# Implement SMS OTP flow

## Overview

When a 3DS transaction is challenged and the OOB flow is unavailable, the D1 3DS service falls back to the SMS OTP challenge.

## User experience

<figure><img src="/files/1VpTW4JwHgM3ig3SwFD7" alt="End‑user journey for the SMS OTP challenge flow"><figcaption></figcaption></figure>

## Flow

The following diagrams summarize the SMS OTP flow when OOB is not available.

<figure><img src="/files/Q0VR2T06UQfn1yXnZ7Wa" alt="High‑level 3DS SMS OTP flow overview"><figcaption><p>High‑level flow overview - step 1.</p></figcaption></figure>

<figure><img src="/files/ZBIRuzVw8WWMDhlDd9Km" alt="Detailed message flow for key steps"><figcaption><p>High‑level flow overview - step 2.</p></figcaption></figure>

## Sequence diagram

### Prerequisites

* Card products are configured in D1 and in the payment network directory server.
* The end user and card are registered in D1.

### 1 - AReq/ARes

<figure><img src="/files/WJQqHoorVOSgjt6mVlUI" alt="AReq/ARes sequence for the challenge flow"><figcaption><p>Authentication request/response (AReq/ARes).</p></figcaption></figure>

### 2 - OTP challenge

<figure><img src="/files/RN7OMsgyYkCCKt6RqAqO" alt="OTP generation, delivery, and validation sequence"><figcaption><p>OTP generation, delivery, and validation.</p></figcaption></figure>

### 3 - Final CReq/CRes and notification

<figure><img src="/files/SgI8xtzLSD3mw1ppnDVS" alt="Final CReq/CRes and notifications"><figcaption><p>Final challenge request/response (CReq/CRes) and outcome notification.</p></figcaption></figure>

## Backend integration

There are two ways to deliver the OTP:

1. D1 sends the SMS to the end user
   * The D1 backend uses the end user’s phone number provided by the issuer backend during registration.
   * D1 generates the OTP and delivers it by SMS.
2. Issuer backend sends the SMS to the end user
   * D1 generates the OTP and delivers it to the issuer backend via the `DeliverOTP` operation.
   * The issuer backend is responsible for sending the SMS to the end user.
   * For request/response details, see the [D1 API reference](/3d-secure/integrate-d1-api/d1-api-reference.md).

{% hint style="info" %}
Operational considerations:

* OTP format and TTL (expiry), maximum attempts, resend limits
* Localization of SMS content and sender ID
* Delivery provider retries/fallbacks and delivery status tracking
* Avoid logging OTP values and sanitize PII
* Rate‑limit OTP requests to mitigate abuse
{% endhint %}
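
For option 2, where the issuer backend sends the SMS, the following sketch applies two of the considerations above: a per-number resend limit and logs that carry neither the OTP nor the phone number. It is an added example, not Thales or D1 code; the function and parameter names, the limits, the logging key, and the `send_sms` callable are assumptions, and the actual `DeliverOTP` fields are defined in the D1 API reference.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("issuer.otp_delivery")

# Assumed policy values for illustration; set them to match your own policy.
MAX_SENDS = 3          # SMS allowed per phone number per window
WINDOW_SECONDS = 600   # sliding window length in seconds
LOG_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

_sent_at = defaultdict(deque)  # phone number -> timestamps of recent sends


def phone_ref(phone):
    """Keyed hash so log lines can be correlated without storing the number."""
    return hmac.new(LOG_KEY, phone.encode(), hashlib.sha256).hexdigest()[:12]


def allow_send(phone, now):
    """Sliding-window limiter: at most MAX_SENDS per WINDOW_SECONDS."""
    window = _sent_at[phone]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()  # drop sends that have aged out of the window
    if len(window) >= MAX_SENDS:
        return False
    window.append(now)
    return True


def deliver_otp(phone, otp, send_sms, now=None):
    """Send an OTP received from D1 by SMS (hypothetical handler).

    send_sms(phone, text) stands in for the SMS provider client.
    Returns True if the SMS was handed to the provider, False if limited.
    """
    now = time.time() if now is None else now
    ref = phone_ref(phone)
    if not allow_send(phone, now):
        log.warning("otp_sms_rate_limited phone_ref=%s", ref)
        return False
    send_sms(phone, f"Your verification code is {otp}")
    # Log the event only: no OTP value, no raw phone number.
    log.info("otp_sms_sent phone_ref=%s", ref)
    return True
```

The in-memory limiter state is per process; a deployment with several instances would keep it in a shared store.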

