Sent when a card authorisation needs a decision (e.g. a 3-D Secure challenge) and again as the authorisation is resolved. Carries a trimmed cardAuthentication object. All deliveries share the common envelope (eventId, eventName, timestamp, programId, sandbox, customerId).

cardAuthentication fields

Only id, customerId and status are guaranteed. Every other field is included only when known, so absent fields are omitted rather than sent as null.
FieldTypeNotes
idstringAuthorisation record identifier.
customerIdstringThe cardholder.
statusstringAuthorisation lifecycle — e.g. pending, customer-accepted, customer-canceled, provider approval/decline states.
accountIdstringOptional. Account the card belongs to.
cardIdstringOptional. The card identifier.
currencystringOptional. Transaction currency.
amountnumberOptional. Transaction amount, minor units.
maskedPanstringOptional. Masked card number.
merchantNamestringOptional. Acquirer/merchant name.
createdAtstringOptional. When the authorisation was raised.
requestExpiresAtnumberOptional. Challenge expiry (epoch seconds).

Example

{
  "eventId": "d3a8…",
  "eventName": "CARD_AUTH_STATUS_UPDATE",
  "timestamp": "2026-06-23T12:34:56.789Z",
  "programId": "yourprogram",
  "sandbox": false,
  "customerId": "cust_123",
  "cardAuthentication": {
    "id": "auth_abc",
    "customerId": "cust_123",
    "accountId": "acc_456",
    "cardId": "card_789",
    "status": "pending",
    "currency": "EUR",
    "amount": 1999,
    "maskedPan": "528211******1234",
    "merchantName": "ACME Store",
    "createdAt": "2026-06-23T12:34:50.000Z",
    "requestExpiresAt": 1750000000
  }
}