Respond to authorization requests

• Contact your Airwallex Account Manager to enable Issuing APIs, Cards, Remote Authorization for your Airwallex account.
• If you have a Scale platform account, enabling remote authorization on the platform account also enables remote authorization for connected accounts.
• Obtain your access token API by authenticating to Airwallex using your unique Client ID and API key. You will need the access token to make API calls.
• Configure remote authorization, including HTTPS endpoint, default action, etc., using Update issuing config API. For more information, see Configure remote authorization.

If you are enabled and configured for remote authorization, Airwallex sends a JSON payload on your configured HTTPS endpoint when an authorization transaction is initiated on the card associated with your Airwallex account. The authorization transaction can be part of a single message or a dual message. See Remote authorization scenarios for more information.

In addition to the request body, Airwallex attaches a digital signature to each request to allow you to verify that the remote authorization request was sent by Airwallex.

The signature and the nonce are sent using the following request headers:

• x-signature : Contains the signature sent as a base-64 string.
• x-nonce: Contains a HMAC-SHA256 encoding of a randomly generated nonce. Prepended to the nonce is an epoch timestamp in milliseconds, which can be used to validate the timeliness of the received message.

Follow these steps to validate that the remote authorization request received is legitimate and authentic:

1. Extract the x-nonce from the request header.
2. Compute an HMAC with the SHA-256 hash function on the x-nonce, using your configured shared_secret as the key.
3. Compare the x-signature in the header to the expected signature. Additionally, the timestamp prepended on the x-nonce before the ‘.’ delimiter can be used to validate the timeliness of the received message.
4. If a signature matches, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

Once Airwallex sends the remote authorization request, you have up to two seconds to send a response, either authorizing or declining the request.

You must send the corresponding transaction ID as well as a reason pertaining to the status of the response in the response body. This will be stored along with the transaction in our logs. In the case of a request timeout, Airwallex ignores any received responses and the configured default action will be performed.

Once your remote authorization endpoint has been configured, remote authorization data will be included as a field in webhook notification payloads and transaction API responses to allow you to better understand how your decision has affected the overall authorization process. This field will only be returned for transactions that require remote authorization. Shown below is an example of this field in the transaction response:

You can retrieve the status of all authorizations (single message and dual message) processed against your cards. For information, see Retrieve authorizations.