> ## Documentation Index > Fetch the complete documentation index at: https://docs.mangopay.com/llms.txt > Use this file to discover all available pages before exploring further. # SCA session redirection > Learn how to redirect a user for their hosted SCA session Mangopay's SCA feature relies on Mangopay-hosted webpage where the individual can complete all necessary steps for all authentication factors, whether that's first-time SCA enrollment or authenticating actions. To deliver this hosted SCA session, Mangopay provides a unique URL in the `RedirectUrl` response parameter on relevant actions across its API. The `RedirectUrl` is returned as part of the `PendingUserAction` response object. This guide describes how to redirect users for the SCA session. For more details about the factors, how they work, their integration, and the experience for users, see the [factors](/guides/sca/factors) guide. ## Overview of the flow The following diagram provides an overview of how the Mangopay-hosted SCA session works. See the [how-to guide](#how-to-redirect-a-user-for-sca) below for step-by-step guidance.

## How to redirect a user for SCA This section describes how to handle the SCA redirection when required by an SCA enrollment or authentication scenario. ### Differences between scenarios While the redirection mechanism is the same in all cases, there are the following differences: * The redirect URL is returned in a response header for wallet access, whereas the others are in the response body ([Step 2](#2-retrieve-the-sca-redirect-url)) * There is no webhook for a failed enrollment outcome, nor for wallet access outcomes ([Step 7](#7-confirm-the-session-outcome-and-retry-if-required)) ### 1. Call an endpoint that triggers SCA redirection Your platform needs to redirect the user for an SCA session when your platform calls one of several endpoints to initiate an SCA-triggering action. The following actions and endpoints trigger SCA redirection (see the linked guides for details). **Note – SCA only triggered for Natural and Soletrader users** SCA is not triggered for Legal users whose `LegalPersonType` is `BUSINESS`, `PARTNERSHIP`, or `ORGANIZATION`, but the endpoints can still be integrated for them. For more details, see the section about [legal user integration](/guides/sca/users#legal-user-integration). See [Users – SCA triggers in Sandbox](/guides/sca/users#sca-triggers-in-sandbox) for current testing information.

Action	Endpoints	Criteria
[Register a Owner user for the first time](/guides/sca/users#register-an-owner-for-the-first-time)	[POST Create a Natural User (SCA)](/api-reference/users/create-natural-user-sca) or [POST Create a Legal User (SCA)](/api-reference/users/create-legal-user-sca)	If `UserCategory` is `OWNER`
[Transition an existing Payer to Owner](/guides/sca/users#transition-an-existing-payer-to-owner)	[PUT Categorize a Natural User](/api-reference/users/categorize-natural-user) or [PUT Categorize a Legal User](/api-reference/users/categorize-legal-user)	None (always returned)
[Enroll an existing Owner](/guides/sca/users#enroll-an-existing-owner)	[POST Enroll a User in SCA](/api-reference/users/enroll-user)	None (always returned)
[Re-enroll a User](/guides/sca/users#re-enroll-a-owner-user)	[PUT Update a Natural User (SCA)](/api-reference/users/update-natural-user-sca) or [PUT Update a Legal User (SCA)](/api-reference/users/update-legal-user-sca)	If `UserCategory` is `OWNER` and any of these are changed: * Natural * `PhoneNumber` * `PhoneNumberCountry` * `Email` * Legal * `LegalRepresentative.PhoneNumber` * `LegalRepresentative.PhoneNumberCountry` * `LegalRepresentative.Email`

See [Recipients – SCA triggers in Sandbox](/guides/sca/recipients#sca-triggers-in-sandbox) for current testing information.

Action	Endpoints	Criteria
[Register a bank account for an Owner](/guides/sca/recipients#how-to-register-a-recipient-for-payouts)	[POST Create a Recipient](/api-reference/recipients/create-recipient)	If the user's `UserCategory` is `OWNER` and the recipient's `RecipientScope` is `PAYOUT` (or not sent)

See [Transfers – SCA triggers in Sandbox](/guides/sca/transfers#sca-triggers-in-sandbox) for current testing information.

Action	Endpoints	Criteria
[Initiate a transfer between two Owners](/guides/sca/transfers)	[POST Create a Transfer](/api-reference/transfers/create-transfer)	If `DebitedWalletId` and `CreditedWalletId` belong to two different users whose `UserCategory` is `OWNER` and an [exemption](/guides/sca#exemptions-on-actions) can't be applied by Mangopay

See [Wallet access – SCA triggers in Sandbox](/guides/sca/wallets#sca-triggers-in-sandbox) for current testing information.

Action	Endpoints	Criteria
Access a specific wallet balance	[GET View a Wallet](/api-reference/wallets/view-wallet)	If a successful SCA session using one of these 4 endpoints has not been completed in the last 180 days
List a user's wallets	[GET List Wallets for a User](/api-reference/wallets/list-wallets-user)
List transactions for a wallet	[GET List Transactions for a Wallet](/api-reference/transactions/list-transactions-wallet)
List transactions for a user	[GET List Transactions for a User](/api-reference/transactions/list-transactions-user)

### 2. Retrieve the SCA redirect URL The API response contains the redirect URL containing a unique token query parameter. You need to retrieve the full value dynamically, meaning the host and the query, for the next step. For example, in the API response for user endpoints, recipient creation, and transfer initiation: ```json 200 response body theme={null} { ... "PendingUserAction": { "RedirectUrl": "https://sca.mangopay.com?token=0193d02f30df7a188c51cf890a191d21" }, ... } ``` For example, in the API response for wallet access: ```HTTP 401 response header theme={null} WWW-Authenticate: PendingUserAction redirectUrl=https://sca.mangopay.com?token=0193d02f30df7a188c51cf890a191d21 ``` The URL of the unique SCA session is:

https://sca.mangopay.com?⁠token=0193d02f30df7a188c51cf890a191d21

### 3. Encode and add your returnUrl Define a `returnUrl` to which the user will be returned after they authenticate on the Mangopay-hosted page, regardless of the outcome. Append your URL to the `RedirectUrl` response value as the `returnUrl` query parameter, being sure to percent-encode any non-ASCII characters. Continuing the previous example, if your `returnUrl` is https://example.com, the full URL you will need to redirect the user on is:

https://sca.mangopay.com?⁠token=0193d02f30df7a188c51cf890a191d21\&returnUrl=https%3A%2F%2Fexample.com

**Caution – Add your return URL before redirection** You must add your `returnUrl` before you redirect the user on the `RedirectUrl` value. If you don't, the hosted web page displays an error because it cannot return the user upon completion. The `returnUrl` parameter name is case-sensitive. Note that the concatenation of Mangopay's `RedirectUrl` and your encoded `returnUrl` must be less than 2,000 characters, which is the limit of most web browsers. ### 4. Use your defined branding colors (optional) By default, the SCA session users your platform's trading name and logo (if provided). At the point of redirection, you can add two query parameters to your encoded `returnUrl` to further customize the colors of the SCA session: * Add `&primary=true` to use the `PrimaryThemeColour` * Add `&cta=true` to use the `PrimaryButtonColour` You must set the `PrimaryThemeColour` and `PrimaryButtonColour` hex values using the [PUT Update a Client](/api-reference/client/update-client) endpoint in order for them to be usable (for example, using Postman). Note that you need to wait about an hour for the API colors to appear in the SCA session. You can also force dark mode or light mode for the user, but note that if the user changes it in the session then that preference is stored as a local cookie and takes precedence for 30 days: * Add `&theme=dark` for dark mode * Add `&theme=light` for light mode Read more about [SCA customization options](/guides/sca/factors#customization) **→** ### 5. Set the session language (optional) By default, the SCA session detects the user's browser language if it is one of those listed in the table below. Regional variants for the same language resolve to the single translation supported by Mangopay: e.g. `es-419` (Latin American Spanish) resolves to `es`, `en-US` (American English) resolves to `en`. If the user's browser is in a language (or variant) not listed below, the session is in English by default. You can override the default localization behavior by manually setting the language of the session using the `lang` query parameter, with one of the values below. For example, to set the session to Spanish, regardless of the user's browser language, you can add `&lang=es` to your URL. If the OTP passcode factor is used, then the [wording of the SMS](/guides/sca/factors#sms-wording) is also localized based on the browser language or your override. Supported `lang` values:

Language	`lang` value
Bulgarian	`bg`
Dutch	`nl`
English	`en`
French	`fr`
German	`de`
Greek	`el`
Italian	`it `
Polish	`pl`
Portuguese	`pt`
Spanish	`es`
Swedish	`sv`

### 6. Redirect the user to the hosted webpage The final string to use to redirect the user includes: * Mangopay's full `RedirectUrl` API response value, including host, path, and the unique `token` query parameter * Your URL-encoded `returnUrl` value, for example `&returnUrl=https%3A%2F%2Fexample.com` – **mandatory**, so the session can return the user upon completion * Color [customization options](/guides/sca/factors#customization): `&primary=true` and `&cta=true` – both optional, otherwise defaults used * Language override, for example `&lang=en` – optional, otherwise the user's browser language, if supported, or else English Example of the final URL on which to redirect the user, with all elements added:

https://sca.mangopay.com?⁠token=0193d02f30df7a188c51cf890a191d21\&returnUrl=https%3A%2F%2Fexample.com\&primary=true\&cta=true\&lang=en

### 7. Let the user complete the session Once on the session URL, the user can perform the necessary actions for the SCA session. This includes enrollment or authentication, as well as all required authentication factors. **Note – Session timeout after 10 minutes** The session of the `RedirectUrl` is valid for 10 minutes. If the user does not complete the necessary steps during this time, the session can no longer be used and they are returned on your return URL. If this happens, you need to retry the SCA session using the relevant endpoint (see [Step 7](#7-confirm-the-session-outcome-and-retry-if-required) below) to obtain a new `RedirectUrl`. To test the OTP factor in Sandbox, you can use the `PhoneNumber` `+33611111111` (or `0611111111` and `FR`) and the passcode **702100** to simulate a successful flow. You can also use a real phone number to receive the SMS OTP. ### 8. Receive the user on return Once the user completes authentication (successfully or not) they are redirected to your `returnUrl` to continue their experience on your platform. On redirection, Mangopay adds an indicative query parameter to your `returnUrl`: `controlStatus`. For example:

https://example.com/?controlStatus=VALIDATED

The `controlStatus` parameter indicates the outcome of the SCA session itself: * `VALIDATED` - The SCA session was successful. * `FAILED` - The SCA session was unsuccessful and cannot be reused. **Best practice – Rely on webhooks** Your integration should asynchronously rely on webhooks for event status changes as far as possible, as described below. The `controlStatus` query parameter is only indicative of the SCA session, not the enrollment or authentication attempt. When Mangopay introduced SCA, there was a second query parameter, `actionStatus`, that was added to the `returnUrl` on redirection. This was subsequently removed for consistency across all SCA redirection scenarios, and to encourage reliance on webhooks. ### 9. Confirm the session outcome and retry if required The query parameters appended to the `returnUrl` are indicative. You should listen for the [webhooks events](/webhooks) listed below, and confirm the outcome of the action that triggered the SCA session by calling the relevant endpoint of the Mangopay API.

	Status change	Webhook event
Success	`UserStatus` changed from `PENDING_USER_ACTION` to `ACTIVE`	`USER_ACCOUNT_ACTIVATED`, `SCA_ENROLLMENT_SUCCEEDED`
Failure	None, `UserStatus` stayed as `PENDING_USER_ACTION`	None for user account status; `SCA_ENROLLMENT_FAILED` or `SCA_ENROLLMENT_EXPIRED` for SCA enrollment

Confirm	[GET View a User (SCA)](/api-reference/users/view-user-sca)
Retry	[POST Enroll a User](/api-reference/users/enroll-user)

	Status change	Webhook event
Success	`Status` changed from `PENDING` to `ACTIVE`	`RECIPIENT_ACTIVE`
Failure	`Status` changed from `PENDING` to `CANCELED`	`RECIPIENT_CANCELED`

Confirm	[GET View a Recipient](/api-reference/recipients/view-recipient)
Retry	[POST Create a Recipient](/api-reference/recipients/create-recipient)

	Status change	Webhook event
Success	`Status` changed from `CREATED` to `SUCCEEDED`	`TRANSFER_NORMAL_SUCCEEDED`
Failure	`Status` changed from `CREATED` to `FAILED`	`TRANSFER_NORMAL_FAILED`

Confirm	[GET View a Transfer](/api-reference/transfers/view-transfer)
Retry	[POST Create a Transfer](/api-reference/transfers/create-transfer)

	Status change	Webhook event
Success	None	None
Failure	None	None

Confirm or retry	[GET View a Wallet](/api-reference/wallets/view-wallet)
[GET List Wallets for a User](/api-reference/wallets/list-wallets-user)
[GET List Transactions for a User](/api-reference/transactions/list-transactions-user)
[GET List Transactions for a Wallet](/api-reference/transactions/list-transactions-wallet)

## Related resources Read about enrollment scenarios in the user lifecycle See the SCA-enabled user endpoints