You can specify which method to use via the X-Qonto-2fa-Preference header. The possible values are paired-device, passkey, and sms-otp. If no header is present, the default becomes paired-device.

If paired-device is selected and the user has not paired a device yet, you’ll get a 428 Precondition Required response with a message encouraging you to its enablement.

• With paired-device, the user will get a push notification on his device to authorise the action, and you’ll receive a 428 Precondition Required response containing, among other fields, a “SCA required” message and a sca_session_token that you will need to reuse after. You have 15 minutes to use this token before it expires.
• If passkey is used as a method, the user will receive a text message with a link to setup or use an existing passkey, and you’ll receive a 428 Precondition Required response containing, among other fields, a “Passkey verification required” message and a sca_session_token that you will need to reuse after. You have 15 minutes to use this token before it expires.

At this point, you can poll GET thirdparty.qonto.com/v2/sca_sessions/<sca-session-token>" each second (at most) which will generate three possible outcomes:

• waiting: if the user has not authorized the action yet;
• deny: if the user refused the action (or more than 15 minutes passed);
• allow: if the user has authorised the action.

Once the user has authorized the action, you can use the sca_session_token value from the previous response to set the X-Qonto-Sca-Session-Token header and repeat the original sensitive action request with no other change than the new header. Note: It’s important that you replay the same request including the X-Qonto-2fa-Preference header if it was added to the original request.

• If the token has expired or is invalid, you will receive a 412 Precondition Failed with a message providing more information.
• If the token is valid, the action will be effectively processed by the API.

If sms-otp is used as a method, you’ll receive a 428 Precondition Required response with the following payload:

{
    "code": "thirdparty_sms_otp_required",
    "message": "Thirdparty SMS OTP required"
}

At this point, the user will receive an SMS containing a one-time passcode (OTP).

You should implement a form to capture this OTP from the user, as shown in the image below. The recommended approach is to build a simple form where the user can enter the code they received via SMS.

You might also want to include an option for users to request a new OTP if they haven’t received the first one. To resend an OTP, simply repeat the original sensitive action request with the same parameters. There’s no separate API endpoint for resending - the same request will trigger a new SMS to be sent.

Once you have the OTP from the user, include it in the X-Qonto-MFA header and repeat the original request with no other changes. Make sure to include the X-Qonto-2fa-Preference header with the value sms-otp.

Note: The SMS OTP option is only available to Embed Partners. SMS OTP should be considered a fallback option and not one of the primary authentication methods as it’s less secure than paired devices or passkeys. Qonto may review usage patterns and could apply limitations if SMS OTP is consistently used as the primary SCA method.

When you initiate a sensitive action, set the X-Qonto-2fa-Preference header to mock. This tells the system to simulate the authentication process.

Use the following endpoint to check the status of your mocked SCA session: GET https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>.
This endpoint functions similarly to the production polling endpoint, providing real-time updates on the session status.

You can simulate the approval or denial of the action using these endpoints:

• To approve the action: POST https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>/allow
• To deny the action: POST https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>/deny

Set the X-Qonto-2fa-Preference header to mock