Strong Customer Authentication (SCA) is a regulatory requirement introduced under the Second Payment Services Directive (PSD2) in the European Economic Area (EEA). It aims to enhance security and reduce fraud risk.
These endpoints allow your customers to comply with SCA, ensuring seamless integration over API while meeting security requirements.
Please read this guide to understand how SCA integration works.
SCA is required for high-risk and low-risk operations. On low-risk operations, clearing SCA once opens a 5-minute window during which SCA won't be requested again.
A One-Time Token is generated when accessing an endpoint secured by SCA. This token includes a list of all available challenges to complete. To view the challenges and their statuses linked to the token, please use the status endpoint.
Alternatively, you can use the create SCA session endpoint to manually trigger SCA and return a One-Time Token.
At least two challenges must be completed to access an SCA-secured endpoint. For low-risk operations, access to these endpoints is valid for 5 minutes before the One-Time Token expires.
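As an added example (not Wise's own code), the following Python sketch applies the rules above to a One-Time Token resource: it counts passed challenges against the two-challenge minimum and tracks expiry from the validity field. The function name, the assumption that validity is counted from the moment the response was received, and the two placeholder challenge type names are illustrative; only the PIN type appears on this page.

```python
import time

MIN_PASSED_CHALLENGES = 2  # from the page: at least two challenges must be completed


def evaluate_one_time_token(resource, received_at, now=None):
    """Summarise a One-Time Token resource for the caller.

    received_at and now are epoch seconds on the caller's clock. Assumption of
    this sketch: validity is counted from when the response was received.
    """
    now = time.time() if now is None else now
    # The create SCA session response nests the token under this key.
    resource = resource.get("oneTimeTokenProperties", resource)
    token = resource.get("oneTimeToken")
    challenges = resource.get("challenges")
    validity = resource.get("validity")
    if not isinstance(token, str) or not isinstance(challenges, list):
        raise ValueError("not a One-Time Token resource")
    if isinstance(validity, bool) or not isinstance(validity, (int, float)):
        raise ValueError("validity must be a number of seconds")

    passed, pending = [], []
    for entry in challenges:
        ctype = entry["primaryChallenge"]["type"]
        # Only the literal boolean true counts; a string such as "true" does not.
        (passed if entry.get("passed") is True else pending).append(ctype)

    expired = now >= received_at + validity
    return {
        "passed": passed,
        "pending": pending,
        "expired": expired,
        "cleared": not expired and len(passed) >= MIN_PASSED_CHALLENGES,
    }


# Constructed sample. Only "PIN" is a type shown on the page; the other two
# names are placeholders, not real challenge type values.
SAMPLE = {
    "oneTimeToken": "00000000-0000-0000-0000-000000000000",
    "challenges": [
        {"primaryChallenge": {"type": "PIN"}, "passed": True},
        {"primaryChallenge": {"type": "PLACEHOLDER_POSSESSION"}, "passed": False},
        {"primaryChallenge": {"type": "PLACEHOLDER_INHERENCE"}, "passed": False},
    ],
    "validity": 3600,
}
```

When the result reports the token as expired, the pending list is no longer actionable and a new One-Time Token has to be obtained before retrying the verify endpoints.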
A One-Time Token unique identifier.
An array of challenges.
A type of challenge.
The status of a challenge.
The One-Time Token expiration in seconds.
{
  "oneTimeToken": "5932d5b5-ec13-452f-8688-308feade7834",
  "challenges": [
    {
      "primaryChallenge": {
        "type": "PIN"
      },
      "passed": false
    }
  ],
  "validity": 3600
}

Set the One-Time Token property in the request headers to return the challenges associated with it.
Returns a One-Time Token
curl -X GET \
'https://api.sandbox.transferwise.tech/v1/one-time-token/status' \
-H 'Authorization: Bearer <your api token>' \
-H 'One-Time-Token: <one time token>'

Creates a new PIN factor used to resolve an SCA knowledge challenge type.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
A four-digit string.
The PIN has been successfully created.
A PIN has already been created for this profile.
curl -X POST \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin' \
-H 'Authorization: Bearer <your api token>' \
-H 'Accept: application/jose+json' \
-H 'Accept-Encoding: identity' \
-H 'Content-Type: application/jose+json' \
-H 'Content-Encoding: identity' \
-H 'X-tw-jose-method: jwe' \
-d '
{
"pin" : "1234"
}'

Verifies a PIN challenge when calling an SCA-secured endpoint. Please make sure to create a PIN before using this endpoint.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
A One-Time Token unique identifier.
A 4-digit string.
Returns a One-Time Token resource.
The PIN has been successfully verified.
The PIN verification failed.
curl -X POST \
https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin/verify \
-H 'Authorization: Bearer <your api token>' \
-H 'Accept: application/jose+json' \
-H 'Accept-Encoding: identity' \
-H 'Content-Type: application/jose+json' \
-H 'Content-Encoding: identity' \
-H 'X-tw-jose-method: jwe' \
-H 'One-Time-Token: <one time token>' \
-d '
{
"pin" : "1234"
}'

Deletes a PIN associated with a profile.
To update a PIN for a profile, please use this endpoint followed by create a PIN.
The PIN has been deleted.
No PIN has been set up for this profile.
curl -X DELETE \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/pin' \
-H 'Authorization: Bearer <your api token>'

Creates a new device fingerprint factor used to resolve an SCA possession challenge type.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
A string value used as a device fingerprint.
The identifier of the device fingerprint
The device fingerprint creation timestamp
The device fingerprint has been successfully created.
The device fingerprint has already been created.
Maximum number of device fingerprints reached (default is 3).
curl -X POST \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints' \
-H 'Authorization: Bearer <your api token>' \
-H 'Accept: application/jose+json' \
-H 'Accept-Encoding: identity' \
-H 'Content-Type: application/jose+json' \
-H 'Content-Encoding: identity' \
-H 'X-tw-jose-method: jwe' \
-d '
{
"deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"
}'

{
  "deviceFingerprintId": "636a5514-aa86-4719-8700-e9a9a0ae7ea7",
  "createdAt": "2025-05-24T07:27:58.273205554Z"
}

Verifies a device fingerprint challenge when calling an SCA-secured endpoint. Please make sure to create a device fingerprint before using this endpoint.
Note that the request and response are encrypted using the JOSE framework. Please refer to this guide to understand how encryption and decryption work.
A One-Time Token unique identifier.
A device fingerprint value.
Returns a One-Time Token resource.
The device fingerprint has been successfully verified.
The device fingerprint verification failed.
curl -X POST \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints/verify' \
-H 'Authorization: Bearer <your api token>' \
-H 'Accept: application/jose+json' \
-H 'Accept-Encoding: identity' \
-H 'Content-Type: application/jose+json' \
-H 'Content-Encoding: identity' \
-H 'X-tw-jose-method: jwe' \
-H 'One-Time-Token: <one time token>' \
-d '
{
"deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"
}'

Deletes a device fingerprint associated with a profile. Include the deviceFingerprintId in the URL to delete a device fingerprint. This ID is provided in the response when the device fingerprint is created.
The device fingerprint has been deleted.
The deviceFingerprintId does not exist.
curl -X DELETE \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/device-fingerprints/{{deviceFingerprintId}}' \
-H 'Authorization: Bearer <your api token>'

Creates a new facemap factor used to resolve an SCA inherence challenge type.
A facemap should be exported from your FaceTec server using the SDK's export API. Please use Wise's FaceTec public key to encrypt the facemap during the export process.
A base64 encoded string.
The facemap has been successfully created.
A facemap has already been created for this profile.
curl -X POST \
https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps \
-H 'Authorization: Bearer <your api token>' \
-d '{
"faceMap": "<base64 encrypted facemap>"
}'

Verifies a facemap challenge when calling an SCA-secured endpoint. Please make sure to create a facemap before using this endpoint.
A facemap should be exported from your FaceTec server using the SDK's export API. Please use Wise's FaceTec public key to encrypt a facemap during the export process.
A One-Time Token unique identifier.
A base64 encoded string.
Returns a One-Time Token resource.
The facemap has been successfully verified.
The facemap verification failed.
curl -X POST \
https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps/verify \
-H 'Authorization: Bearer <your api token>' \
-H 'One-Time-Token: <one time token>' \
-d '{
"faceMap": "<base64 encoded string>"
}'

Deletes a facemap associated with a profile.
To update a facemap for a profile, please use this endpoint followed by create a facemap.
The facemap has been deleted.
No facemap has been set up for this profile.
curl -X DELETE \
'https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/facemaps' \
-H 'Authorization: Bearer <your api token>'

SCA can be triggered manually, allowing more control when integrating with our APIs. The endpoint returns a One-Time Token along with a list of associated challenges. These challenges can be cleared with the verify endpoints.
Returns a list of challenges to clear SCA.
Properties of OneTimeToken
curl -X POST \
https://api.sandbox.transferwise.tech/v2/profiles/{{profileId}}/sca-sessions/authorise \
-H 'Authorization: Bearer <your api token>'

{
  "oneTimeTokenProperties": {
    "oneTimeToken": "9f5f5812-2609-4e48-8418-b64437c0c7cd",
    "challenges": [
      {
        "primaryChallenge": {
          "type": "PIN"
        },
        "passed": false
      }
    ],
    "validity": 3600
  }
}