SCA for transaction data retrieval
SCA will be enforced when a platform user attempts to access sensitive data such as the account balance or transaction data generated within the last 90 days unless SCA exemptions apply.
After the user successfully completes two-factor authentication, Airwallex will issue:
- a short-lived SCA token (expires in five minutes), which the user can use multiple times to perform one or more sensitive operations until it expires.
- a multi-use refresh token (expires in 180 days) bound to the device, which Airwallex automatically exchanges for a new SCA token if the SCA token expires.
The following Airwallex transaction data endpoints are subject to SCA.
- Get current balance
GET /api/v1/balances/current
- Get payment transactions
GET /api/v1/balances/historyGET /api/v1/financial_transactionsGET /api/v1/financial_transactions/{id}GET /api/v1/issuing/transactionsGET /api/v1/issuing/transactions/{id}GET /api/v1/transfersGET /api/v1/transfers/{transfer_id}GET /api/v1/wallet_transfersGET /api/v1/wallet_transfers/{wallet_transfer_id}GET /api/v1/batch_transfersGET /api/v1/batch_transfers/{id}GET /api/v1/connected_account_transfersGET /api/v1/connected_account_transfers/{id}
This integration guide describes how to handle SCA enforcement for account balance or transaction retrieval using Airwallex's Embedded SCA component.
Note that retrieving account balance and transaction data can be exempt from SCA if SCA has been completed within the past 180 days.
Step 1: Initialize the Components SDK
Initialize the Components SDK to handle SCA for the user. For information, see Embedded SCA component.
Step 2: Retrieve the SCA token from the SDK
Before adding the SCA component for two-factor authentication, you must check if a valid SCA token can be retrieved from the SDK from a previous SCA flow. Airwallex automatically handles the process of exchanging a refresh token for a new SCA token. The returned short-lived SCA token in the response must be used in the account balance and transaction data request to complete the action. See Step 4.
If a valid SCA token cannot be retrieved from the SDK, i.e., if it's a new device or the refresh token has expired, add the SCA component to re-authenticate the user. See Step 3.
Step 3: Add the SCA component to your page
If the SCA token is unavailable or for a first-time user, embed the SCA verify flow into your page by specifying type as scaVerify in createElement(type, options) method. For more information on how to add the component to your page, see Embedded SCA component.
After the user is successfully authenticated using two-factor authentication, the SDK will return a success event verificationSucceed.
The client side receives a short-lived SCA token and a refresh token. Retrieve the SCA token and use it in the account details and transaction data requests to complete the action.
Step 4: Retrieve account balance and transactions using SCA token
Call Get current balances API by specifying the one-time SCA token in the x-sca-token request header to view the connected account’s current balance.
Call Get balance history API by specifying the one-time SCA token in the x-sca-token request header to view the connected account’s transaction history.