# Getting Started
source: https://developer.mastercard.com/authentication-facilitator/documentation/getting-started/index.md

## Before You Start {#before-you-start}

Card Issuers must integrate with the Authentication Facilitator API to facilitate the authentication of their cardholders. The API provides a Mastercard-generated authentication code to the issuer in a Deliver Authentication Code message when an MDES Token Requestor triggers the authentication workflow.

### Onboarding to Authentication Facilitator API {#onboarding-to-authentication-facilitator-api}

To onboard to the Authentication Facilitator API, be prepared to provide your Mastercard Customer Implementation Services (CIS) representative with the following information:

* Your contact details: Project Manager/Project Lead, Development Lead, Test Lead and Network Engineer/Technician
* Account ranges that can be authenticated so that Deliver Authentication Code messages can be opted in for the account ranges
* Your Client ID
* Your Client Name
* Whether you'd like to enable BIN-based client authorization
* Your Customer ID (a.k.a. Company ID or Issuer CID)
* Your Endpoint Live Date
* Your URL, TCP Port and Context Root, or those of your Processor's Application Server Host
* The Wrapped Encrypt Hashing Algorithm you'd like Mastercard to use

## Good to Know {#good-to-know}

### Processing Deliver Authentication Code messages {#processing-deliver-authentication-code-messages}

Issuers are required to process every Deliver Authentication Code notification they receive. Essentially, Issuers have full responsibility for:

* identifying a cardholder using the funding account information from the message
* retrieving the cardholder information such as a mobile phone number when the issuer chooses to send the code via SMS
* sending the authentication code to the cardholder

How an authentication code is sent to a cardholder is at the Issuer's discretion. It is recommended that Issuers inform their cardholders of the authentication capability, the underlying process and expectations before they start sending codes.

An authentication code is valid for a limited period only, after which it expires. The issuer is informed of each authentication code's expiration date. All codes are assigned a default validity period of 15 minutes. Issuers must support extension or reduction of the authentication code lifetime without prior notice.

The Authentication Service is configured to support three attempts to enter a valid code, after which the code becomes invalid. Issuers must support a change in the number of attempts to enter a valid authentication code without prior notice.

Issuers receive Deliver Authentication Code messages only for tokens mapped in the MDES Token Vault, regardless of their status. An authentication performed by the Authentication Service does not affect a Token Assurance.

Each Deliver Authentication Code message contains an authentication flow identifier, unique across Token Requestors, so that different authentications for the same token can be triggered and processed independently. From an Issuer standpoint, the authentication flow identifier must be used to correlate messages associated with the same authentication request.

Only one valid authentication code can exist at a time for a given token and a given authentication flow identifier. Multiple valid codes can exist for the same token when a Token Requestor submits multiple authentication requests for the same token to the Authentication Service.

A cardholder could lose a code or never receive it. To resolve the situation, Token Requestors may allow the cardholder to request a re-send from the user interface. When a Token Requestor requests the Authentication Service to re-send an authentication code, the code with the same expiration date and time is re-sent to the Issuer in a new Deliver Authentication Code message. If the code has expired or the attempts have been exceeded, a new code is generated with a new expiration date and time and sent to the issuer instead.

Therefore, Issuers must be prepared to process multiple identical Deliver Authentication Code messages, that is, messages containing the same authentication code for the same token and the same authentication flow identifier. Issuers must also be prepared to process multiple Deliver Authentication Code messages where different authentication codes are sent for the same token and the same authentication flow identifier.
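One way an issuer endpoint could tell a first delivery, an identical re-send and a replacement code apart, keyed on token and authentication flow identifier. This is an added example, not Mastercard code: the field names, the `CodeTracker` class and the keyed digest used to avoid storing codes in clear are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DeliverCode:
    # Hypothetical field names; the real schema is in the API reference.
    token_id: str
    flow_id: str
    code: str
    expires_at: datetime  # taken from the message, never a fixed 15 minutes


class CodeTracker:
    """Remembers the current code per (token, flow) as a keyed digest only."""

    def __init__(self, key: bytes):
        self._key = key
        self._current = {}  # (token_id, flow_id) -> (digest, expires_at)

    def classify(self, msg: DeliverCode, now: datetime) -> str:
        # Forget codes that have expired so state stays bounded.
        self._current = {k: v for k, v in self._current.items() if v[1] > now}
        slot = (msg.token_id, msg.flow_id)
        digest = hmac.new(self._key, msg.code.encode(), hashlib.sha256).digest()
        previous = self._current.get(slot)
        self._current[slot] = (digest, msg.expires_at)
        if previous is None:
            return "new"        # first code seen for this flow
        if hmac.compare_digest(previous[0], digest):
            return "resend"     # identical message: deliver the same code again
        return "replaced"       # different code: the earlier one is superseded


def demo():
    # Constructed sample messages, not real traffic.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    exp = t0 + timedelta(minutes=15)
    tracker = CodeTracker(key=b"constructed-demo-key")
    first = DeliverCode("tok-1", "flow-A", "123456", exp)
    steps = [
        (first, t0),
        (first, t0 + timedelta(minutes=1)),
        (DeliverCode("tok-1", "flow-B", "654321", exp), t0 + timedelta(minutes=2)),
        (DeliverCode("tok-1", "flow-A", "999999", exp + timedelta(minutes=5)),
         t0 + timedelta(minutes=5)),
    ]
    return [tracker.classify(m, now) for m, now in steps]
```

Every outcome still ends with the code being sent to the cardholder; the classification only decides the message wording and which stored entry is overwritten.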

A card issuer does not have the option to request a new code.

Issuers should process Deliver Authentication Code messages regardless of the Token Requestor requesting authentication. Issuers must not be impacted while new Token Requestors are onboarding to the service. Issuers won't be notified when a Token Requestor starts requesting authentications. Issuers receive a Deliver Authentication Code message for every authentication request introduced by a Token Requestor integrated with the Authentication Service.

## Next Steps {#next-steps}

Ready to integrate and start using this API? Then please contact your Mastercard Customer Implementation Services (CIS) representative.

**NOTE: In order to use this API you must have a project opened with CIS to coordinate the setup and testing.**
