Verify Transactions for PSD2
Twilio Verify already allows you to quickly verify phone number ownership with one-time passwords (OTP) over SMS. In a few steps, you can extend these capabilities to help comply with PSD2 by verifying transactions using dynamic linking and Strong Customer Authentication (SCA).
Next, create a new Service with PSD2 mode enabled, as shown in the code sample below.
Once enabled, requests to start and/or complete verifications require the `Payee` and `Amount` parameters.
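// Download the helper library from https://www.twilio.com/docs/node/install
// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
// Credentials are read from the environment so they never appear in source control.
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);

// Create a Verify Service with PSD2 mode switched on. Once the service is
// PSD2-enabled, starting or checking a verification requires Amount and Payee.
client.verify.v2.services
  .create({ psd2Enabled: true, friendlyName: 'My PSD2 Service' })
  .then((service) => console.log(service.psd2Enabled))
  .catch((err) => {
    // Surface API failures instead of leaving an unhandled rejection;
    // log the message only, never the credentials.
    console.error('Failed to create PSD2 service:', err.message);
    process.exitCode = 1;
  });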
_42 "sid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "friendly_name": "My PSD2 Service",
_42 "lookup_enabled": false,
_42 "psd2_enabled": true,
_42 "skip_sms_to_landlines": false,
_42 "dtmf_input_required": false,
_42 "do_not_share_warning_enabled": false,
_42 "custom_code_enabled": true,
_42 "include_date": false,
_42 "apn_credential_sid": "CRXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "fcm_credential_sid": null
_42 "issuer": "test-issuer",
_42 "msg_service_sid": "MGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "from": "whatsapp:+1234567890"
_42 "default_template_sid": "HJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "verify_event_subscription_enabled": false,
_42 "date_created": "2015-07-30T20:00:00Z",
_42 "date_updated": "2015-07-30T20:00:00Z",
_42 "url": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_42 "verification_checks": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/VerificationCheck",
_42 "verifications": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications",
_42 "rate_limits": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RateLimits",
_42 "messaging_configurations": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/MessagingConfigurations",
_42 "entities": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Entities",
_42 "webhooks": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Webhooks",
_42 "access_tokens": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/AccessTokens"
To start a transaction verification, send an HTTP `POST` request to your PSD2-enabled Service's Verifications resource. This request must contain the `Amount`, `Payee`, `To`, and `Channel` parameters.
This HTTP request causes Twilio to send a verification code to the user. Each verification code is dynamically linked to the `Amount` and `Payee` of each transaction. The code is unique to the `To` (e.g., the recipient's phone number), `Amount`, and `Payee` combination. This ensures that verification fails in the event of code interception or transaction mutations.
Each verification code is valid for 10 minutes. Within that ten-minute time frame, any subsequent HTTP `POST` requests to the Verifications resource for the transaction cause Twilio to send the same verification code.
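// Download the helper library from https://www.twilio.com/docs/node/install
// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);

// Start a transaction verification on the PSD2-enabled Service.
// The request must carry Amount, Payee, To and Channel. The values below are
// samples; in an application, take amount and payee from the server-side
// transaction record so the code sent to the user is linked to the
// transaction that will actually be executed.
client.verify.v2.services('VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
  .verifications
  .create({
    to: '+15017122661',
    channel: 'sms',
    amount: '€39.99', // constructed sample amount
    payee: 'Acme Inc.',
  })
  .then((verification) => console.log(verification.sid))
  .catch((err) => {
    // Report the failure rather than leaving an unhandled rejection.
    console.error('Failed to start verification:', err.message);
    process.exitCode = 1;
  });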
_23 "sid": "VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "service_sid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "to": "+15017122661",
_23 "date_created": "2015-07-30T20:00:00Z",
_23 "date_updated": "2015-07-30T20:00:00Z",
_23 "payee": "Acme Inc.",
_23 "send_code_attempts": [
_23 "time": "2015-07-30T20:00:00Z",
_23 "attempt_sid": "VLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
_23 "url": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
To check if a verification code is correct, send an HTTP `POST` request to your PSD2-enabled Service's Verification Check resource. This request must contain the `Code`, `To` (e.g., the user's phone number), `Amount`, and `Payee` parameters. A sample request is shown in the example below.
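// Download the helper library from https://www.twilio.com/docs/node/install
// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);

// Check the code the user entered against the transaction it was issued for.
// The request must carry Code, To, Amount and Payee. Pass the amount and payee
// of the transaction the server is about to execute (from its own record, not
// from values re-submitted by the client), so a changed transaction fails the check.
client.verify.v2.services('VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
  .verificationChecks
  .create({
    to: '+15017122661',
    code: '123456', // placeholder: the code entered by the user
    amount: '€39.99', // constructed sample amount
    payee: 'Acme Inc.',
  })
  // Proceed with the transaction only when the status is 'approved'.
  .then((verificationCheck) => console.log(verificationCheck.status))
  .catch((err) => {
    // An API error is not an approval: report it and do not proceed.
    console.error('Verification check failed:', err.message);
    process.exitCode = 1;
  });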
_14 "sid": "VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_14 "service_sid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_14 "account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_14 "to": "+15017122661",
_14 "status": "approved",
_14 "payee": "Acme Inc.",
_14 "sna_attempts_error_codes": [],
_14 "date_created": "2015-07-30T20:00:00Z",
_14 "date_updated": "2015-07-30T20:00:00Z"
In some instances, the details of a transaction may change before it can be completed. When that occurs, you can cancel an in-progress transaction verification by updating the `Status` of the Verification resource. An example of this request is shown below.
This prevents a user from verifying an out-of-date transaction.
Note that transactions that have been successfully verified cannot be canceled.
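// Download the helper library from https://www.twilio.com/docs/node/install
// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);

// Cancel an in-progress verification when the transaction details change,
// so the user cannot approve an out-of-date transaction.
client.verify.v2.services('VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
  .verifications('VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
  .update({ status: 'canceled' })
  .then((verification) => console.log(verification.to))
  .catch((err) => {
    // Already-verified transactions cannot be canceled, so the update can
    // fail; handle the rejection rather than assuming the cancel succeeded.
    console.error('Failed to cancel verification:', err.message);
    process.exitCode = 1;
  });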
_23 "sid": "VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "service_sid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_23 "to": "+15017122661",
_23 "status": "canceled",
_23 "date_created": "2015-07-30T20:00:00Z",
_23 "date_updated": "2015-07-30T20:00:00Z",
_23 "send_code_attempts": [
_23 "time": "2015-07-30T20:00:00Z",
_23 "attempt_sid": "VLXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
_23 "url": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/VEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"