Strong Customer Authentication
Strong Customer Authentication (SCA) is a regulatory requirement introduced under the Second Payment Services Directive (PSD2) in the European Economic Area (EEA). It aims to enhance security and reduce fraud risk.
These endpoints allow your customers to comply with SCA, ensuring seamless integration over API while meeting security requirements.
Please read this guide to understand how SCA integration works.
SCA is required for high-risk and low-risk operations. On low-risk operations, clearing SCA once opens a 5-minute window during which SCA won't be requested again.
A One-Time Token is generated when accessing an endpoint secured by SCA. This token includes a list of all available challenges to complete. To view the challenges and their statuses linked to the token, please use the status endpoint.
Alternatively, you can use the create SCA session endpoint to manually trigger SCA and return a One-Time Token.
At least two challenges must be completed to access an SCA-secured endpoint. For low-risk operations, access to these endpoints is valid for 5 minutes before the One-Time Token expires.
A One-Time Token unique identifier.
An array of challenges.
A type of challenge.
The status of a challenge.
The One-Time Token expiration in seconds.
{
  "oneTimeToken": "5932d5b5-ec13-452f-8688-308feade7834",
  "challenges": [
    {
      "primaryChallenge": {
        "type": "PIN"
      },
      "passed": false
    }
  ],
  "validity": 3600
}
Request
Set the One-Time Token property in the request headers to return the challenges associated with it.
curl -X GET 'https://api.sandbox.transferwise.tech/v1/one-time-token/status' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>'
Response
Returns a One-Time Token
Creates a new PIN factor used to resolve an SCA knowledge challenge type.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
Request
A four-digit string.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: identity' \
  -H 'Content-Type: application/jose+json' \
  -H 'Content-Encoding: identity' \
  -H 'X-tw-jose-method: jwe' \
  -d '{"pin" : "1234"}'
Response
The PIN has been successfully created.
A PIN has already been created for this profile.
Verifies a PIN challenge when calling an SCA-secured endpoint. Please make sure to create a PIN before using this endpoint.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
Request
A One-Time Token unique identifier.
A 4-digit string.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin/verify' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: identity' \
  -H 'Content-Type: application/jose+json' \
  -H 'Content-Encoding: identity' \
  -H 'X-tw-jose-method: jwe' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"pin" : "1234"}'
Response
Returns a One-Time Token resource
The PIN has been successfully verified.
The PIN verification failed.
Deletes a PIN associated with a profile.
To update a PIN for a profile, please use this endpoint and then create a PIN.
curl -X DELETE 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin' \
  -H 'Authorization: Bearer <your api token>'
Response
The PIN has been deleted.
No PIN has been set up for this profile.
Creates a new device fingerprint factor used to resolve an SCA possession challenge type.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
Request
A string value used as a device fingerprint.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: identity' \
  -H 'Content-Type: application/jose+json' \
  -H 'Content-Encoding: identity' \
  -H 'X-tw-jose-method: jwe' \
  -d '{"deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"}'
Response
The identifier of the device fingerprint
The device fingerprint creation timestamp
The device fingerprint has been successfully created.
The device fingerprint has already been created.
Maximum number of device fingerprints reached (default is 3).
{
  "deviceFingerprintId": "636a5514-aa86-4719-8700-e9a9a0ae7ea7",
  "createdAt": "2025-05-24T07:27:58.273205554Z"
}
Verifies a device fingerprint challenge when calling an SCA-secured endpoint. Please make sure to create a device fingerprint before using this endpoint.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
Request
A One-Time Token unique identifier.
A device fingerprint value.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints/verify' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: identity' \
  -H 'Content-Type: application/jose+json' \
  -H 'Content-Encoding: identity' \
  -H 'X-tw-jose-method: jwe' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"}'
Response
Returns a One-Time Token resource
The device fingerprint has been successfully verified.
The device fingerprint verification failed.
Deletes a device fingerprint associated with a profile. Include the deviceFingerprintId in the URL to delete a device fingerprint. This ID is provided in the response when the device fingerprint is created.
curl -X DELETE 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints/{{deviceFingerprintId}}' \
  -H 'Authorization: Bearer <your api token>'
Response
The device fingerprint has been deleted.
The deviceFingerprintId does not exist.
Creates a new facemap factor used to resolve an SCA inherence challenge type.
A facemap should be exported from your FaceTec server using the SDK's export API. Please use Wise's FaceTec public key to encrypt the facemap during the export process.
Request
A base64 encoded string.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps' \
  -H 'Authorization: Bearer <your api token>' \
  -d '{"faceMap": "<base64 encrypted facemap>"}'
Response
The facemap has been successfully created.
A facemap has already been created for this profile.
Verifies a facemap challenge when calling an SCA-secured endpoint. Please make sure to create a facemap before using this endpoint.
A facemap should be exported from your FaceTec server using the SDK's export API. Please use Wise's FaceTec public key to encrypt a facemap during the export process.
Request
A One-Time Token unique identifier.
A base64 encoded string.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps/verify' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'One-Time-Token: <one time token>' \
  -d '{"faceMap": "<base64 encoded string>"}'
Response
Returns a One-Time Token resource
The facemap has been successfully verified.
The facemap verification failed.
Deletes a facemap associated with a profile.
To update a facemap for a profile, please use this endpoint and then create a facemap.
curl -X DELETE 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps' \
  -H 'Authorization: Bearer <your api token>'
Response
The facemap has been deleted.
No facemap has been set up for this profile.
SCA can be triggered manually, allowing more control when integrating with our APIs. The endpoint returns a One-Time Token along with a list of associated challenges. These challenges can be cleared with the verify endpoints.
curl -X POST 'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/sca-sessions/authorise' \
  -H 'Authorization: Bearer <your api token>'
Response
Returns a list of challenges to clear SCA.
Properties of OneTimeToken
{
  "oneTimeTokenProperties": {
    "oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd",
    "challenges": [
      {
        "primaryChallenge": {
          "type": "PIN"
        },
        "passed": false
      }
    ],
    "validity": 3600
  }
}
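The following is an added example, not code from Wise, showing how a client could evaluate a One-Time Token response in either shape on this page (the bare resource from the status endpoint, or the oneTimeTokenProperties wrapper from the SCA session endpoint) against the two-challenge rule. The function name, the sample tokens and the "EXAMPLE_SECOND_FACTOR" type are constructed, and it assumes validity counts seconds from when the response was received.

```python
import json

REQUIRED_PASSED = 2  # the page: at least two challenges must be completed

def evaluate_sca(body, received_at, now):
    """Summarise a One-Time Token response (bare or wrapped form)."""
    doc = json.loads(body)  # strict JSON: trailing commas raise an error
    # The SCA session endpoint wraps the resource; the status endpoint does not.
    ott = doc.get("oneTimeTokenProperties", doc)
    token = ott.get("oneTimeToken")
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no oneTimeToken")
    passed, pending = [], []
    for ch in ott.get("challenges", []):
        ctype = ch.get("primaryChallenge", {}).get("type", "UNKNOWN")
        # Fail closed: only a literal true counts as passed.
        (passed if ch.get("passed") is True else pending).append(ctype)
    validity = ott.get("validity")
    # Assumption: validity is seconds counted from when the response arrived.
    expired = not isinstance(validity, (int, float)) or now - received_at >= validity
    return {"oneTimeToken": token, "passed": passed, "pending": pending,
            "expired": expired,
            "cleared": not expired and len(passed) >= REQUIRED_PASSED}

# Constructed samples; "EXAMPLE_SECOND_FACTOR" is a placeholder type value.
def _challenge(ctype, passed):
    return {"primaryChallenge": {"type": ctype}, "passed": passed}

STATUS_SAMPLE = json.dumps({
    "oneTimeToken": "00000000-0000-0000-0000-000000000001",
    "challenges": [_challenge("PIN", True),
                   _challenge("EXAMPLE_SECOND_FACTOR", True)],
    "validity": 3600})
SESSION_SAMPLE = json.dumps({"oneTimeTokenProperties": {
    "oneTimeToken": "00000000-0000-0000-0000-000000000002",
    "challenges": [_challenge("PIN", False)],
    "validity": 3600}})

if __name__ == "__main__":
    print(evaluate_sca(STATUS_SAMPLE, 0.0, 10.0))
    print(evaluate_sca(SESSION_SAMPLE, 0.0, 10.0))
```

The result is only a local view used to decide which verify call to make next; the API still decides whether the secured request is allowed.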