Guides
Status Page
Start typing to search…

3DS with Tokenization Form

3D Secure integration using Bamboo’s Tokenization Form. Learn required fields, initialization flow, authentication steps, and how to include 3DS data in the purchase request.

Suggest Edit

Bamboo provides a Bamboo-managed 3DS flow through the Tokenization Form, where Bamboo executes the full 3DS2 process, including frictionless and challenge flows.


📘

This method requires no PCI scope. Card data is captured securely by Bamboo.


Flow Overview

The 3DS flow handled by Bamboo’s Tokenization Form consists of 17 steps, grouped into the following four stages:

  • 3DS Initialization
  • Tokenization
  • 3DS Authentication
  • Purchase Authorization

3DS Initialization

  1. Merchant prepares payment info
  2. 3DS session is initialized using amount and billing address.
  3. Bamboo returns AuthenticationId to bind the session to the Tokenization Form.

Tokenization

  1. Merchant loads the Tokenization Form
  2. Form is displayed to the payer.
  3. Payer enters card data
  4. Bamboo tokenizes the card
  5. Card token is generated

3DS Authentication

  1. Bamboo initiates 3DS authentication
  2. Issuer evaluates the transaction
  3. Challenge shown if required
  4. Payer completes the challenge
  5. Authentication approved
  6. Form returns Token + Auth3DSId to the merchant

Purchase Authorization

  1. Merchant creates the purchase including TrxToken and Auth3DSId
  2. Bamboo processes the authorization with the acquirer
  3. Purchase result is returned


3DS Initialization

When using the Tokenization Form, Bamboo requires specific fields to initialize the 3DS session. These parameters are evaluated by the issuer during risk-based authentication and must always be provided.


Required Parameters

PropertyTypeMandatory?Description
Amountint64YesTotal purchase amount used for issuer risk evaluation.
CurrencystringYesCurrency of the transaction.
CustomerEmailstringYesCardholder email required for 3DS authentication.
CustomerFirstNamestringYesCardholder first name.
CustomerLastNamestringYesCardholder last name.
CustomerBillingAddressobjectYesFull billing address of the cardholder. All fields below are required.

BillingAddress object (all fields required)

PropertyTypeMandatory?Description
CustomerBillingAddressCountrystringYesISO 3166-1 alpha-2 country code.
CustomerBillingAddressPostalCodestringYesZIP or postal code.
CustomerBillingAddressAddressDetailstringYesStreet name and number.
CustomerBillingAddressLocalitystringNoCity or locality.

Request Example

{
    "Currency": "USD",
    "Amount": "160",
    "Customer": {
        "Email": "[email protected]",
        "FirstName": "Juan Felipe",
        "LastName": "García",
        "PhoneNumber": "+59899999999",
        "BillingAddress": {
            "Country": "UY",
            "PostalCode": "11100",
            "AddressDetail": "Sarmiento 1234",
            "AdministrativeArea": "Montevideo"
        }
    }
}

Response

PropertyTypeDescription
AuthenticationIdstringUnique identifier of the 3DS authentication session.
AuthenticationTokenstringToken used to bind the 3DS session to the form flow.

Example Response

{
    "AuthenticationId": "503a4368-8f39-4b28-a17f-8a5dd2afb90d",
    "AuthenticationToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGlvbklkIjoiNTAzYTQzNjgtOGYzOS00YjI4LWExN2YtOGE1ZGQyYWZiOTBkIiwic2VydmljZVR5cGUiOiJjeWJlcnNvdXJjZSIsImlhdCI6MTc2NDYwOTEyOH0.jwH-F-Vt6ukBFwEDPZ3V7nKf1cI1upnZQyHbnHNx3eA"
}



3DS Fields Required in the Purchase Request

When the 3DS flow is handled through the Tokenization Form, Bamboo returns an AuthenticationId during the initialization step. This identifier must be included in the purchase request so the acquirer can validate the 3DS result associated with the transaction.

To send this information, the purchase request must contain:

  • ThreeDSAuthMethod set to INTERNAL, indicating that Bamboo performed the authentication.
  • A ThreeDS object with the ThreeDSId field, whose value must match the AuthenticationId returned during 3DS initialization.

Required Parameters

PropertyTypeMandatory?Description
ThreeDSAuthMethodstringYesMust be set to "INTERNAL" when using Bamboo’s Tokenization Form.
ThreeDSobjectYesContainer for 3DS data returned during initialization.
ThreeDSThreeDSIdstringYesThe AuthenticationId returned from the 3DS initialization step.

Example (Purchase Request)

{
    "CardData": {
        "CardHolderName": "John Doe",
        "Pan": "4507990000004905",
        "CVV": "123",
        "Expiration": "08/30",
        "Email": "[email protected]",
        "Document": "74857601"
    },
    "Capture": true,
    "TargetCountryISO": "BR",
    "Currency": "BRL",
    "Amount": 25000,
    "Installments": 2,
    "Order": "CH2023-001",
    "Description": "Compra de teste",
    "Customer": {
        "FirstName": "João",
        "LastName": "Silva",
        "ReferenceCode": "JS-001",
        "PhoneNumber": "11987654321",
        "DocumentNumber": "12345678901",
        "DocumentType": "CPF.BR",
        "Email": "[email protected]",
        "Address": {
            "Country": "BR",
            "City": "São Paulo",
            "State": "SP",
            "PostalCode": "01310-200",
            "AddressDetail": "Avenida Paulista 1000"
        }
    },
    "ThreeDSAuthMethod": "INTERNAL",
    "ThreeDS": {
        "ThreeDSId": "962b91dd-59d9-427c-951d-245eb9561c1a"
    }
}



Next Steps

3DS Initialization API

Initialize the 3DS session and retrieve the AuthenticationId.

Create Purchase

Complete the purchase using TrxToken and Auth3DSId.

Tokenization Form

Capture card data securely and receive 3DS authentication values.

3DS External Authentication

Submit ECI, CAVV, XID, and version from an external 3DS provider.

Updated about 23 hours ago