The billing_attempt/challenged webhook is described as follows:
Emitted when the financial institution challenges the subscription billing attempt charge as per 3D Secure.
And according to the blurb and diagram on the same page, one might expect the webhook to be emitted when the 3D Secure email is sent out to the customer.
Shopify handles 3D Secure authentication by emailing the customer when the financial institution requires a challenge. This flow is demonstrated in the diagram below:
But while trying to test the webhook, it only triggers when the link in the 3D Secure email is visited, NOT when the email is sent. Is this a bug with the test card, Shopify Payments, or is the description of the webhook wrong?
https://shopify.dev/apps/subscriptions/contracts#subscription-related-webhooks
https://shopify.dev/apps/subscriptions/contracts#about-3d-secure
This is an accepted solution.
Hi @lemonsenpai,
Thank you for your question!
When the link on the email is visited it triggers the flow where the financial institution will request a 3DS authentication and the webhook is fired in that flow.
Also, the 3DS challenge webhook is only triggered when the buyer is in session. When the email link is visited the buyer is in session and the 3DS is triggered, which fires the webhook.
Thank you,
Pranab
Hi @pranab,
What is the recommended workflow when SCA is required then?
Currently, the only way to retrieve the SCA URL is making regular requests. For example:
How should the application retrieve the information that this billing attempt requires SCA? The only way I can see here is making regular requests and reading information about this billing attempt. But it's not a good practice.