One Time Token
Represents a list of challenges that a user needs to clear in order to access protected resources.
Commonly used for Strong Customer Authentication & 2FA.
Learn from our guide to understand One Time Token Framework.
To ease reading in this document, we will use OTT as an abbreviation for one time token.
We suggest the following method to check if the OTT is ready to access an SCA protected endpoint.
Iterate through the challenges array and look for any challenge that has the following properties:
- required is true
- passed is false
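The readiness check described above, written out as an added example (not Wise's own code). Function names are hypothetical and endpoint paths are the ones listed on this page. Treating a missing passed flag as not passed, and a validity of 0 or less as expired, are assumptions made so that the check fails closed.

```python
BASE = "/v1/one-time-token"  # endpoint paths below are the ones listed on this page
TRIGGER_THEN_VERIFY = {"SMS": "sms", "WHATSAPP": "whatsapp", "VOICE": "voice"}
VERIFY_ONLY = {"PIN": "pin", "FACE_MAP": "facemap"}
# DEVICE FINGERPRINT is left out: no sample response here shows its exact type string.

def unwrap(body):
    """Accept a bare OneTimeToken or the {"oneTimeTokenProperties": ...} wrapper."""
    return body.get("oneTimeTokenProperties", body)

def pending(body):
    """Challenges that still block the OTT: required is true and passed is not true."""
    challenges = unwrap(body).get("challenges")
    if not isinstance(challenges, list):
        raise ValueError("response has no challenges array")
    # Assumption: fail closed, so a missing 'passed' flag counts as not passed.
    return [c for c in challenges
            if c.get("required") is True and c.get("passed") is not True]

def is_ready(body):
    """True only when nothing required is pending and validity (seconds) is positive."""
    try:
        return unwrap(body).get("validity", 0) > 0 and not pending(body)
    except (ValueError, TypeError, AttributeError):
        return False  # malformed response: do not call the protected endpoint

def next_steps(body):
    """Requests needed, in order, to clear the first pending challenge."""
    todo = pending(body)
    if not todo:
        return []
    ctype = todo[0]["primaryChallenge"]["type"]
    if ctype in TRIGGER_THEN_VERIFY:
        seg = TRIGGER_THEN_VERIFY[ctype]
        return [f"POST {BASE}/{seg}/trigger", f"POST {BASE}/{seg}/verify"]
    if ctype in VERIFY_ONLY:
        return [f"POST {BASE}/{VERIFY_ONLY[ctype]}/verify"]
    raise ValueError(f"unhandled challenge type: {ctype}")

# Samples: the first two mirror this page's JSON; the SMS one is constructed.
PENDING_PIN = {"challenges": [{"primaryChallenge": {"type": "PIN"}, "alternatives": [],
                               "required": True, "passed": False}], "validity": 3600}
CLEARED = {"oneTimeTokenProperties": {"challenges": [], "validity": 3600}}
PENDING_SMS = {"oneTimeTokenProperties": {"challenges": [
    {"primaryChallenge": {"type": "SMS"}, "required": True, "passed": False}], "validity": 3600}}

if __name__ == "__main__":
    for sample in (PENDING_PIN, CLEARED, PENDING_SMS):
        print(is_ready(sample), next_steps(sample))
```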
oneTimeToken: Unique identifier of a one time token.
challenges: Array of ChallengeObject.
validity: Seconds until the one time token expires.
actionType: The action bound to the one time token. For example: BALANCE__GET_STATEMENT when we want to retrieve a balance account statement.
userId: Creator of this one time token.
{"oneTimeToken": "5932d5b5-ec13-452f-8688-308feade7834","challenges": [{"primaryChallenge": {"type": "PIN","viewData": {"attributes": {"userId": 6146956}}},"alternatives": [],"required": true,"passed": false}],"validity": 3600,"actionType": "BALANCE__GET_STATEMENT","userId": 6146956}
primaryChallenge: Type of challenge the user can do.
alternatives: Alternative challenges that the user can do instead of the primary one.
required: Whether this challenge is required to pass the OTT.
passed: Status of this challenge.
{"primaryChallenge": {"type": "PIN","viewData": {"attributes": {"userId": 6146956}}},"alternatives": [],"required": true,"passed": false}
An object that provides data required to present a challenge window. It can be messages, IDs, or other attributes.
{"type": "PIN","viewData": {"attributes": {"userId": 6146956}}}
Enumerated string that indicates what sort of challenge user can do to pass the associated OTT.
Type | Pre-requisite | Endpoint to trigger challenge | Endpoint to perform challenge |
---|---|---|---|
PIN | Create Pin | - | Verify Pin |
FACE_MAP | Enrol FaceMap | - | Verify FaceMap |
SMS | Create Phone Number | Trigger SMS Challenge | Verify SMS |
WHATSAPP | Create Phone Number | Trigger WhatsApp Challenge | Verify WhatsApp |
VOICE | Create Phone Number | Trigger Voice Challenge | Verify Voice |
DEVICE FINGERPRINT | Create Device Fingerprint | - | Verify Device Fingerprint |
GET /v1/one-time-token/status
Notes:
- GET /v1/identity/one-time-token/status will be deprecated soon.
- Please use the new endpoint /v1/one-time-token/status instead.
Retrieve necessary information to clear an OTT.
Request
Text value of a OTT.
Response
Properties of OneTimeToken
curl -X GET https://api.sandbox.transferwise.tech/v1/one-time-token/status \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [{"primaryChallenge": {"type": "PIN","viewData": {"attributes": {"userId": 6146956}}},"alternatives": [],"required": true,"passed": false}],"validity": 3600,"actionType": "BALANCE__GET_STATEMENT","userId": 6146956}}
POST /v1/one-time-token/pin/verify
To clear a PIN challenge listed in an OTT.
Notes:
- User is required to create a PIN before the verification can be successful.
- A rate limit may be applied after 5 consecutive unsuccessful attempts, and OTT creation will be blocked for 15 minutes.
Request
Text value of an OTT.
PIN that was set up using the create pin endpoint.
Response
Properties of OneTimeToken.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/pin/verify \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Content-Type: application/jose+json' \
  -H 'X-TW-JOSE-Method: jwe' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: *' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"pin": "1111"}'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}
POST /v1/one-time-token/partner-device-fingerprint/verify
To clear a Device Fingerprint challenge listed in an OTT.
Notes:
- User is required to create a device fingerprint before the verification can be successful.
- A rate limit may be applied after 5 consecutive unsuccessful attempts, and OTT creation will be blocked for 15 minutes.
Request
Text value of an OTT.
Device Fingerprint previously set.
curl -X POST 'https://api.sandbox.transferwise.tech/v1/one-time-token/partner-device-fingerprint/verify' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Content-Type: application/jose+json' \
  -H 'X-TW-JOSE-Method: jwe' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: *' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"}'
Response
Properties of OneTimeToken.
When successful, the response may return the next challenge in the challenges array. If the challenges array is empty, you may now use the OTT to access an SCA protected endpoint.
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}
POST /v1/one-time-token/facemap/verify
To clear a FACE_MAP challenge listed in an OTT.
Notes:
- User is required to enrol a facemap before the verification can be successful.
- A rate limit may be applied after 5 consecutive unsuccessful attempts, and OTT creation will be blocked for 15 minutes.
Request
Text value of an OTT.
Base64-encoded binary data as a string.
For more details on how to get this binary, please read FaceTec's export API.
To retrieve Wise's FaceTec public key, please refer to our FaceTec Get Public Key API.
Response
Properties of OneTimeToken.
When successful, the response may return the next challenge in the challenges array. If the challenges array is empty, you may now use the OTT to access an SCA protected endpoint.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/facemap/verify \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"faceMap": "<base64_encoded_string>"}'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}
POST /v1/one-time-token/sms/trigger
To trigger an SMS challenge by sending an SMS containing a 6 digit one time password (OTP) to the user's verified phone number.
This OTP code can be used to clear an SMS challenge by using the verify sms endpoint.
Request
Text value of an OTT.
Response
Obfuscated phone number that can be used as a hint for the end customer regarding which phone number the SMS was sent to.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/sms/trigger \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>'
{"obfuscatedPhoneNo": "*********8888"}
POST /v1/one-time-token/sms/verify
To clear an SMS challenge listed in an OTT.
Notes:
- User is required to have a verified phone number. See create phone number for more information.
- Trigger SMS Challenge is required to be called first.
- Since we won't be sending real SMS on sandbox, the OTP Code will always be 111111.
Request
Text value of an OTT.
6 digit OTP code in text format.
Response
Properties of OneTimeToken.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/sms/verify \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"otpCode": "111111"}'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}
POST /v1/one-time-token/whatsapp/trigger
To trigger a WhatsApp challenge by sending a WhatsApp message containing a 6 digit one time password (OTP) to the user's verified phone number.
This OTP code can be used to clear a WHATSAPP challenge by using the verify whatsapp endpoint.
Request
Text value of an OTT.
Response
Obfuscated phone number that can be used as a hint for the end customer regarding which phone number the WhatsApp message was sent to.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/whatsapp/trigger \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>'
{"obfuscatedPhoneNo": "*********8888"}
POST /v1/one-time-token/whatsapp/verify
To clear a WHATSAPP challenge listed in an OTT.
Notes:
- User is required to have a verified phone number. See create phone number for more information.
- Trigger WhatsApp Challenge is required to be called first.
- Since we won't be sending real WhatsApp messages on sandbox, the OTP Code will always be 111111.
Request
Text value of an OTT.
6 digit OTP code in text format.
Response
Properties of OneTimeToken.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/whatsapp/verify \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"otpCode": "111111"}'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}
POST /v1/one-time-token/voice/trigger
To trigger a Voice challenge by sending a voice message containing a 6 digit one time password (OTP) to the user's verified phone number.
This OTP code can be used to clear a VOICE challenge by using the verify voice endpoint.
Request
Text value of an OTT.
Response
Obfuscated phone number that can be used as a hint for the end customer regarding which phone number the voice message was sent to.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/voice/trigger \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>'
{"obfuscatedPhoneNo": "*********8888"}
POST /v1/one-time-token/voice/verify
To clear a VOICE challenge listed in an OTT.
Notes:
- User is required to have a verified phone number. See create phone number for more information.
- Trigger Voice Challenge is required to be called first.
- Since we won't be sending real voice messages on sandbox, the OTP Code will always be 111111.
Request
Text value of an OTT.
6 digit OTP code in text format.
Response
Properties of OneTimeToken.
curl -X POST https://api.sandbox.transferwise.tech/v1/one-time-token/voice/verify \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"otpCode": "111111"}'
{"oneTimeTokenProperties": {"oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd","challenges": [],"validity": 3600}}