Skip to contentSkip to navigationSkip to topbar
Twilio Docs
On this page

PSD2 Compliant Authentication with Authy

(warning)

Warning

As of November 2022, Twilio no longer provides support for Authy SMS/Voice-only customers. Customers who were also using Authy TOTP or Push prior to March 1, 2023 are still supported. The Authy API is now closed to new customers and will be fully deprecated in the future.

For new development, we encourage you to use the Verify v2 API.

Existing customers will not be impacted at this time until Authy API has reached End of Life. For more information about migration, see Migrating from Authy to Verify for SMS(link takes you to an external page).

The European Payment Services Directive (PSD2) regulation(link takes you to an external page) requires Strong Customer Authentication (SCA) for all transactions over €30 by 31 December 2020 (14 September 2021 for the UK(link takes you to an external page)). This page will show you how to implement a compliant solution for your application using the Authy API. For more detail on PSD2, SCA, and dynamic linking, check out this post(link takes you to an external page).

The Authy API supports 3 channels for PSD2 compliant authorization.

SMS Authorization for PSD2

sms-authorization-for-psd2 page anchor

Use the action and action_message parameter to tie the verification to a specific transaction. The same values are required to verify the token.

Resources:

action_message for psd2 sms.
SMS Authorization - PSD2 CompliantLink to code sample: SMS Authorization - PSD2 Compliant
1
curl -X GET \

2
  'https://api.authy.com/protected/json/sms/123?action=hermione@hogwarts.ac.uk713.00&action_message=Verify%20payment%20to%20hermione@hogwarts.ac.uk%20for%20713.00%20Galleons&force=true' \

3
  -H 'X-Authy-Api-Key: d57d919d11e6b221c9bf6f7c882028f9'

Output

1
{

2
  "success": true,

3
  "message": "SMS token was sent",

4
  "cellphone": "+1-XXX-XXX-XX77"

5
}

Push Authorization for PSD2

push-authorization-for-psd2 page anchor

Display transaction details in the Authy App. Each authorization is signed by the end user's device and linked to that specific transaction.

Resources:

psd2 push auth.
Authy Push Authorization - PSD2 CompliantLink to code sample: Authy Push Authorization - PSD2 Compliant
1
curl -X POST \

2
  https://api.authy.com/onetouch/json/users/123/approval_requests \

3
  -H 'X-Authy-Api-Key: d57d919d11e6b221c9bf6f7c882028f9' \

4
  --data-urlencode 'message=Please approve the following payment.' \

5
  --data-urlencode 'details[Account Number]=8230985' \

6
  --data-urlencode 'details[Payee]=Hermione Granger' \

7
  --data-urlencode 'details[Amount]=713.00' \

8
  --data-urlencode 'details[Currency]=Galleons' \

9
  --data-urlencode seconds_to_expire=120

Output

1
{

2
  "approval_request": {

3
    "uuid": "8ee3aa70-4567-1234-9876-0a3cd2a2f8ba"

4
  },

5
  "success": true

6
}

Soft Token (TOTP) Authorization for PSD2

soft-token-totp-authorization-for-psd2 page anchor

Offline support with transactional TOTP codes in the Authy app. Transaction details are mixed with the application secret to create a unique code tied to the transaction.

Resources:

Scan transactional TOTP QR code.