuer rules: Some issuers require 3DS for all online transactions
- SCA regulation (PSD2): Required for European card payments over certain thresholds
- Risk scoring: Axra’s risk engine may trigger 3DS for suspicious transactions
- Amount thresholds: Some regions require 3DS above certain amounts
status: "succeeded".
Error Handling
3DS Failures
| Scenario | Response Status | What to Do |
|---|---|---|
| Card requires 3DS | requires_action | Redirect customer to redirectUrl |
| Customer cancels 3DS | failed | Show error, allow retry |
| 3DS authentication fails | failed | Show error, suggest different card |
| 3DS timeout | failed | Show error, allow retry |
| Card does not support 3DS | succeeded | Payment completes without 3DS (frictionless) |
Common Mistakes
- Missing
returnUrl: Without a return URL, the customer has nowhere to go after 3DS. Always include it for S2S charges. - Not checking
requires_action: If you ignore this status, the payment stays pending forever. - Confirming without 3DS completion: Calling confirm-3ds before the customer completes the challenge will fail.
- Hardcoding
transactionId: Always use thetransactionIdfrom the charge response — it is unique per transaction.
Testing 3DS
Test Cards
| Card Number | Behavior |
|---|---|
4000002500003155 | 3DS required, authentication succeeds |
4000008260003178 | 3DS required, authentication fails |
4242424242424242 | No 3DS required (frictionless) |
4000000000003220 | 3DS2 required (newer protocol) |
Testing Flow
- Use a sandbox/test API key
- Charge with a 3DS test card
- Follow the
redirectUrl— in test mode the challenge auto-completes - Confirm the payment
- Verify the
payment.completedwebhook fires
Liability Shift
When 3DS authentication succeeds:- Fraud liability shifts from the merchant to the card issuer
- If a fraudulent chargeback occurs, the merchant is protected
- Dispute fees may be waived for 3DS-authenticated transactions
