POST /v2/my-sca-action

The endpoint above is only for illustrative purposes; substitute the sensitive action you are actually calling.

Choosing the authentication method

You select the second factor with the `X-Qonto-2fa-Preference` header. The possible values are `paired-device`, `passkey`, and `sms-otp`. If no header is present, the default is `paired-device`.

If `paired-device` is selected and the user has not paired a device yet, you will get a `428 Precondition Required` response with a `message` encouraging the user to enable one.

Initiate the sensitive action

If `paired-device` is used, the user gets a push notification on their device to authorize the action, and you receive a `428 Precondition Required` response containing, among other fields, a "SCA required" `message` and a `sca_session_token` that you will need to reuse afterwards. You have 15 minutes to use this token before it expires.

If `passkey` is used, the user receives a text message with a link to set up a passkey or use an existing one, and you receive a `428 Precondition Required` response containing, among other fields, a "Passkey verification required" `message` and a `sca_session_token` that you will need to reuse afterwards. You have 15 minutes to use this token before it expires.

Wait for the user's decision

Poll `GET thirdparty.qonto.com/v2/sca_sessions/<sca-session-token>` at most once per second. It reports one of three outcomes:

waiting: the user has not authorized the action yet;
deny: the user refused the action (or more than 15 minutes have passed);
allow: the user has authorized the action.

Replay the action with the session token

Once the outcome is allow, take the `sca_session_token` value from the previous response, set it in the `X-Qonto-Sca-Session-Token` header and repeat the original sensitive action request with no other change than the new header. Note: it is important that you replay exactly the same request, including the `X-Qonto-2fa-Preference` header if it was added to the original request; the user approved that specific action, so do not combine the token with different parameters or reuse it for another call. If the replay is not accepted, you will get a `412 Precondition Failed` response with a `message` providing more information.

SMS OTP

Initiate the sensitive action

If `sms-otp` is used as the method, you will receive a `428 Precondition Required` response with the following payload:

Capture and submit the OTP

Call your action with the OTP in the `X-Qonto-MFA` header and repeat the original request with no other changes. Make sure to include the `X-Qonto-2fa-Preference` header with the value `sms-otp`.

Note: The SMS OTP option is only available to Embed Partners. SMS OTP should be considered a fallback option and not one of the primary authentication methods, as it is less secure than paired devices or passkeys. Qonto may review usage patterns and could apply limitations if SMS OTP is consistently used as the primary SCA method.

Testing in the sandbox

The sandbox environment provides a `mock` option for the `X-Qonto-2fa-Preference` header, allowing you to simulate these actions without the need for physical devices or messages.

Set the `X-Qonto-2fa-Preference` header to `mock`. This tells the system to simulate the authentication process: the action responds with a `428 Precondition Required` carrying a `sca_session_token`, as in production.

Check the state of the mocked session with `GET https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>`.

Simulate the user's decision with one of:

POST https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>/allow
POST https://thirdparty-sandbox.staging.qonto.co/v2/mocked_sca_sessions/<sca-session-token>/deny

Then take the `sca_session_token` value from the previous response, set it in the `X-Qonto-Sca-Session-Token` header and repeat the original sensitive action request with no other change than the new header. If the replay is not accepted, you will get a `412 Precondition Failed` response with a `message` providing more information.

By using the `mock` option and these endpoints, you can test and QA sensitive actions in a controlled environment and verify, before going to production, that your application handles every outcome (waiting, allow, deny and 412) correctly.

With `X-Qonto-2fa-Preference` set to `sms-otp` in the sandbox, any 6-character code is accepted as a valid OTP since no actual SMS messages are sent. This lets you test the SMS OTP flow without waiting for or simulating SMS delivery. This is sandbox-only behaviour.
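To tie the production flow, the SMS OTP branch and the sandbox mock together, here is an added example in Python; it is not Qonto's code or SDK. It drives the 428 / poll / replay sequence through an injected transport and exercises it against a constructed fake of the sandbox. The header names, status codes, the `message` and `sca_session_token` fields, the `/v2/mocked_sca_sessions/<token>`, `/allow` and `/deny` endpoints and the sandbox's 6-character OTP rule come from the documentation above; the `status` key in the polling response, the token format, the fake's binding of a session to the exact original request and its 404/412 messages are assumptions of the example.

```python
# Added example (not Qonto's SDK or documentation code), run offline against a constructed fake.
import time
from dataclasses import dataclass, field

PREF_HEADER, SCA_HEADER, MFA_HEADER = "X-Qonto-2fa-Preference", "X-Qonto-Sca-Session-Token", "X-Qonto-MFA"
SESSION_TTL = 15 * 60    # documented token lifetime, in seconds
POLL_INTERVAL = 1.0      # documented limit: poll a session at most once per second
MOCK_PATH = "/v2/mocked_sca_sessions/"   # sandbox sessions; production uses /v2/sca_sessions/

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

class ScaError(Exception): pass

class ScaClient:
    def __init__(self, send, session_path="/v2/sca_sessions/", sleep=time.sleep):
        self.send = send   # send(method, path, headers, body) -> Response; injected so this runs offline
        self.session_path, self.sleep = session_path, sleep

    def wait_for_decision(self, token, max_wait=SESSION_TTL):
        deadline = time.monotonic() + max_wait
        while True:
            # Assumed: the outcome (waiting / deny / allow) arrives in a `status` key; the page names only the values.
            outcome = self.send("GET", self.session_path + token, {}, None).body.get("status")
            if outcome in ("allow", "deny"):
                return outcome
            if outcome != "waiting":
                raise ScaError(f"unexpected session state: {outcome!r}")
            if time.monotonic() >= deadline:
                return "deny"          # the session is unusable after the TTL anyway
            self.sleep(POLL_INTERVAL)

    def perform(self, method, path, body, preference=None, otp_prompt=None):
        """action -> 428 -> wait for the user's decision -> replay with the session token."""
        headers = {PREF_HEADER: preference} if preference else {}
        first = self.send(method, path, dict(headers), body)
        if first.status != 428:
            return first               # the call raised no SCA challenge
        if preference == "sms-otp":    # no session to poll: resend with the code in X-Qonto-MFA
            return self.send(method, path, {**headers, MFA_HEADER: otp_prompt()}, body)
        if not (token := first.body.get("sca_session_token")):   # e.g. the "pair a device first" 428
            raise ScaError(first.body.get("message", "SCA required"))
        if self.wait_for_decision(token) != "allow":
            raise ScaError("user denied the action or the session expired")
        # Replay the identical request (same preference header); the only addition is the token.
        replay = self.send(method, path, {**headers, SCA_HEADER: token}, body)
        if replay.status == 412:
            raise ScaError(replay.body.get("message", "precondition failed"))
        return replay

class FakeSandbox:
    """Constructed stand-in for the sandbox API. Tying a token to the exact original
    request is this fake's reading of the 'replay with no other change' note."""
    def __init__(self):
        self.sessions, self.last_token = {}, None   # token -> [outcome, request fingerprint]

    def handle(self, method, path, headers, body):
        if path.startswith(MOCK_PATH):
            token, _, verb = path[len(MOCK_PATH):].partition("/")
            if token not in self.sessions:
                return Response(404, {"message": "unknown session"})
            if method == "POST" and verb in ("allow", "deny"):
                self.sessions[token][0] = verb        # the simulated user decides
                return Response(200)
            return Response(200, {"status": self.sessions[token][0]})
        if headers.get(PREF_HEADER) == "sms-otp":
            if (otp := headers.get(MFA_HEADER)) is None:
                return Response(428, {"message": "SMS OTP required"})
            return Response(200 if len(otp) == 6 else 412, {"message": "bad OTP"})  # sandbox: any 6 chars
        fingerprint = (method, path, headers.get(PREF_HEADER), repr(body))
        token = headers.get(SCA_HEADER)
        if token is None:
            token = self.last_token = f"tok-{len(self.sessions) + 1}"   # constructed token format
            self.sessions[token] = ["waiting", fingerprint]
            return Response(428, {"message": "SCA required", "sca_session_token": token})
        outcome, original = self.sessions.get(token, (None, None))
        if outcome != "allow" or original != fingerprint:
            return Response(412, {"message": "SCA session invalid, denied or mismatched"})
        del self.sessions[token]                      # one approval authorizes one replay
        return Response(200, {"result": "done"})

def run_mock_flow(decision="allow", tamper=False):
    """One action through the mocked flow; the simulated user decides while the client sleeps
    between polls. `tamper` models a client that rebuilds the replay with a different body."""
    server = FakeSandbox()
    send = lambda m, p, h, b: server.handle(m, p, h, {"amount": 999} if tamper and SCA_HEADER in h else b)
    decide = lambda _: server.handle("POST", f"{MOCK_PATH}{server.last_token}/{decision}", {}, None)
    client = ScaClient(send, session_path=MOCK_PATH, sleep=decide)
    try:
        return client.perform("POST", "/v2/my-sca-action", {"amount": 100}, preference="mock").body["result"]
    except ScaError as err:
        return str(err)

def run_sms_flow(otp):
    """SMS OTP branch: returns the final HTTP status for the supplied code."""
    client = ScaClient(FakeSandbox().handle)
    return client.perform("POST", "/v2/my-sca-action", {}, preference="sms-otp", otp_prompt=lambda: otp).status
```

`run_mock_flow("allow")` completes the action, `run_mock_flow("deny")` surfaces the user's refusal, and `run_mock_flow("allow", tamper=True)` shows the 412 a client earns when it rebuilds the replay with a changed body instead of repeating the original request. For production, hand `ScaClient` a real HTTP transport and leave `session_path` at `/v2/sca_sessions/`; keep the one-second polling limit and never loop past the 15-minute lifetime.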