# OOB Webhook Notification

> In Out-of-Band (OOB) authentication, a webhook notification is sent to the issuer-provided channel for the cardholder's approval.




## OpenAPI

````yaml id post /v1/authenticate/{customerNumber}/{sessionId}
openapi: 3.0.3
info:
  description: >
    Endpoint for handling 3rd party authentication

    # Introduction

    Enfuce ID is used for handling authentication towards both EnfuceID's own
    authentication system and 3rd party authentication systems.

    # Common

    All endpoints respect and make use of HTTP response codes. Requests and
    responses are UTF-8 encoded and in a standardized JSON format described
    hereafter.

    A client must be able to handle cases where elements are added to either the
    request or response, i.e. it must still parse the content but not act on new
    elements.


    Authentication towards all endpoints uses basic authentication
    according to RFC 7617.


    For the outgoing webhook, basic authentication according to RFC 7617 is the
    supported method.


    Timeout must be 150 seconds. This means that a 3rd party authentication
    system has 150 seconds to do a callback with the result of authentication.
    Otherwise Enfuce will respond with a timeout to ACS, end user
    authentication will fail, and the callback is invalidated.

    The 3rd party authentication system can send TIMEOUT as the result before
    the 150 seconds have passed if it wants a shorter timeout.


    CustomerNumber in this context is equal to customerNumber in other parts of
    Enfuce API.

    The authentication process for verifying a 3D Secure purchase has the
    following flow within Enfuce ID:

    ![3D Secure
    flow](https://enfuce-public-resources.s3.eu-central-1.amazonaws.com/public/3dsecure_enfuceid_acs_auth_system.png)


    1. ACS receives an incoming request from the payment network including
    merchant information. The end user is presented with a landing page. The
    landing page is to be customized with a font and 1 picture

    2. ACS calls EnfuceID, which is Enfuce's internal authentication proxy

    3. EnfuceID forwards the request by calling the 3rd party
    authentication system
      - The request contains a unique session id (UUID) that the authentication system will report back the authentication result on
      - It also contains the customer number (the 3rd party authentication system can, if needed, look up more customer information from other parts of Enfuce API)
      - EnfuceID expects an HTTP 200 OK response within 2 seconds
    4. Once the 3rd party authentication system has a result, it should call
    the callback endpoint with the result

    5. EnfuceID forwards the result to ACS
  version: '1'
  title: Enfuce ID
  contact:
    name: Enfuce Financial Services
    url: https://enfuce.com
    email: info@enfuce.com
  x-logo:
    url: https://developer.enfuce.com/images/enfuce.svg
    altText: Enfuce logo
servers:
  - url: https://integration-api-cat2.demo.ext.test.cia.enfuce.com/enfuceid/api
    description: Test environment
  - url: https://integration-api-cat2.live.ext.prod.cia.enfuce.com/enfuceid/api
    description: Live environment
security: []
tags:
  - name: OOB Webhook Notification
  - name: Authentication Response Callback
paths:
  /v1/authenticate/{customerNumber}/{sessionId}:
    post:
      tags:
        - OOB Webhook Notification
      summary: OOB Webhook Notification
      description: >
        In Out-of-Band (OOB) authentication, a webhook notification is sent to
        the issuer-provided channel for the cardholder's approval.
      operationId: initiateAuthentication
      parameters:
        - name: customerNumber
          in: path
          description: Unique identifier of the cardholder
          required: true
          schema:
            type: string
        - name: sessionId
          in: path
          description: >-
            Unique identification number of the ensuing authentication request,
            returned in the callback request after the authentication request is
            complete.
          required: true
          schema:
            type: string
      requestBody:
        $ref: '#/components/requestBodies/initiateAuthenticationBody'
      responses:
        '200':
          description: Successful initiation of authentication
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
        '404':
          description: Customer does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
      deprecated: false
components:
  requestBodies:
    initiateAuthenticationBody:
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/initiateAuthenticationBody'
      description: >-
        Extra information about why authentication is initiated
      required: true
  schemas:
    errorResponse:
      type: object
      properties:
        code:
          type: string
          description: An error code indicating the kind of error, i.e. the HTTP error code
        message:
          type: string
          description: Error message in human-readable format
        id:
          type: string
          format: uuid
          description: Unique error identifier
        errorCode:
          type: string
          description: Enfuce code for a specific error type
        errorType:
          type: string
          description: Error type
          enum:
            - STATIC_VALIDATION_ERROR
            - DYNAMIC_VALIDATION_ERROR
            - INTEGRATION_ERROR
            - SECURITY_ERROR
            - UNEXPECTED_ERROR
        errorReason:
          type: string
          description: Free-form text explaining the error reason
        timestamp:
          type: string
          format: date-time
          description: Datetime when error occurred
    initiateAuthenticationBody:
      type: object
      properties:
        callbackUrl:
          type: string
          description: URL where the authentication result is forwarded.
          example: >-
            https://id.enfuce.com/v1/callback/mycompany/392492402/5d3a3e10-b511-42cd-b9b6-1f2a5701ba98
        transaction:
          $ref: '#/components/schemas/transaction'
        merchant:
          $ref: '#/components/schemas/merchant'
      required:
        - callbackUrl
      title: initiateAuthenticationBody
    transaction:
      type: object
      properties:
        type:
          type: string
          enum:
            - PAYMENT
            - RECURRING
          x-enum-descriptions:
            - A one-time transaction.
            - A recurring transaction (e.g., subscriptions).
          description: Type of transaction.
        amount:
          $ref: '#/components/schemas/money'
        cardId:
          type: string
          description: Unique identification number of the card.
        cardNumber:
          type: string
          description: Truncated card number.
          example: '342170______9554'
        deviceChannel:
          type: string
          description: Channel used for the transaction.
          enum:
            - APP
            - BROWSER
            - REQUESTOR_INITIATED
          x-enum-descriptions:
            - App-based.
            - Browser-based.
            - 3DS Requestor Initiated.
          example: BROWSER
        timestamp:
          type: string
          description: >-
            The date when the transaction occurred at the POS; Epoch-timestamp
            format (Number of seconds since 01.01.1970 UTC).
      required:
        - cardId
        - cardNumber
        - deviceChannel
        - type
        - timestamp
    merchant:
      type: object
      properties:
        description:
          type: string
          description: Description of the merchant.
          example: Airline ticket
        name:
          type: string
          description: Merchant name
          example: Airline of the world inc.
        country:
          $ref: '#/components/schemas/country'
        url:
          type: string
          description: Merchant URL
          example: https://www.airline.com/order/64674
    money:
      description: Amount including currency
      type: object
      required:
        - amount
        - currency
      properties:
        amount:
          type: number
          example: 3.14
        currency:
          $ref: '#/components/schemas/currency'
    country:
      type: string
      description: >-
        A valid ISO 3166-1 alpha-3 country code, except for QZZ (UNMIK in
        Kosovo) and ROM for Romania.
      pattern: '[A-Z]{3}'
      example: FIN
    currency:
      type: string
      description: A valid ISO 4217 currency code
      pattern: '[A-Z]{3}'
      example: EUR

````
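
The following is an added example, not Enfuce code: a sketch of the checks a 3rd party authentication system can run on this webhook before acting on it (Basic authentication per RFC 7617, a UUID `sessionId`, the required fields, tolerance of unknown elements, and the 150-second callback deadline). The function names, the credentials, the host allowlist (seeded with the host from the spec's example `callbackUrl`) and the use of HTTP 400 for malformed input are assumptions of this example.

```python
import base64, hmac, json, time, uuid
from urllib.parse import urlsplit

REQUIRED_TXN = ("cardId", "cardNumber", "deviceChannel", "type", "timestamp")
CALLBACK_DEADLINE_S = 150  # page: the callback is invalidated after 150 seconds

def check_basic_auth(header, user, password):
    """RFC 7617 check; credentials are compared in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode("utf-8"))

def validate_oob_webhook(path, auth_header, raw_body, creds, allowed_hosts, now=None):
    """Return (status, result): result is a dict on 200, otherwise a reason string."""
    if not check_basic_auth(auth_header, *creds):
        return 401, "bad credentials"
    parts = path.strip("/").split("/")
    try:
        if len(parts) != 4 or parts[:2] != ["v1", "authenticate"] or not parts[2]:
            raise ValueError("unexpected path")
        customer_number, session_id = parts[2], str(uuid.UUID(parts[3]))  # UUID per page
        body = json.loads(raw_body.decode("utf-8"))
        callback = urlsplit(body["callbackUrl"])  # callbackUrl is required
        txn = body.get("transaction")
        if txn is not None and any(k not in txn for k in REQUIRED_TXN):
            raise ValueError("transaction is missing required fields")
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, "malformed request"  # 400 is this example's choice, not in the spec
    # Post results only to an allowlisted HTTPS host, never to an arbitrary URL.
    if callback.scheme != "https" or callback.hostname not in allowed_hosts:
        return 403, "callbackUrl not allowlisted"
    # Unknown extra elements in the body are ignored, as the page requires.
    started = time.time() if now is None else now
    return 200, {"customerNumber": customer_number, "sessionId": session_id,
                 "callbackUrl": body["callbackUrl"],
                 "callbackDeadline": started + CALLBACK_DEADLINE_S}

# Constructed sample request, reusing the example values from the spec.
SAMPLE_PATH = "/v1/authenticate/392492402/5d3a3e10-b511-42cd-b9b6-1f2a5701ba98"
SAMPLE_BODY = json.dumps({
    "callbackUrl": "https://id.enfuce.com/v1/callback/mycompany/392492402/5d3a3e10-b511-42cd-b9b6-1f2a5701ba98",
    "transaction": {"cardId": "constructed-card-id", "cardNumber": "342170______9554",
                    "deviceChannel": "BROWSER", "type": "PAYMENT", "timestamp": "1700000000"},
    "futureField": "ignored",
}).encode("utf-8")
```

Because EnfuceID expects the HTTP 200 within 2 seconds, run these checks inline and hand the cardholder interaction to a background job that posts to `callbackUrl` before `callbackDeadline`.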