Learn how authentication factors work on the hosted webpage
`PendingUserAction.RedirectUrl` is returned by the API. During this time, the individual must complete all necessary steps for all factors for the session to be considered successful. The session is identified by the unique token in the `RedirectUrl`. So if the user refreshes the screen, or closes and re-opens the same link, then they can continue using the same session within 10 minutes.

`RedirectUrl`, the user first sees a Mangopay-branded welcome screen explaining the steps that are required from them.
`LegalRepresentative.Email` (and not the `Email`). For Natural users, the address used is the `Email`.

Factor | Required | Type | Description |
---|---|---|---|
Trusted device using WebAuthn passkey | No | Possession (of device) and inherence (if biometrics) or knowledge (if password or passcode) | The individual uses the native authentication features (biometrics, password, passcode) of their device that they set up during enrollment. |
Personal identification number (PIN) | Yes | Knowledge | The individual enters a 6-digit code they defined during enrollment. |
Phone-based one-time passcode (OTP) | If passkey not used | Possession | The individual receives a 6-digit OTP via SMS to the phone number provided during enrollment. |

`RedirectUrl` is opened in a webview. The factor must be integrated natively. See the dedicated guides for details on how to do this:
`PhoneNumber` was present in the API call to create or update the user)

`0611111111` and `FR` (`+33611111111`) with the passcode 702100 to simulate a successful flow. You can also send this data in the `PhoneNumber` (or `LegalRepresentative.PhoneNumber`) to pre-populate the field.
You can also test by using a real phone number to receive the SMS OTP.
`PhoneNumber` parameter of the Natural User or the `LegalRepresentative.PhoneNumber` of the Legal User.
If the phone number data is present in the user object, then the field is pre-populated for the user to confirm or modify.
`PhoneNumber` or `LegalRepresentative.PhoneNumber` data in the API object triggers SCA re-enrollment (read more).

`Email` for Natural users and the `LegalRepresentative.Email` for legal users. The address cannot be changed by the user during the session; it can only be changed via API, which triggers the re-enrollment flow below.