Overview
Secure Fields supports two distinct 3-D Secure approaches: a Native implementation you build and control, and a Hosted solution managed by Gr4vy. Both support Dynamic 3-D Secure configuration via Flow rules.Choose your approach
Hosted 3DS Solution
Learn how to use the hosted 3DS solution with Secure Fields.
Native 3DS implementation
Prerequisites
Native 3DS requires merchant account-level 3-D Secure configuration to be set up. This is different from the per-connection setup and must be enabled before using the native implementation.Merchant account-level configuration
Follow the setup guide to configure 3DS at the merchant account level.
How it works
Native 3DS automatically handles all device fingerprinting requirements, including collecting the device’s IP address, user agent, and other authentication metadata needed for 3-D Secure compliance. You don’t need to manually collect or pass this data—the implementation handles it transparently.Limitations & Considerations
When you use native 3DS with Secure Fields, it is important to pass the transaction context (for example,metadata, merchant_initiated, or cart_items) when you create the Checkout Session.
As native 3DS runs before transaction creation, so this context must already be present at session creation time to find the right 3DS profile, as well as take into consideration any flow rules.
Additionally, it’s important to note that the system runs 3DS Flow rules at the time of the enrollment check, which is run at the time of submitting Secure Fields. Currently, this Flow rule check doesn’t
support anti-fraud checks as these are currently tied to a transactions, though there are plans to add this in the near future.
Initialization
There are two ways to initialize the native 3-D Secure component: as a React component or through the vanilla JavaScript API (in Node or CDN scenarios). The propertychallengeWindowSize controls the size of the challenge window and
can be set to the following values:
The examples use a
<dialog> as the container for the 3-D Secure UI,
but any container can be used.Showing the 3-D Secure UI
With the3-D Secure start callback, the 3-D Secure process start can be detected,
allowing the container UI to be displayed.
Receiving the 3-D Secure result
With the3-D Secure finish callback, the 3-D Secure process finish can be detected,
allowing any UI element that was shown during the process to be dismissed and the
outcome of the process to be received.
3-D Secure finish callback:
The
authentication object contains the following properties:
After authentication
Once you receive the 3-D Secure authentication result, you can determine whether authentication was attempted and whether it was successful. You can then proceed to create a transaction regardless of the outcome. Theauthentication object provides the following key signals:
attempted: Whether the authentication process was initiatedtimed_out: Whether the authentication timed out before completinguser_cancelled: Whether the user dismissed the challengetransaction_status: The final result ("Y"= success,"N"= failed,null= unknown)
Testing and validation
To test your Native 3DS implementation, use the 3DS Test Cards in your sandbox environment. These cards allow you to simulate various outcomes, including frictionless authentication, mandatory challenges, and specific failure states.Test cards
Visa
Mastercard
American Express
Challenge screen inputs
When a challenge is triggered, use the following values to simulate different transaction results.OTP (One-Time Password)
When the challenge screen asks for a code, enter one of the following:Selection options
Some challenges may present a list of options (for example, “Select your favorite city”). Single-select- Paris or Nice: Returns Success (Y).
- Paris & Lyon: Returns Success (Y).
- Toulouse & Lyon: Returns Success (Y).
Best practices for testing
- Verify UI transitions: Ensure your app correctly transitions from the card entry screen to the 3DS challenge modal and back.
- Test error states: Use the “Rejected” or “Failed” cards to ensure your app displays helpful messaging to the user when a card cannot be verified.
- Check authentication outcome: After a successful test, verify that the
authenticationobject in your callback reflects the expected result before attempting the final transaction.