Skip to main content
3D Secure (3DS) authenticates the cardholder before card authorization and helps reduce fraud in card-not-present payments.
Rinne officially supports two 3DS integration patterns: session-first and transaction-first. There is no platform-level preferred flow. Choose the flow that matches your organization architecture.

Endpoint context (self vs merchant)

Use endpoint family based on the API key context you are operating in.

Security contract with rinne-js

Use rinne-js secure components as your source of card values:
Do not collect raw PAN/CVC in custom form fields. The Card Element encrypts the card number and CVC client-side before exposing them via mountedCard.values. Expiry month and year are collected but not encrypted — they are sent as plain strings to the 3DS session creation endpoint.

Critical ID mapping

How transactions enter AWAITING_3DS

A card transaction can enter AWAITING_3DS through any of the following:
  1. Risk/anti-fraud challenge requirement.
  2. Soft-decline recovery path.
  3. require_3ds: true in transaction create request.
refuse_on_challenge: true modifies challenge-trigger behavior:
  • Challenge-triggered paths are refused immediately (status = REFUSED).
  • status_reason is set to CHALLENGE_NOT_ALLOWED.
  • This avoids waiting in AWAITING_3DS when your organization does not run challenge UX.
require_3ds and refuse_on_challenge cannot both be true in the same transaction request.
These flags are transaction-creation policies only. They do not create a 3DS session or run challenge automatically.

Choosing the right flag strategy

require_3ds is useful when your transaction-first integration already handles AWAITING_3DS and /authenticate, but you need deterministic 3DS enforcement. refuse_on_challenge is useful when you prefer immediate refusal over any pending challenge workload.
With refuse_on_challenge, non-challenge transactions continue normal provider processing. Only challenge-triggered paths are refused.

Flow A: Session-first

Use this flow when authentication should happen before transaction creation.
1

Create a 3DS session

Required fields are amount, currency, and card. The merchant.website field is the support URL shown to cardholders during the challenge screen. If omitted, Rinne falls back to the website configured on your company or parent organization. The request fails if no website URL can be resolved from any source.Providing payer context (payer_email, payer_name, payer_document, billing_address) is optional but improves authentication rates. Issuers use this context to assess risk and reduce unnecessary challenges.
cURL
In practice, sessions come back as ACTION_REQUIRED or FAILED at creation — even for frictionless flows, authentication completes through the SDK element, not at session creation time. The API contract does allow AUTHENTICATED as a creation-time response for forward compatibility, so always branch on all three statuses rather than assuming only two.When auth_status is ACTION_REQUIRED, authentication_flow and liability_shift are null. They are populated only after the 3DS element completes the authentication flow.
Sessions expire 1 hour after creation. If the user takes too long to complete a challenge, you will need to create a new session and restart the authentication step.
2

Branch by auth_status and mount when required

Always branch on auth_status before deciding whether to mount:
  • FAILED: the card was rejected before the flow could start. Do not mount — surface the error and let the user retry with a different card.
  • AUTHENTICATED: frictionless authentication completed at session creation time. This is rare but allowed by the API contract. Skip mounting and proceed directly to transaction creation.
  • ACTION_REQUIRED: mount the element with tds_session_id. The SDK runs the full 3DS flow internally.
When the element is mounted, the issuer decides the authentication path:
  • Frictionless: the issuer authenticates the card silently in the background with no visible UI. onSuccess fires automatically.
  • Challenge: the issuer presents a verification step (OTP, app notification, etc.) inside the element. onSuccess fires after the user completes it.
Your code handles both identically — onSuccess is the signal to proceed in either case.
3

Create transaction with three_d_secure_session_id

Use session id as three_d_secure_session_id.
cURL
4

Handle transaction result

Card transactions typically resolve synchronously — the response already contains the final status (APPROVED, AUTHORIZED, or REFUSED). Use this status to drive your UI immediately.
A successful 3DS authentication does not guarantee the transaction will be approved. The issuer can still decline the transaction for reasons unrelated to authentication (insufficient funds, card blocked, etc.).

Flow B: Transaction-first

Use this flow when transaction orchestration starts before 3DS authentication and your backend owns the payment lifecycle from the first call.
In transaction-first, transaction status is the source of truth for when 3DS is required. Call /authenticate only for transactions currently in AWAITING_3DS.

Transaction-first status contract

Without require_3ds: true, some transactions can enter AWAITING_3DS later through two paths:
  • Risk assessment: Rinne’s anti-fraud rules determine the transaction needs cardholder verification.
  • Soft-decline recovery: the payment provider initially declines the transaction with a response code indicating 3DS authentication could resolve the decline (e.g., issuer requires authentication). Rinne automatically retries via the 3DS path instead of refusing immediately.
In both cases the transition is PROCESSINGAWAITING_3DS. Handle this either synchronously or asynchronously through webhooks or transaction polling, then run the same 3DS session/challenge/authenticate steps described below.
1

Create card transaction

For deterministic transaction-first 3DS entry, set require_3ds: true.
cURL
/authenticate only accepts three_d_secure_session_id. CVV is not sent again in this step.
2

Branch by transaction status

  • If status is AWAITING_3DS, continue to 3DS session creation.
  • If status is PROCESSING, AUTHORIZED, APPROVED, or REFUSED, do not call /authenticate.
  • If your asynchronous update later moves transaction to AWAITING_3DS, start 3DS at that point.
3

Create 3DS session and run challenge when required

Create a 3DS session for the same payment attempt:
  • Same company/merchant context as the transaction.
  • Same amount and currency as the transaction.
  • Encrypted card values from rinne-js.
  • Optionally include payer_email, payer_name, payer_document, and billing_address to improve authentication rates.
Use tds_session_id for frontend challenge mount and keep id for backend /authenticate.Branch on auth_status:
  • FAILED: do not mount — surface the error and let the user retry with a different card.
  • AUTHENTICATED: skip mounting and proceed directly to the /authenticate call.
  • ACTION_REQUIRED: mount the element. The SDK handles frictionless and challenge flows internally; onSuccess fires in both cases. Call /authenticate from onSuccess using the session id.
4

Authenticate pending transaction with session id

cURL
5

Handle transaction result

Card transactions typically resolve synchronously — the /authenticate response already contains the final status (APPROVED, AUTHORIZED, or REFUSED). Use this status to drive your UI immediately.If the response still shows AWAITING_3DS, the session failed validation and was not consumed. Check the error response for details and create a new session to retry.

Transaction-first authenticate failures and recovery

Session validation before consumption

Rinne validates all checks below before linking a 3DS session to a transaction:
  1. Same company/merchant scope.
  2. Same amount.
  3. Same currency.
  4. auth_status = AUTHENTICATED.
  5. Session has cryptogram.
  6. Session is not expired (sessions expire 1 hour after creation).
  7. consumption_status = NOT_CONSUMED.
Sessions are single-use and become unavailable after consumption. If any check fails, the request is rejected with a 400 validation error identifying which condition was not met.

Session create request fields

amount
integer
required
Amount in cents. Must exactly match the transaction amount you will use this session for.
currency
string
required
ISO 4217 currency code (e.g. BRL). Must exactly match the transaction currency.
card
object
required
Encrypted card data from the rinne-js Card Element.
merchant.website
string
Support URL shown to the cardholder during the challenge screen. Falls back to the website configured on your company or parent organization. The request fails if no URL can be resolved from any source.
payer_email
string
Cardholder email. Optional but helps issuers assess risk and reduces unnecessary challenges.
payer_name
string
Cardholder name as it appears on the card.
payer_document
string
Cardholder document number (e.g. CPF for Brazilian cardholders).
billing_address
object
Cardholder billing address.

Session response fields

id
string
Internal session UUID. Use this as three_d_secure_session_id in transaction create or /authenticate requests.
tds_session_id
string
Provider session ID. Pass this to rinne.elements.threeDSecure().mount(tds_session_id).
auth_status
string
Authentication outcome. One of ACTION_REQUIRED, AUTHENTICATED, or FAILED.
consumption_status
string
Whether the session has been linked to a transaction. Sessions are single-use.
authentication_flow
string | null
How authentication completed. Null at session creation — populated after the 3DS element finishes the authentication flow.
liability_shift
boolean | null
Whether liability for fraud chargebacks shifts away from the merchant. Null at session creation — populated after authentication completes.
  • true: fraud liability shifts away from the merchant. For frictionless and challenge flows the issuer accepts liability. For attempt flows the card network stands in and accepts liability when the issuer’s ACS is unavailable.
  • false: the merchant retains fraud liability.
You can still proceed with a transaction when liability_shift is false. The 3DS cryptogram is still valid — the difference is only in who bears the chargeback risk.
failure_reason
string | null
Human-readable failure reason when auth_status is FAILED. Null otherwise.
expires_at
string
ISO 8601 timestamp. Sessions expire 1 hour after creation. After this time, the session cannot be used and a new one must be created.
created_at
string
ISO 8601 timestamp of when the session was created.
updated_at
string
ISO 8601 timestamp of the last session update. Equals created_at initially — updated when the 3DS element completes authentication.

Idempotency and retry

  • Transaction create remains idempotent via request_id.
  • 3DS session create is non-idempotent by design.
  • If session is expired/consumed/mismatched, create a new session and retry.
  • If /authenticate result is uncertain (timeout/network failure), fetch transaction first. Retry only if transaction is still AWAITING_3DS and use a new session.