Use an Authentication in a Payment
Two optional source fields let a payment use a 3DS authentication you already
have, instead of running Moyasar's own 3DS step. Both apply to creditcard and
card sources, and either field disables Moyasar's 3DS for that payment.
Omitting both keeps the default flow unchanged.
Standalone 3D Secure is enabled only for selected merchants.
Reuse a Moyasar authentication — source.card_auth_id
Reference a standalone card_auth. Moyasar attaches
the existing authentication to the payment's card and goes straight to
authorization.
Endpoint: POST /v1/payments
Authentication: Publishable key
- JSON
- cURL
{
"amount": 10000,
"currency": "SAR",
"callback_url": "https://merchant.example/return",
"source": {
"type": "creditcard",
"name": "John Doe",
"number": "4111111111111111",
"month": "12",
"year": "2030",
"cvc": "123",
"card_auth_id": "ca_2a1b..."
}
}
curl -X POST https://api.moyasar.com/v1/payments \
-u pk_test_YOUR_PUBLISHABLE_KEY: \
-H "Content-Type: application/json" \
-d '{
"amount": 10000,
"currency": "SAR",
"callback_url": "https://merchant.example/return",
"source": {
"type": "creditcard",
"name": "John Doe",
"number": "4111111111111111",
"month": "12",
"year": "2030",
"cvc": "123",
"card_auth_id": "ca_2a1b..."
}
}'
The authentication must:
- belong to the same account,
- be
authenticated, - not be already consumed (each authentication can back a single payment), and
- match the payment on card fingerprint, amount, and currency.
If any check fails, the request is rejected with an invalid_card_auth error.
Bring your own — source.card_auth_data
Supply 3DS values you obtained elsewhere directly on the source. Moyasar attaches them to the payment's card and authorizes without running its own 3DS.
Endpoint: POST /v1/payments
Authentication: Publishable key
- JSON
- cURL
{
"amount": 10000,
"currency": "SAR",
"callback_url": "https://merchant.example/return",
"source": {
"type": "creditcard",
"name": "John Doe",
"number": "4111111111111111",
"month": "12",
"year": "2030",
"cvc": "123",
"card_auth_data": {
"provider": "acme-mpi",
"eci": "05",
"authentication_value": "AAICCGhVkQAAACcQaCFSdYh0YUg=",
"ds_transaction_id": "f8c3a0d2-7e76-4df1-8ba4-f457386d14bf",
"version": "2.2.0",
"transaction_status": "Y"
}
}
}
curl -X POST https://api.moyasar.com/v1/payments \
-u pk_test_YOUR_PUBLISHABLE_KEY: \
-H "Content-Type: application/json" \
-d '{
"amount": 10000,
"currency": "SAR",
"callback_url": "https://merchant.example/return",
"source": {
"type": "creditcard",
"name": "John Doe",
"number": "4111111111111111",
"month": "12",
"year": "2030",
"cvc": "123",
"card_auth_data": {
"provider": "acme-mpi",
"eci": "05",
"authentication_value": "AAICCGhVkQAAACcQaCFSdYh0YUg=",
"ds_transaction_id": "f8c3a0d2-7e76-4df1-8ba4-f457386d14bf",
"version": "2.2.0",
"transaction_status": "Y"
}
}
}'
Fields
| Field | Required | Description |
|---|---|---|
provider | Yes | Identifies where the 3DS data originated (e.g. the MPI or provider that produced it). |
eci | Yes | Electronic Commerce Indicator. |
authentication_value | Yes | The authentication value (CAVV / AAV), Base64. |
ds_transaction_id | Yes | Directory Server transaction ID. |
version | Yes | 3DS protocol version (e.g. 2.2.0). |
transaction_status | Yes | EMVCo transaction status (e.g. Y). |
auth_scheme | No | Directory Server used (visa, mada, master). |
acs_transaction_id | No | ACS transaction ID. |
ds_reference_number | No | Directory Server reference number. |
acs_reference_number | No | ACS reference number. |
Some acquirers require the full set of 3DS values, including acs_transaction_id,
ds_reference_number, and acs_reference_number. If your acquirer rejects the
payment with a data validation error, include these optional fields.