# Implement OOB flow (issuer authentication)

## Overview

The 3DS OOB flow with issuer authentication is used when your rules decide to challenge a transaction and your issuer backend is configured to authenticate the end user in the issuer application.

{% hint style="info" %}
To control when OOB challenges are triggered, configure thresholds and conditions in [Configure rulesets for 3DS decisioning](/3d-secure/implement-3ds/configure-rulesets-for-3ds-decisioning.md).
{% endhint %}

## User experience

<figure><img src="/files/kY3aaNXV7CnJTPJ3F9Rh" alt=""><figcaption></figcaption></figure>

## Flow

<figure><img src="/files/K7WExGcd5PF9wp4jtKDP" alt=""><figcaption><p>High‑level OOB with issuer authentication flow - Step 1.</p></figcaption></figure>

<figure><img src="/files/gXlqsAFKjhSh1Xmb0uIt" alt=""><figcaption><p>High‑level OOB with issuer authentication flow - Step 2.</p></figcaption></figure>

## Sequence diagram

### Prerequisites

* Card products are configured in the D1 backend and in the payment network directory server.
* The end user and the card are registered in the D1 backend.

### 1 - AReq/ARes

<figure><img src="/files/NdOQ8lB2Iwm7Js6X2mKB" alt=""><figcaption><p>Authentication request and response flow.</p></figcaption></figure>

### 2 - CReq/CRes and OOB challenge from issuer

<figure><img src="/files/9xHU9aiMYKU6RkYbqK4a" alt=""><figcaption><p>D1 triggers the issuer authentication by API.</p></figcaption></figure>

### 3 - Final CReq/CRes and notification

<figure><img src="/files/yhxbVcHeef7cva3HQtAn" alt=""><figcaption><p>D1 gets the authentication result and ends the 3DS flow.</p></figcaption></figure>

## Backend integration

When the 3DS decision requires an OOB challenge, your issuer backend is asked to authenticate the end user:

1. Receive the authentication request: the D1 backend calls your backend via the [Authenticate](/3d-secure/integrate-d1-api/d1-api-reference/outbound-api-from-d1/consumer-api.md#post-banking-d1-v1-issuers-issuerid-consumers-consumerid-authentication) request.
2. Trigger issuer authentication: start your ID\&V flow in the issuer application (for example, push notification + CDCVM/biometrics, or any supported SCA method).
3. Expose the result: provide the outcome through [Get Authentication Result](/3d-secure/integrate-d1-api/d1-api-reference/outbound-api-from-d1/consumer-api.md#get-banking-d1-v1-issuers-issuerid-consumers-consumerid-authentication-authenticationid) so the 3DS challenge can complete.
4. Receive the final notification: at the end of the flow, you are informed about the authentication details via [Notify 3DS Card Operation](/3d-secure/integrate-d1-api/d1-api-reference/outbound-api-from-d1/3ds-api.md#post-notifications-d1-v1-issuers-issuerid-cards-cardid-3ds-notifications).

{% hint style="info" %}
Best practices

* Keep the OOB authentication responsive (push within seconds) to minimize challenge timeouts.
* Surface clear approve/deny choices in the issuer application and map them deterministically to the result you return.
{% endhint %}
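One way to keep the approve/deny mapping deterministic across steps 1 to 3, shown as an added example that is not D1 or Thales code. The class, method, and outcome names are hypothetical and are not the D1 API schema; it assumes an in-memory store and that each session is keyed by the authentication ID and bound to one consumer.

```python
import time
from enum import Enum


class Outcome(Enum):  # hypothetical internal states, not D1 API values
    PENDING = "PENDING"
    APPROVED = "APPROVED"
    DENIED = "DENIED"
    EXPIRED = "EXPIRED"


# Fixed mapping from the issuer app's buttons to a terminal outcome.
_CHOICES = {"approve": Outcome.APPROVED, "deny": Outcome.DENIED}


class OobSessions:
    """In-memory store (assumption); a real backend would persist sessions."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl, self._clock, self._sessions = ttl_seconds, clock, {}

    def start(self, auth_id, consumer_id):
        """Step 1: register the challenge when the Authenticate request arrives."""
        # setdefault: a repeated request must not reset an existing session.
        self._sessions.setdefault(auth_id, {
            "consumer": consumer_id,
            "outcome": Outcome.PENDING,
            "deadline": self._clock() + self._ttl,
        })

    def _load(self, auth_id, consumer_id):
        session = self._sessions.get(auth_id)
        if session is None or session["consumer"] != consumer_id:
            raise KeyError("unknown authentication for this consumer")
        if session["outcome"] is Outcome.PENDING and self._clock() >= session["deadline"]:
            session["outcome"] = Outcome.EXPIRED  # a late tap cannot approve
        return session

    def record_choice(self, auth_id, consumer_id, choice):
        """Step 2: store what the user chose after authenticating in the app."""
        session = self._load(auth_id, consumer_id)
        if session["outcome"] is Outcome.PENDING:  # first terminal outcome wins
            # Fail closed: anything but an exact "approve" counts as a denial.
            session["outcome"] = _CHOICES.get(choice, Outcome.DENIED)
        return session["outcome"]

    def result(self, auth_id, consumer_id):
        """Step 3: outcome to serve through Get Authentication Result."""
        return self._load(auth_id, consumer_id)["outcome"]
```

Translate `Outcome` into the result values defined in the API reference at the edge of your service, so the internal state machine stays independent of the wire format.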

