> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mangopay.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SCA on transfers

> Read how SCA impacts the transfer endpoint

## Scope

When a Mangopay Account holder (`OWNER`) transfers funds to another Mangopay Account holder, they must authenticate using SCA.

This means that when an `OWNER` user initiates a transfer to a wallet held by another `OWNER` user, the first user must authenticate the request.

## Action required

On transfers between one `OWNER` user and another, your platform needs to implement SCA redirection to Mangopay's hosted webpage.

### 1. Send ScaContext on Owner-initiated transfers

On the [POST Create a Transfer](/api-reference/transfers/create-transfer) endpoint, Mangopay has introduced the body parameter `ScaContext`, which your platform needs to send on **all transfers** initiated by users whose `UserCategory` is `OWNER`.

The `ScaContext` parameter has the values:

* `USER_PRESENT` – The user is taking the SCA-triggering action of initiating a transfer. The platform must [redirect the user](/guides/sca/session) using the `PendingUserAction.RedirectUrl` returned so that the user can complete the SCA session (unless Mangopay applied an [exemption](/guides/sca#exemptions-on-actions) for low-amount and low-risk transfers, so no redirection link was returned).
* `USER_NOT_PRESENT` – The platform is taking the action under proxy from the user and the user has previously given consent to Mangopay (via the SCA hosted experience) to allow the action. If the user has not given (or has revoked) their consent, then `USER_NOT_PRESENT` returns a 403 error.

<Warning>
  **Caution - ScaContext default value changing**

  On transfers, the default value for `ScaContext` is changing to `USER_PRESENT` on **Dec 15, 2025** (Dec 1 in Sandbox).

  From this date, if the `PendingUserAction.RedirectUrl` value is returned, then you need to redirect the user to perform SCA.

  With approval from Mangopay, your platform may be able to use the `USER_NOT_PRESENT` value provided you also have a legal proxy in place with the user and the user's consent to initiate transfers on their behalf (see below).
</Warning>

The `ScaContext` parameter should be considered mandatory and the relevant value must be sent on all transfers initiated by `OWNER` users. You do not need to send `ScaContext` if the `UserCategory` is `PAYER`.

#### USER\_NOT\_PRESENT requires proxy

To use the `USER_NOT_PRESENT` value, your platform must put in place a proxy in your legal documentation, and you must obtain the User's consent. For more information, see the [proxy management](/guides/sca/proxy-management#) guide.

The introduction of Mangopay's proxy management system makes it possible to apply SCA correctly in all cases. If the proxy action is activated for your platform and you send `USER_NOT_PRESENT`, but the user hasn't given consent via the hosted SCA experience, then the request will fail.

In this case, your platform has two options:

1. Obtain consent from the user by calling [POST Manage proxy consent for a User](/api-reference/users/manage-proxy-consent), and then retry the transfer with `USER_NOT_PRESENT`
2. Retry the action with the user on session to authenticate, by setting `ScaContext` to `USER_PRESENT` and redirecting the user on the `PendingUserAction.RedirectUrl` returned

The rest of this guide describes the `USER_PRESENT` case.

#### Example API request with user present

<Accordion title="See API request example with user present">
  ```json theme={null}
  {
      "ScaContext": "USER_PRESENT", 
      "AuthorId": "user_m_01JRJM5RR5NYQDN0S6QWJJDRMR",
      "DebitedFunds": {
          "Currency": "EUR",
          "Amount": 50001 
      },
      "Fees": {
          "Currency": "EUR",
          "Amount": 0
      },   
      "DebitedWalletId": "wlt_m_01JRJM7ASZN7YP4MBDVBT0HZF1",
      "CreditedWalletId": "wlt_m_01JRHSTW2NP4MDB45WQMDNS23C",
      "Tag": "Created using Mangopay API Postman Collection"
  }
  ```
</Accordion>

### 2. Redirect the user for SCA if required

For requests made with `ScaContext` set to `USER_PRESENT`, the user is on session and can perform SCA. On a given transfer request, it is possible that Mangopay can apply an SCA exemption if the transaction is considered low risk or for a low amount.

If SCA is required for the transfer request, the API response contains `PendingUserAction.RedirectUrl`, as shown in the example below. If an exemption was applied (for `USER_PRESENT`), then the `RedirectUrl` is not returned because no redirection is necessary.

#### Example API response

In Sandbox, the Transaction Risk Analysis (TRA) [exemption](/guides/sca#exemptions-available-to-mangopay) is systematically applied for amounts of 500 EUR or less (or equivalent in other currencies). So in the examples below, setting `DebitedFunds.Amount` to more than `50000` triggers SCA (see [SCA triggers in Sandbox](#sca-triggers-in-sandbox) below for details).

<Tabs>
  <Tab title="SCA redirection required">
    ```json theme={null}
    {
        "ScaContext": "USER_PRESENT",
        "Id": "xfer_c_01JRSHQFG2337DBQ4NS8XPYCK7",
        "CreationDate": 1744614179,
        "DebitedWalletId": "wlt_m_01JRJM7ASZN7YP4MBDVBT0HZF1",
        "CreditedWalletId": "wlt_m_01JRHSTW2NP4MDB45WQMDNS23C",
        "AuthorId": "user_m_01JRJM5RR5NYQDN0S6QWJJDRMR",
        "CreditedUserId": "user_m_01JRHSS3B18H86QA0C467RVK07",
        "DebitedFunds": {
            "Currency": "EUR",
            "Amount": 50001
        },
        "CreditedFunds": {
            "Currency": "EUR",
            "Amount": 50001
        },
        "Fees": {
            "Currency": "EUR",
            "Amount": 0
        },
        "Type": "TRANSFER",
        "Nature": "REGULAR",
        "Status": "CREATED",
        "Tag": "Created using Mangopay API Postman Collection",
        "ResultCode": null,
        "ResultMessage": null,
        "ExecutionDate": null,
        "PendingUserAction": {
            "RedirectUrl": "https://sca.sandbox.mangopay.com/?token=sca_0196331bc1247e3fa33be6f9c797abd7"
        }
    }
    ```
  </Tab>

  <Tab title="Exemption applied">
    ```json theme={null}
    {
        "ScaContext": "USER_PRESENT",
        "Id": "xfer_c_01JRSHQFG2337DBQ4NS8XPYCK7",
        "CreationDate": 1744614179,
        "DebitedWalletId": "wlt_m_01JRJM7ASZN7YP4MBDVBT0HZF1",
        "CreditedWalletId": "wlt_m_01JRHSTW2NP4MDB45WQMDNS23C",
        "AuthorId": "user_m_01JRJM5RR5NYQDN0S6QWJJDRMR",
        "CreditedUserId": "user_m_01JRHSS3B18H86QA0C467RVK07",
        "DebitedFunds": {
            "Currency": "EUR",
            "Amount": 1000
        },
        "CreditedFunds": {
            "Currency": "EUR",
            "Amount": 1000
        },
        "Fees": {
            "Currency": "EUR",
            "Amount": 0
        },
        "Type": "TRANSFER",
        "Nature": "REGULAR",
        "Status": "CREATED",
        "Tag": "Created using Mangopay API Postman Collection",
        "ResultCode": null,
        "ResultMessage": null,
        "ExecutionDate": null,
        "PendingUserAction": null
    }
    ```
  </Tab>
</Tabs>

<Warning>
  **Caution – Encode and add your returnUrl before redirection**

  You must add your `returnUrl` before you redirect the user on the `RedirectUrl` value, otherwise the hosted web page cannot return them upon completion.

  For more details, see [How to redirect a user for SCA](/guides/sca/session#how-to-redirect-a-user-for-sca).
</Warning>

The individual must authenticate on the Mangopay-hosted webpage within 10 minutes of the API response. After the SCA session, the user is returned to your specified `returnUrl`, regardless of the outcome.

### 3. Ensure your integration relies on transfer status and webhooks

The introduction of SCA makes reliance on the Transfer's `Status` essential.

Whereas previously, a Transfer's `Status` would typically pass to `SUCCEEDED` quickly, with SCA it will remain in `CREATED` until the user completes SCA.

This means that your platform needs to rely on the existing webhook event types for the outcome of the transfer:

* `TRANSFER_NORMAL_SUCCEEDED`
* `TRANSFER_NORMAL_FAILED`

For more details about setting up webhooks, see the dedicated [webhook guide](/webhooks).

Once your system receives the webhook notification, call the [GET View a Transfer](/api-reference/transfers/view-transfer) endpoint to retrieve more information about the transfer.

If SCA was not successful, the `Status` changes to `FAILED` and there are two new SCA-related functional errors that may be returned in `ResultCode` and `ResultMessage`:

<table>
  <thead>
    <tr>
      <th class="header">`ResultCode`</th>
      <th class="header">`ResultMessage`</th>
      <th class="header">Description</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td class="table-content">
        `007101`
      </td>

      <td class="table-content">
        Transfer authentication failed. Please retry with a new request.
      </td>

      <td class="table-content">
        The user reached the maximum number of retries for one of the authentication factors, so the SCA session failed.
      </td>
    </tr>

    <tr>
      <td class="table-content">
        `007102`
      </td>

      <td class="table-content">
        Transfer authentication expired. Please initiate a new request.
      </td>

      <td class="table-content">
        The user did not complete all steps required within 10 minutes, so the SCA session expired.
      </td>
    </tr>
  </tbody>
</table>

A transfer can also fail for other reasons that were already applicable before the introduction of SCA.

To retry the transfer request, call the [POST Create a Transfer](/api-reference/transfers/create-transfer) endpoint again.

## Testing

### SCA triggers in Sandbox

While in Production, Mangopay will apply the exemptions for low-risk or low-amount transfers ([read more](/guides/sca#exemptions-on-actions)), the behavior in Sandbox is described below for your integration and testing.

In Sandbox, SCA is triggered on [POST Create a Transfer](/api-reference/transfers/create-transfer) when all of the following are true:

* `DebitedWalletId` and `CreditedWalletId` belong to different `OWNER` users.
* The type of user owning the wallets is Natural or Legal (all `LegalPersonType` – `BUSINESS`, `SOLETRADER`, `ORGANIZATION`, or `PARTNERSHIP`), in any combination for debited and credited user.
* `DebitedFunds.Amount` is greater than **500 EUR** or equivalent. So if `Currency` is `EUR`, this means `Amount` must be `50001` or more.
* `ScaContext` is `USER_PRESENT`

The users involved in the transfer don't have to be already enrolled in SCA.

In Sandbox, SCA is not triggered if any of the following are true:

* The amount is less than **500 EUR** or equivalent
* Until Dec 1, 2025: `ScaContext` is `USER_NOT_PRESENT` or not sent (in which case it is `null`)

#### Bypass SCA in Sandbox

In Sandbox, you can bypass SCA by including the word `accept` in the [Natural User's](/api-reference/users/natural-user-object-sca) `Email` or the [Legal User's](/api-reference/users/legal-user-object-sca) `LegalRepresentative.Email` – for example `accept@example.com` or `john.doe+accept@example.com`.

If the user has `accept` in their email, then the API does not apply SCA during [enrollment in the User endpoints](/guides/sca/users) or any of the SCA-triggering actions – ([recipient creation](/guides/sca/recipients), [transfers](/guides/sca/transfers), and [wallet access](/guides/sca/wallets)). The API proceeds with the requested action and doesn't return the `PendingUserAction.RedirectUrl` SCA redirection link.

### Postman

The Mangopay API Postman collection contains a dedicated folder for <a href="https://www.postman.com/mgp-productstars/mangopay-sandbox/folder/jk6okvt" target="_blank">SCA on transfers and wallet access</a>, has the calls needed to set up two Owner users, get funds into their wallets via a direct card pay-in, and then transfer between them using the `ScaContext` value `USER_PRESENT`.

See the [Postman](/postman) guide for details on how to fork the collection and set up your environment with your `ClientId` and API key.

## Related resources

<CardGroup cols={2}>
  <Card title="SCA session" href="/guides/sca/session">
    Read more about redirecting users for an SCA session
  </Card>

  <Card title="Proxy management" href="/guides/sca/proxy-management">
    Read more about proxy management for USER\_NOT\_PRESENT
  </Card>
</CardGroup>