Rinne officially supports two 3DS integration patterns: session-first and transaction-first. There is no platform-level preferred flow. Choose the flow that matches your organization architecture.
Endpoint context (self vs merchant)
Use endpoint family based on the API key context you are operating in.Security contract with rinne-js
Use rinne-js secure components as your source of card values:- Card Element for card number (encrypted), CVC (encrypted), and expiry (plain month/year).
- 3D Secure Element for challenge handling.
Critical ID mapping
How transactions enter AWAITING_3DS
A card transaction can enter AWAITING_3DS through any of the following:
- Risk/anti-fraud challenge requirement.
- Soft-decline recovery path.
require_3ds: truein transaction create request.
refuse_on_challenge: true modifies challenge-trigger behavior:
- Challenge-triggered paths are refused immediately (
status = REFUSED). status_reasonis set toCHALLENGE_NOT_ALLOWED.- This avoids waiting in
AWAITING_3DSwhen your organization does not run challenge UX.
These flags are transaction-creation policies only. They do not create a 3DS session or run challenge automatically.
Choosing the right flag strategy
require_3ds is useful when your transaction-first integration already handles AWAITING_3DS and /authenticate, but you need deterministic 3DS enforcement.
refuse_on_challenge is useful when you prefer immediate refusal over any pending challenge workload.
With
refuse_on_challenge, non-challenge transactions continue normal provider processing. Only challenge-triggered paths are refused.Flow A: Session-first
Use this flow when authentication should happen before transaction creation.1
Create a 3DS session
Required fields are
amount, currency, and card. The merchant.website field is the support URL shown to cardholders during the challenge screen. If omitted, Rinne falls back to the website configured on your company or parent organization. The request fails if no website URL can be resolved from any source.Providing payer context (payer_email, payer_name, payer_document, billing_address) is optional but improves authentication rates. Issuers use this context to assess risk and reduce unnecessary challenges.- Self endpoint
- Merchant endpoint
cURL
In practice, sessions come back as
ACTION_REQUIRED or FAILED at creation — even for frictionless flows, authentication completes through the SDK element, not at session creation time. The API contract does allow AUTHENTICATED as a creation-time response for forward compatibility, so always branch on all three statuses rather than assuming only two.When auth_status is ACTION_REQUIRED, authentication_flow and liability_shift are null. They are populated only after the 3DS element completes the authentication flow.Sessions expire 1 hour after creation. If the user takes too long to complete a challenge, you will need to create a new session and restart the authentication step.
2
Branch by auth_status and mount when required
Always branch on
auth_status before deciding whether to mount:FAILED: the card was rejected before the flow could start. Do not mount — surface the error and let the user retry with a different card.AUTHENTICATED: frictionless authentication completed at session creation time. This is rare but allowed by the API contract. Skip mounting and proceed directly to transaction creation.ACTION_REQUIRED: mount the element withtds_session_id. The SDK runs the full 3DS flow internally.
- Frictionless: the issuer authenticates the card silently in the background with no visible UI.
onSuccessfires automatically. - Challenge: the issuer presents a verification step (OTP, app notification, etc.) inside the element.
onSuccessfires after the user completes it.
onSuccess is the signal to proceed in either case.3
Create transaction with three_d_secure_session_id
Use session
id as three_d_secure_session_id.- Self endpoint
- Merchant endpoint
cURL
4
Handle transaction result
Card transactions typically resolve synchronously — the response already contains the final status (
APPROVED, AUTHORIZED, or REFUSED). Use this status to drive your UI immediately.A successful 3DS authentication does not guarantee the transaction will be approved. The issuer can still decline the transaction for reasons unrelated to authentication (insufficient funds, card blocked, etc.).
Flow B: Transaction-first
Use this flow when transaction orchestration starts before 3DS authentication and your backend owns the payment lifecycle from the first call.In transaction-first, transaction status is the source of truth for when 3DS is required. Call
/authenticate only for transactions currently in AWAITING_3DS.Transaction-first status contract
Without
require_3ds: true, some transactions can enter AWAITING_3DS later through two paths:- Risk assessment: Rinne’s anti-fraud rules determine the transaction needs cardholder verification.
- Soft-decline recovery: the payment provider initially declines the transaction with a response code indicating 3DS authentication could resolve the decline (e.g., issuer requires authentication). Rinne automatically retries via the 3DS path instead of refusing immediately.
PROCESSING → AWAITING_3DS. Handle this either synchronously or asynchronously through webhooks or transaction polling, then run the same 3DS session/challenge/authenticate steps described below.1
Create card transaction
For deterministic transaction-first 3DS entry, set
require_3ds: true.- Self endpoint
- Merchant endpoint
cURL
/authenticate only accepts three_d_secure_session_id. CVV is not sent again in this step.2
Branch by transaction status
- If status is
AWAITING_3DS, continue to 3DS session creation. - If status is
PROCESSING,AUTHORIZED,APPROVED, orREFUSED, do not call/authenticate. - If your asynchronous update later moves transaction to
AWAITING_3DS, start 3DS at that point.
3
Create 3DS session and run challenge when required
Create a 3DS session for the same payment attempt:
- Same company/merchant context as the transaction.
- Same
amountandcurrencyas the transaction. - Encrypted card values from rinne-js.
- Optionally include
payer_email,payer_name,payer_document, andbilling_addressto improve authentication rates.
tds_session_id for frontend challenge mount and keep id for backend /authenticate.Branch on auth_status:FAILED: do not mount — surface the error and let the user retry with a different card.AUTHENTICATED: skip mounting and proceed directly to the/authenticatecall.ACTION_REQUIRED: mount the element. The SDK handles frictionless and challenge flows internally;onSuccessfires in both cases. Call/authenticatefromonSuccessusing the sessionid.
4
Authenticate pending transaction with session id
- Self endpoint
- Merchant endpoint
cURL
5
Handle transaction result
Card transactions typically resolve synchronously — the
/authenticate response already contains the final status (APPROVED, AUTHORIZED, or REFUSED). Use this status to drive your UI immediately.If the response still shows AWAITING_3DS, the session failed validation and was not consumed. Check the error response for details and create a new session to retry.Transaction-first authenticate failures and recovery
Session validation before consumption
Rinne validates all checks below before linking a 3DS session to a transaction:- Same company/merchant scope.
- Same amount.
- Same currency.
auth_status = AUTHENTICATED.- Session has cryptogram.
- Session is not expired (sessions expire 1 hour after creation).
consumption_status = NOT_CONSUMED.
400 validation error identifying which condition was not met.
Session create request fields
Amount in cents. Must exactly match the transaction amount you will use this session for.
ISO 4217 currency code (e.g.
BRL). Must exactly match the transaction currency.Encrypted card data from the rinne-js Card Element.
Support URL shown to the cardholder during the challenge screen. Falls back to the website configured on your company or parent organization. The request fails if no URL can be resolved from any source.
Cardholder email. Optional but helps issuers assess risk and reduces unnecessary challenges.
Cardholder name as it appears on the card.
Cardholder document number (e.g. CPF for Brazilian cardholders).
Cardholder billing address.
Session response fields
Internal session UUID. Use this as
three_d_secure_session_id in transaction create or /authenticate requests.Provider session ID. Pass this to
rinne.elements.threeDSecure().mount(tds_session_id).Authentication outcome. One of
ACTION_REQUIRED, AUTHENTICATED, or FAILED.Whether the session has been linked to a transaction. Sessions are single-use.
How authentication completed. Null at session creation — populated after the 3DS element finishes the authentication flow.
Whether liability for fraud chargebacks shifts away from the merchant. Null at session creation — populated after authentication completes.
true: fraud liability shifts away from the merchant. Forfrictionlessandchallengeflows the issuer accepts liability. Forattemptflows the card network stands in and accepts liability when the issuer’s ACS is unavailable.false: the merchant retains fraud liability.
Human-readable failure reason when
auth_status is FAILED. Null otherwise.ISO 8601 timestamp. Sessions expire 1 hour after creation. After this time, the session cannot be used and a new one must be created.
ISO 8601 timestamp of when the session was created.
ISO 8601 timestamp of the last session update. Equals
created_at initially — updated when the 3DS element completes authentication.Idempotency and retry
- Transaction create remains idempotent via
request_id. - 3DS session create is non-idempotent by design.
- If session is expired/consumed/mismatched, create a new session and retry.
- If
/authenticateresult is uncertain (timeout/network failure), fetch transaction first. Retry only if transaction is stillAWAITING_3DSand use a new session.

