📑 Summary of Strong Auth Endpoints

Here is the list of all endpoints used in the Strong Customer Authentication (SCA) workflow:

1. 🔎 Status Check

GET /platforms/{platformUUID}/users/{userUUID}/strong_auth/status
Checks the current state of a user's Strong Customer Authentication workflow.

2. 🔐 OTP Generation

POST /strong_auth/otp/generate/{process}
Generates an OTP for email, phone, or secret code verification. To do before each verification.

3. ✅ OTP Verification

POST /strong_auth/otp/verify/{process}
Verifies the OTP for the corresponding process. To do after the generation of the OTP.

4. 🛠️ Secret Code Setup

POST /strong_auth/secret_code/setup
Initializes a new secret code for the user. To do after you verified the email and phone number of the user, and before generating a secret_code OTP.

5. 🔑 Secret Code Verify

POST /strong_auth/secret_code/verify
Verifies the secret code and returns a JWT token for authenticated operations. To do only when the whole workflow is complete.

6. ♻️ State Reset

POST /strong_auth/reset/{source}
Resets the validation state of a factor (email, phone, or secret code). After a reset, the user must redo the verification only for that factor.

🔐 Strong Authentication — Why & When

Strong authentication (SCA) is mandatory to:

✅ Authorize sensitive operations (payments, personal data changes, access to regulated features).
✅ Ensure compliance with DSP2 regulations (ACPR & RTS).
✅ Guarantee secure onboarding and prevent fraudulent access.

📌 In practice, you should check SCA status:

During user onboarding, before activating the account.
Before sensitive operations, to confirm authentication is enforced.
In backoffice supervision, to investigate issues or blocking points.

SCA in MPS relies on three factors:

📧 Email – possession/knowledge factor
📱 Phone number – possession factor
🔑 Secret code – knowledge factor

⚠️
All three steps must be validated for workflow_completed = true.

🧩 Key Concepts

Platform (`platformUUID`)

A unique identifier for each platform, containing all associated users.

User (`userUUID`)

A unique identifier for a user across API requests (managers, project owners, investors, etc.).

Strong Customer Authentication (SCA)

A regulatory-compliant mechanism using multiple factors:
📧 email → 📱 phone → 🔑 secret code

Workflow

A sequential set of validations, accessible via GET strong_auth/status.

JWT (JSON Web Token)

A short-lived token proving SCA is passed.
The backend should store and reuse it while valid.

Session vs Operation Authentication

Per session → Access granted for a given time.
Per operation → SCA required for each sensitive operation.

🛠️ Typical Workflow

After creating a user, the Strong Authentication workflow runs as follows:

📧 Email verification
- Generate OTP → Verify OTP
- For a new user, only email-based OTP is required.
- If the email source is reset later but phone number is already validated, validation will require both email + SMS.
📱 Phone number verification
- Always requires two steps:
  1. Verification by email
  2. Verification by SMS
- Each step uses: POST OTP generate → POST OTP verify
🔑 Secret code setup
- User sets a code with POST secret_code/setup.
- Verification then requires:
  - By email
  - By SMS
- Once fully validated → Retrieve a JWT with POST secret_code/verify.

ℹ️
Note
At workflow initiation, all fields in GET status are false or pending. Each successful step updates the workflow status accordingly.

♻️ Resetting a Source

If POST strong_auth/reset/{source} is called:

You must redo the verification for the specific source (email, phone, or secret_code).
✅ Other validated factors remain intact.
Example: Resetting phone → Only phone OTPs need to be regenerated & verified.

API Call Example

Check SCA Status

GET https://sandbox.mipisepaymentservices.com/api/platforms/{platformUUID}/users/{userUUID}/strong_auth/status
Authorization: Bearer {access_token}
Content-Type: application/json

Response (200 OK):

{
  "workflow_completed": true,
  "email": {
    "state": "validated",
    "verified_at": "2025-07-10T14:32:00Z"
  },
  "phone_number": {
    "state": "validated",
    "verified_at": "2025-07-10T14:35:00Z"
  },
  "secret_code": {
    "state": "validated",
    "verified_at": "2025-07-10T14:40:00Z"
  }
}

Field Descriptions

Field	Type	Description	Possible Values
workflow_completed	boolean	Indicates if the SCA workflow is fully validated	true / false
email.state	string	Email validation status	pending_email_validation, pending_sms_validation, validated
email.verified_at	date-time	Email validation timestamp	ISO 8601 format or null
phone_number.state	string	Phone validation status	pending_email_validation, pending_sms_validation, validated
phone_number.verified_at	date-time	Phone validation timestamp	ISO 8601 format or null
secret_code.state	string	Secret code configuration/validation status	pending_configuration, pending_email_validation, pending_sms_validation, validated
secret_code.verified_at	date-time	Secret code validation timestamp	ISO 8601 format or null

🚨 Error Codes

ℹ️
Note> The following error codes are common to all Strong Auth endpoints.

They indicate issues with the request, authentication, or data consistency.

Code	Meaning	Possible Causes
400	Bad Request	Missing or badly formatted parameters
401	Unauthorized	Invalid or expired token
404	Resource Not Found	`platformUUID` or `userUUID` does not exist
422	Unprocessable Entity	Inconsistent data or invalid state for the operation

✅ This workflow ensures that all users go through a multi-factor authentication process (email, phone, secret code) in full compliance with DSP2 regulations, while providing:

Enhanced security for sensitive operations
Traceability of each validation
JWT tokens for secure session management

SCA Workflow and usage

📑 Summary of Strong Auth Endpoints

1. 🔎 Status Check

2. 🔐 OTP Generation

3. ✅ OTP Verification

4. 🛠️ Secret Code Setup

5. 🔑 Secret Code Verify

6. ♻️ State Reset

🔐 Strong Authentication — Why & When

All three steps must be validated for `workflow_completed = true`.

🧩 Key Concepts

Platform (`platformUUID`)

User (`userUUID`)

Strong Customer Authentication (SCA)

Workflow

JWT (JSON Web Token)

Session vs Operation Authentication

🛠️ Typical Workflow

Note
At workflow initiation, all fields in `GET status` are `false` or `pending`. Each successful step updates the workflow status accordingly.

♻️ Resetting a Source

API Call Example

Check SCA Status

🚨 Error Codes

📑 Summary of Strong Auth Endpoints

1. 🔎 Status Check

2. 🔐 OTP Generation

3. ✅ OTP Verification

4. 🛠️ Secret Code Setup

5. 🔑 Secret Code Verify

6. ♻️ State Reset

🔐 Strong Authentication — Why & When

All three steps must be validated for workflow_completed = true.

🧩 Key Concepts

Platform (platformUUID)

User (userUUID)

Strong Customer Authentication (SCA)

Workflow

JWT (JSON Web Token)

Session vs Operation Authentication

🛠️ Typical Workflow

Note At workflow initiation, all fields in GET status are false or pending. Each successful step updates the workflow status accordingly.

♻️ Resetting a Source

API Call Example

Check SCA Status

🚨 Error Codes

All three steps must be validated for `workflow_completed = true`.

Platform (`platformUUID`)

User (`userUUID`)

Note
At workflow initiation, all fields in `GET status` are `false` or `pending`. Each successful step updates the workflow status accordingly.