🔐  3DS challenge

3D Secure with a challenge — the issuer shows the customer an OTP page (or banking-app push) to confirm the transaction. This is what most fraud-prone or first-time charges trigger.

Sandbox limitation. NMI's test gateway sometimes doesn't return the post-challenge callback, so the flow can hang. This is a sandbox issue, not a code bug — verify the challenge flow on a real card with a small live charge in production. The frictionless path (above) reliably works end-to-end in test mode.

What to do

  1. Click Run scenario.
  2. On the hosted page, enter 4000 0000 0000 2420, any future expiry, any CVV.
  3. Click Pay. After a few seconds an iframe-modal appears with NMI's simulated issuer page.
  4. If the sandbox cooperates, complete the challenge → success. If it hangs, that's the test-mode issue noted above.

The code (same as Standard)

// Node.js
const r = await fetch('https://app.sknpay.com/api/v1/payments', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer ' + process.env.SKNPAY_API_KEY,
    'Content-Type': 'application/json',
    'Idempotency-Key': 'order-' + Date.now(),
  },
  body: JSON.stringify({
    amount: 2000,                 // minor units — 20.00 USD
    currency: 'USD',
    description: '3DS challenge test',
    customer_email: 'test@example.com',
    success_url: 'https://yoursite.com/thanks',
    cancel_url:  'https://yoursite.com/cart',
  }),
})
const payment = await r.json()
res.redirect(303, payment.url)        // → customer pays on hosted page
<?php
$ch = curl_init('https://app.sknpay.com/api/v1/payments');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST           => true,
  CURLOPT_HTTPHEADER     => [
    'Authorization: Bearer ' . getenv('SKNPAY_API_KEY'),
    'Content-Type: application/json',
    'Idempotency-Key: order-' . time(),
  ],
  CURLOPT_POSTFIELDS => json_encode([
    'amount'         => 2000,
    'currency'       => 'USD',
    'description'    => '3DS challenge test',
    'customer_email' => 'test@example.com',
    'success_url'    => 'https://yoursite.com/thanks',
    'cancel_url'     => 'https://yoursite.com/cart',
  ]),
]);
$payment = json_decode(curl_exec($ch), true);
header('Location: ' . $payment['url'], true, 303);
# Python (Flask + requests)
r = requests.post(
    'https://app.sknpay.com/api/v1/payments',
    headers={
        'Authorization':   f'Bearer {os.environ["SKNPAY_API_KEY"]}',
        'Content-Type':    'application/json',
        'Idempotency-Key': f'order-{int(time.time())}',
    },
    json={
        'amount':         2000,
        'currency':       'USD',
        'description':    '3DS challenge test',
        'customer_email': 'test@example.com',
        'success_url':    'https://yoursite.com/thanks',
        'cancel_url':     'https://yoursite.com/cart',
    },
)
return redirect(r.json()['url'], code=303)
curl -X POST https://app.sknpay.com/api/v1/payments \
  -H "Authorization: Bearer $SKNPAY_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: order-$(date +%s)" \
  -d '{
    "amount": 2000,
    "currency": "USD",
    "description": "3DS challenge test",
    "customer_email": "test@example.com",
    "success_url": "https://yoursite.com/thanks",
    "cancel_url":  "https://yoursite.com/cart"
  }'