OTP Delegate

The OTP Delegate flow uses an SMS OTP challenge to satisfy the possession SCA factor. Rather than Apata sending the OTP directly to the cardholder, the issuer handles delivery - and optionally verification - keeping phone numbers and OTP logic within the issuer's own system.

Delegate Send Only

Apata generates the OTP and passes it to the issuer via webhook. The issuer delivers it to the cardholder. Apata verifies the code when the cardholder submits it.

Delegate Send and Verify

Apata triggers the issuer to generate and send the OTP. When the cardholder submits the code, Apata delegates verification to the issuer as well. The issuer's phone numbers and OTP logic are never shared with Apata.

See the SMS OTP challenge method for configuration details. API references: One Time Passcode webhook · Verify One Time Passcode webhook.


Delegate Send Only

Apata generates a 6-digit OTP and includes it in the webhook payload. The issuer delivers it to the cardholder via SMS. Apata handles verification when the cardholder submits the code in the Challenge Interface.

How It Works

  1. Apata receives an AReq and calls the Card Link endpoint to fetch card details.
  2. The Risk Profile is evaluated - a challenge is required.
  3. On receiving the CReq, Apata generates a 6-digit OTP.
  4. Apata calls the One Time Passcode webhook with the OTP included in the payload.
  5. The issuer sends the OTP to the cardholder via SMS.
  6. The cardholder submits the OTP in the Challenge Interface.
  7. Apata verifies the OTP and completes the RReq/RRes exchange.

Sequence Diagram

sequenceDiagram
    autonumber
    participant ch as Cardholder
    participant 3ds as 3DS Server
    participant ds as Directory Server
    participant acs as Apata ACS
    participant issuer as Issuer
    ch->>3ds: Initiate transaction
    3ds->>ds: AReq
    ds->>acs: AReq
    acs->>issuer: Card Link request
    issuer->>acs: Card details
    acs->>acs: Evaluate Risk Profile - challenge required
    acs->>ds: ARes (transStatus C)
    ds->>3ds: ARes (transStatus C)
    3ds->>acs: CReq
    acs->>acs: Generate 6-digit OTP
    acs->>issuer: One Time Passcode webhook (includes OTP)
    acs->>ch: Render Challenge Interface
    issuer->>ch: Deliver OTP via SMS
    ch->>acs: Submit OTP
    acs->>acs: Verify OTP
    acs->>ds: RReq
    ds->>3ds: RReq
    3ds->>ds: RRes
    ds->>acs: RRes
    acs->>ch: Redirect to merchant
    opt Finalised Event
        acs->>issuer: Finalised Event notification
    end

Delegate Send and Verify

Apata triggers the issuer to generate and send the OTP. The passcode field is omitted from the webhook payload - the issuer generates its own OTP. When the cardholder submits the code, Apata calls a second webhook to delegate verification to the issuer. Neither the cardholder's phone number nor the OTP is ever shared with Apata.

How It Works

  1. Apata receives an AReq and calls the Card Link endpoint to fetch card details.
  2. The Risk Profile is evaluated - a challenge is required.
  3. On receiving the CReq, Apata calls the One Time Passcode webhook without a passcode, signalling the issuer to generate and send its own OTP.
  4. The issuer generates and delivers the OTP to the cardholder via SMS.
  5. The cardholder submits the OTP in the Challenge Interface.
  6. Apata calls the Verify One Time Passcode webhook, passing the submitted code to the issuer for verification.
  7. The issuer returns the verification result.
  8. Apata completes the RReq/RRes exchange.
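The issuer side of the two webhooks described above, as an added example (not Apata's code or any issuer's): one handler branches on whether `passcode` is present, and the verify handler enforces expiry, an attempt limit and single use. The `transaction_id` field name, the `send_sms` callable, the 6-digit length for issuer-generated codes, and the TTL and attempt limits are assumptions, not values from the API reference.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: validity window chosen by the issuer
MAX_ATTEMPTS = 3       # assumption: verification attempts allowed per OTP


class IssuerOtpService:
    """Hypothetical issuer-side handler for both delegate modes."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # assumed callable: (transaction id, otp) -> None
        self._clock = clock
        self._pending = {}         # transaction id -> issuer-generated OTP record

    def on_otp_webhook(self, payload):
        """One Time Passcode webhook: deliver the OTP, generating it if absent."""
        txn = payload["transaction_id"]  # hypothetical field name
        passcode = payload.get("passcode")
        if passcode is not None:
            # Delegate Send Only: Apata generated the OTP and will verify it.
            self._send_sms(txn, passcode)
            return "send_only"
        # Delegate Send and Verify: no passcode, so generate one from a CSPRNG.
        otp = f"{secrets.randbelow(10**6):06d}"  # 6 digits is an assumption here
        self._pending[txn] = {"otp": otp, "attempts": 0,
                              "expires": self._clock() + OTP_TTL_SECONDS}
        self._send_sms(txn, otp)
        return "send_and_verify"

    def on_verify_webhook(self, payload):
        """Verify One Time Passcode webhook: return the verification result."""
        txn = payload["transaction_id"]
        rec = self._pending.get(txn)
        if rec is None:
            return False  # unknown transaction, already used, or Send Only mode
        if self._clock() > rec["expires"]:
            del self._pending[txn]
            return False
        rec["attempts"] += 1
        submitted = str(payload.get("passcode", "")).encode()
        ok = hmac.compare_digest(submitted, rec["otp"].encode())  # constant time
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[txn]  # single use on success, lockout on failures
        return ok
```

Binding the stored code to the transaction identifier means a code issued for one challenge cannot satisfy the Verify webhook for another.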

Sequence Diagram

sequenceDiagram
    autonumber
    participant ch as Cardholder
    participant 3ds as 3DS Server
    participant ds as Directory Server
    participant acs as Apata ACS
    participant issuer as Issuer
    ch->>3ds: Initiate transaction
    3ds->>ds: AReq
    ds->>acs: AReq
    acs->>issuer: Card Link request
    issuer->>acs: Card details
    acs->>acs: Evaluate Risk Profile - challenge required
    acs->>ds: ARes (transStatus C)
    ds->>3ds: ARes (transStatus C)
    3ds->>acs: CReq
    acs->>issuer: One Time Passcode webhook (no OTP)
    acs->>ch: Render Challenge Interface
    issuer->>ch: Deliver OTP via SMS
    ch->>acs: Submit OTP
    acs->>issuer: Verify One Time Passcode webhook
    issuer->>acs: Verification result
    acs->>ds: RReq
    ds->>3ds: RReq
    3ds->>ds: RRes
    ds->>acs: RRes
    acs->>ch: Redirect to merchant
    opt Finalised Event
        acs->>issuer: Finalised Event notification
    end

The Finalised Event webhook is optional and delivers the full transaction outcome to the issuer once authentication is complete. See the Finalised Event guide for details.