# Passkeys source: https://developer.mastercard.com/issuer-enrollment/documentation/testing/passkeys/index.md As a prerequisite, familiarize yourself with [Getting Started With Passkey Use Case](https://developer.mastercard.com/issuer-enrollment/documentation/use-cases/passkeys/index.md). | Scenarios | Description | |---------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------| | [Scenario 1](https://developer.mastercard.com/issuer-enrollment/documentation/testing/passkeys/index.md#scenario-1) | Cardholder successfully creates a new Mastercard payment passkey. | | [Scenario 2](https://developer.mastercard.com/issuer-enrollment/documentation/testing/passkeys/index.md#scenario-2) | Cardholder fails to create a Mastercard payment passkey. | | [Scenario 3](https://developer.mastercard.com/issuer-enrollment/documentation/testing/passkeys/index.md#scenario-3) | Integrator requests binding an existing passkey on cardholder's device. | ## Scenario 1 {#scenario-1} **Assumptions** * The Issuer is [onboarded](https://developer.mastercard.com/issuer-enrollment/tutorial/issuer-onboarding-click2pay/index.md) with the Click to Pay program on the Mastercard Checkout Solutions application to make API calls. * Issuer account ranges are enabled for passkey authentication. In other words, Issuer has been configured for using passkeys. * Test card country and Issuer are configured to be eligible for FIDO as an MFA method. * Issuer has verified the `accountReference` (PAN, email address, phone number) information supplied by the cardholder. * Issuer has captured the cardholder's consent (on behalf of Mastercard) to enroll for a Mastercard payment passkey. **When** > Issuer calls [Sessions](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md#authentication-apis) API with cardholder details, such as email address, phone number, card details, along with the `callbackUri` to initiate Mastercard payment passkey registration. ```json { "srcClientId": "43c3630f-882c-4341-8868-0f73a5fd14d5", "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "assuranceData": { "verificationData": [ { "verificationType": "CARDHOLDER", "verificationEntity": "03", "verificationMethod": "06", "verificationResults": "01", "verificationTimestamp": "1678294563", "verificationEvents": [ "04" ], "additionalData": { "accountReference": { "card": { "primaryAccountNumber": "5299920971401623001", "panExpirationMonth": "08", "panExpirationYear": "2031" } } } }] }, "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "authenticator": { "certifiedSolutionId": "20001", "metadata": { "fido2": { "displayName": "k*****c@mastercard.com" } } } }, "authenticationContext": { "uriData": { "uri": "https://stage.demos.verify.mastercard.com/das-sdk-test/", "uriType": "WEB_URI" } }, "locale": "en-AU" } ``` **Then:** > **Step 1** : > Mastercard responds with a registration `uri` for the Issuer to invoke Mastercard payment passkey registration. ```json { "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "fcjUcwg1QfiHKDbZF3vSdg000000000010US", "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "uriData": { "uri": "https://stage.verify.mastercard.com/auth/passkeys?authSessionId=fcjUcwg1QfiHKDbZF3vSdg000000000010US&clientId=43c3630f-882c-4341-8868-0f73a5fd14d5&clientSessionId=86bd4a91-46ba-4b2c-9b4a-59eea3812f01&locale=en-AU&accessToken=eyJraWQiOiIyMDI0MDkwMjExMTAzOC1zdGctbWMtZGFzLWZlZHJhdGVkLXRva2VuLXNyYy1tYXN0ZXJjYXJkLWludCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJkaWdpdGFsYXV0aGVudGljYXRpb25zZXJ2aWNlIiwic3ViIjoiNjNkNGNiZWYtOGYwZC00NzRkLTk0ZTItN2IyY2ExZjg2ZjhmIiwibmJmIjoxNzU3NDg2NzY1LCJpc3MiOiJodHRwczpcL1wvc3RhZ2UudmVyaWZ5Lm1hc3RlcmNhcmQuY29tIiwiZXhwIjoxNzU3NDg3NjY1LCJpYXQiOjE3NTc0ODY3NjUsImNpZCI6IjYzZDRjYmVmLThmMGQtNDc0ZC05NGUyLTdiMmNhMWY4NmY4ZiJ9.BMZltny8mz8cLav05zkmZfaBz8ijTv0SrIkYPfDn_ki0ToOElmmc8fdB5MYHicx8KdDosYYTuWDUev5KywMEgUUn-EQDRCH6aYoy_Paa5A1SrChWaC8wxsPyNtLSPiuff0z7ScHiEYMZ6U7Py1h0njUswQ01haiIMwcN-p9731rvmbg7FYD3zDf1a8DKbMW2bDvGNb0sPDL95trptl3uu2QD8ajQLy12HY_IKUxBvB0RELcgJ56cJhCdWmxM8JyaSWPKq1jzppKe7DcC7bATic-TgIYiHu6R2HrbaRwl7QOtr6kzS2EOxPWiCa-lAQ9ADVcB8ug3eE_Rqk3BBy-fuQ", "uriType": "WEB_URL" } } } ``` > **Step 2** > > Issuer launches the Mastercard URL in a browser where Mastercard prompts the cardholder to perform verification. > > Once the cardholder successfully creates the Mastercard payment passkey, Mastercard provides the proof of authentication (POA) to the Issuer, and redirects to the `callbackUri` provided by the Issuer. > **Step 3** > > Issuer calls the [Authenticators](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md#authentication-apis) API to bind the newly created payment passkey to a device and the `accountReference` (PAN, email address, phone number) information. ```json { "srcClientId": "43c3630f-882c-4341-8868-0f73a5fd14d5", "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "mJfiO_sKSJ-_DfsdHjkJqw000000000010US", "assuranceData": { "verificationData": [ { "verificationType": "CONSUMER", "verificationEntity": "02", "verificationMethod": "12", "verificationResults": "04", "verificationEvents": [ "64" ], "verificationTimestamp": "1678294563", "additionalData": { "proofOfAuthentication": "eyJraWQiOiIyMDI1MDMyNDE3MTgwNy1kYXMtbWFjLXNpZ24tc3RnIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJpc0NoYWxsZW5nZVBlcmZvcm1lZCI6dHJ1ZSwiY29tcGxldGVkQXQiOjE3NTY5Njk1NTcsImFzc2VydGlvblR5cGUiOiJvd25lcnNoaXAiLCJjZXJ0aWZpZWRNRkFNZXRob2RJZCI6IjIwMDAxIiwiaXNzIjoiaHR0cHM6XC9cL3N0YWdlLnZlcmlmeS5tYXN0ZXJjYXJkLmNvbSIsImF1dGhlbnRpY2F0aW9uRmFjdG9ycyI6IjAyMEEiLCJhcHBJbnN0YW5jZUlkIjoiTEtzWlZSWW5ReGFaeVVSQjNHVFVNQTAwMDAwMDAwMDAxMFVTIiwiYXVkIjoiaHR0cHM6XC9cL21hc3RlcmNhcmQuY29tIiwiY2xpZW50U2Vzc2lvbklkIjoiODZiZDRhOTEtNDZiYS00YjJjLTliNGEtNTllZWEzODEyZjAxIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJGSURPMiIsImRhc0F1dGhlbnRpY2F0b3JJbnN0YW5jZUlkIjoiMk1qZ2xLZ0hSMFM1b2lVaFpqZm9PQTAwMDAwMDAwMDAxMFVTIiwiZXhwIjoxNzU2OTcwNDU3LCJpYXQiOjE3NTY5Njk1NTcsImF1dGhlbnRpY2F0aW9uUmVhc29ucyI6WyJCSU5EX0FVVEhFTlRJQ0FUT1IiXX0.quUB8YtICXtmUOsQb8b_gJwyjvvYjzMpgPeY_VzGsn14deonZBnuj4ACUaRss7O6zNyGmArfm4O6g_p7Wr36vbM0SJ1wDUT-s7d4EJcHwaLDHxZw24wfCtqtt_TGwr-DImHLj1q-Ib70tbMQbO7AqPWSsL5Xgd8kZotF8oBTcxQ8W_G8vlT7xxesqqbmG0J-F2Pak3DY5wa6tn3fiAMndc9b6PchJSCrCZNyYGI8gJsenOlPSXKOC-hbS__tOiWIxsp9GaxQoyfzEWNAcMz8r47nThKHqXVdQlwrItzQKIxGvbncHvjm8SVIZHWPe5aiziWDV8moGaaw8xRqCETh9Q" } } ] } } ``` > **Step 4** > > On successful bind, Mastercard responds back with `credentialId` and `bindingId`. > > The Issuer informs the cardholder that a Mastercard payment passkey has been successfully created. ```json { "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "mJfiO_sKSJ-_DfsdHjkJqw000000000010US", "credentialId": "2MjglKgHR0S5oiUhZjfoOA000000000010US", "bindingId": "LKsZVRYnQxaZyURB3GTUMA000000000010US" } ``` ## Scenario 2 {#scenario-2} **Assumptions** * The Issuer is [onboarded](https://developer.mastercard.com/issuer-enrollment/tutorial/issuer-onboarding-click2pay/index.md) with Click to Pay program on Mastercard Checkout Solutions application to make API calls. * Issuer account ranges are enabled for passkey authentication. In other words, Issuer has been configured for using passkeys. * Test card country and Issuer are configured to be eligible for FIDO as an MFA method. * Issuer has verified the `accountReference` (PAN, email address, phone number) information supplied by the cardholder. * Issuer has captured the cardholder's consent (on behalf of Mastercard) to enroll for a Mastercard payment passkey. **When** > Issuer calls [Sessions](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md#authentication-apis) API with cardholder details, such as email address, phone number, card details, along with the `callbackUri` to initiate Mastercard payment passkey registration. ```json { "srcClientId": "43c3630f-882c-4341-8868-0f73a5fd14d5", "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "assuranceData": { "verificationData": [ { "verificationType": "CARDHOLDER", "verificationEntity": "03", "verificationMethod": "06", "verificationResults": "01", "verificationTimestamp": "1678294563", "verificationEvents": [ "04" ], "additionalData": { "accountReference": { "card": { "primaryAccountNumber": "5299920971401623001", "panExpirationMonth": "08", "panExpirationYear": "2031" } } } }] }, "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "authenticator": { "certifiedSolutionId": "20001", "metadata": { "fido2": { "displayName": "k*****c@mastercard.com" } } } }, "authenticationContext": { "uriData": { "uri": "https://stage.demos.verify.mastercard.com/das-sdk-test/", "uriType": "WEB_URI" } }, "locale": "en-AU" } ``` **Then:** > **Step 1** : > Mastercard responds with a registration `uri` for the Issuer to invoke Mastercard payment passkey registration. ```json { "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "fcjUcwg1QfiHKDbZF3vSdg000000000010US", "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "uriData": { "uri": "https://stage.verify.mastercard.com/auth/passkeys?authSessionId=fcjUcwg1QfiHKDbZF3vSdg000000000010US&clientId=43c3630f-882c-4341-8868-0f73a5fd14d5&clientSessionId=86bd4a91-46ba-4b2c-9b4a-59eea3812f01&locale=en-AU&accessToken=eyJraWQiOiIyMDI0MDkwMjExMTAzOC1zdGctbWMtZGFzLWZlZHJhdGVkLXRva2VuLXNyYy1tYXN0ZXJjYXJkLWludCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJkaWdpdGFsYXV0aGVudGljYXRpb25zZXJ2aWNlIiwic3ViIjoiNjNkNGNiZWYtOGYwZC00NzRkLTk0ZTItN2IyY2ExZjg2ZjhmIiwibmJmIjoxNzU3NDg2NzY1LCJpc3MiOiJodHRwczpcL1wvc3RhZ2UudmVyaWZ5Lm1hc3RlcmNhcmQuY29tIiwiZXhwIjoxNzU3NDg3NjY1LCJpYXQiOjE3NTc0ODY3NjUsImNpZCI6IjYzZDRjYmVmLThmMGQtNDc0ZC05NGUyLTdiMmNhMWY4NmY4ZiJ9.BMZltny8mz8cLav05zkmZfaBz8ijTv0SrIkYPfDn_ki0ToOElmmc8fdB5MYHicx8KdDosYYTuWDUev5KywMEgUUn-EQDRCH6aYoy_Paa5A1SrChWaC8wxsPyNtLSPiuff0z7ScHiEYMZ6U7Py1h0njUswQ01haiIMwcN-p9731rvmbg7FYD3zDf1a8DKbMW2bDvGNb0sPDL95trptl3uu2QD8ajQLy12HY_IKUxBvB0RELcgJ56cJhCdWmxM8JyaSWPKq1jzppKe7DcC7bATic-TgIYiHu6R2HrbaRwl7QOtr6kzS2EOxPWiCa-lAQ9ADVcB8ug3eE_Rqk3BBy-fuQ", "uriType": "WEB_URL" } } } ``` > **Step 2** > > Issuer launches the Mastercard URL in a browser where Mastercard prompts the cardholder to perform verification. > > The cardholder fails to provide correct biometrics and does not authenticate the device. > Mastercard redirects to the `callbackUri` provided by the Issuer with the following error code and error message. ```json https://callback_uri?status=ERROR&reason=CREDENTIALS_CREATION_NOT_ALLOWED ``` > **Step 3** > > The Issuer displays the error message on their app/website to notify the cardholder that Mastercard payment passkey creation has failed. ## Scenario 3 {#scenario-3} **Assumptions** * The Issuer is [onboarded](https://developer.mastercard.com/issuer-enrollment/tutorial/issuer-onboarding-click2pay/index.md) with Click to Pay program on Mastercard Checkout Solutions application to make API calls. * Issuer account ranges are enabled for passkey authentication. In other words, Issuer has been configured for using passkeys. * Test card country and Issuer are configured to be eligible for FIDO as an MFA method. * Issuer has verified the `accountReference` (PAN, email address, phone number) information supplied by the cardholder. * Issuer has captured the cardholder's consent (on behalf of Mastercard) to enroll for a Mastercard payment passkey. **When** > Issuer calls [Sessions](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md#authentication-apis) API with cardholder details, such as email address, phone number, card details, along with the `callbackUri` to initiate Mastercard payment passkey registration. ```json { "srcClientId": "43c3630f-882c-4341-8868-0f73a5fd14d5", "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "assuranceData": { "verificationData": [ { "verificationType": "CARDHOLDER", "verificationEntity": "03", "verificationMethod": "06", "verificationResults": "01", "verificationTimestamp": "1678294563", "verificationEvents": [ "04" ], "additionalData": { "accountReference": { "card": { "primaryAccountNumber": "5299920971401623001", "panExpirationMonth": "08", "panExpirationYear": "2031" } } } }] }, "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "authenticator": { "certifiedSolutionId": "20001", "metadata": { "fido2": { "displayName": "k*****c@mastercard.com" } } } }, "authenticationContext": { "uriData": { "uri": "https://stage.demos.verify.mastercard.com/das-sdk-test/", "uriType": "WEB_URI" } }, "locale": "en-AU" } ``` **Then:** > **Step 1** : > Mastercard responds with a registration `uri` for the Issuer to invoke Mastercard payment passkey registration/validation. ```json { "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "fcjUcwg1QfiHKDbZF3vSdg000000000010US", "authenticationMethod": { "authenticationMethodType": "FIDO2", "authenticationSubject": "CONSUMER", "uriData": { "uri": "https://stage.verify.mastercard.com/auth/passkeys?authSessionId=fcjUcwg1QfiHKDbZF3vSdg000000000010US&clientId=43c3630f-882c-4341-8868-0f73a5fd14d5&clientSessionId=86bd4a91-46ba-4b2c-9b4a-59eea3812f01&locale=en-AU&accessToken=eyJraWQiOiIyMDI0MDkwMjExMTAzOC1zdGctbWMtZGFzLWZlZHJhdGVkLXRva2VuLXNyYy1tYXN0ZXJjYXJkLWludCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJkaWdpdGFsYXV0aGVudGljYXRpb25zZXJ2aWNlIiwic3ViIjoiNjNkNGNiZWYtOGYwZC00NzRkLTk0ZTItN2IyY2ExZjg2ZjhmIiwibmJmIjoxNzU3NDg2NzY1LCJpc3MiOiJodHRwczpcL1wvc3RhZ2UudmVyaWZ5Lm1hc3RlcmNhcmQuY29tIiwiZXhwIjoxNzU3NDg3NjY1LCJpYXQiOjE3NTc0ODY3NjUsImNpZCI6IjYzZDRjYmVmLThmMGQtNDc0ZC05NGUyLTdiMmNhMWY4NmY4ZiJ9.BMZltny8mz8cLav05zkmZfaBz8ijTv0SrIkYPfDn_ki0ToOElmmc8fdB5MYHicx8KdDosYYTuWDUev5KywMEgUUn-EQDRCH6aYoy_Paa5A1SrChWaC8wxsPyNtLSPiuff0z7ScHiEYMZ6U7Py1h0njUswQ01haiIMwcN-p9731rvmbg7FYD3zDf1a8DKbMW2bDvGNb0sPDL95trptl3uu2QD8ajQLy12HY_IKUxBvB0RELcgJ56cJhCdWmxM8JyaSWPKq1jzppKe7DcC7bATic-TgIYiHu6R2HrbaRwl7QOtr6kzS2EOxPWiCa-lAQ9ADVcB8ug3eE_Rqk3BBy-fuQ", "uriType": "WEB_URL" } } } ``` > **Step 2** > > Issuer launches the Mastercard URL in a browser where Mastercard prompts the cardholder to perform verification. > > The cardholder successfully authenticates with an existing Mastercard payment passkey. > > Mastercard provides the proof of authentication (POA) to the Issuer, and redirects to the `callbackUri` provided by the Issuer. > **Step 3** > > Issuer calls the [Authenticators](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md#authentication-apis) API to bind the existing payment passkey to a device and the `accountReference` (PAN, email address, phone number) information. ```json { "srcClientId": "43c3630f-882c-4341-8868-0f73a5fd14d5", "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "mJfiO_sKSJ-_DfsdHjkJqw000000000010US", "assuranceData": { "verificationData": [ { "verificationType": "CONSUMER", "verificationEntity": "02", "verificationMethod": "12", "verificationResults": "04", "verificationEvents": [ "64" ], "verificationTimestamp": "1678294563", "additionalData": { "proofOfAuthentication": "eyJraWQiOiIyMDI1MDMyNDE3MTgwNy1kYXMtbWFjLXNpZ24tc3RnIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJpc0NoYWxsZW5nZVBlcmZvcm1lZCI6dHJ1ZSwiY29tcGxldGVkQXQiOjE3NTY5Njk1NTcsImFzc2VydGlvblR5cGUiOiJvd25lcnNoaXAiLCJjZXJ0aWZpZWRNRkFNZXRob2RJZCI6IjIwMDAxIiwiaXNzIjoiaHR0cHM6XC9cL3N0YWdlLnZlcmlmeS5tYXN0ZXJjYXJkLmNvbSIsImF1dGhlbnRpY2F0aW9uRmFjdG9ycyI6IjAyMEEiLCJhcHBJbnN0YW5jZUlkIjoiTEtzWlZSWW5ReGFaeVVSQjNHVFVNQTAwMDAwMDAwMDAxMFVTIiwiYXVkIjoiaHR0cHM6XC9cL21hc3RlcmNhcmQuY29tIiwiY2xpZW50U2Vzc2lvbklkIjoiODZiZDRhOTEtNDZiYS00YjJjLTliNGEtNTllZWEzODEyZjAxIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJGSURPMiIsImRhc0F1dGhlbnRpY2F0b3JJbnN0YW5jZUlkIjoiMk1qZ2xLZ0hSMFM1b2lVaFpqZm9PQTAwMDAwMDAwMDAxMFVTIiwiZXhwIjoxNzU2OTcwNDU3LCJpYXQiOjE3NTY5Njk1NTcsImF1dGhlbnRpY2F0aW9uUmVhc29ucyI6WyJCSU5EX0FVVEhFTlRJQ0FUT1IiXX0.quUB8YtICXtmUOsQb8b_gJwyjvvYjzMpgPeY_VzGsn14deonZBnuj4ACUaRss7O6zNyGmArfm4O6g_p7Wr36vbM0SJ1wDUT-s7d4EJcHwaLDHxZw24wfCtqtt_TGwr-DImHLj1q-Ib70tbMQbO7AqPWSsL5Xgd8kZotF8oBTcxQ8W_G8vlT7xxesqqbmG0J-F2Pak3DY5wa6tn3fiAMndc9b6PchJSCrCZNyYGI8gJsenOlPSXKOC-hbS__tOiWIxsp9GaxQoyfzEWNAcMz8r47nThKHqXVdQlwrItzQKIxGvbncHvjm8SVIZHWPe5aiziWDV8moGaaw8xRqCETh9Q" } } ] } } ``` > **Step 4** > > On successful bind, Mastercard responds back with `credentialId` and `bindingId`. The Issuer informs the cardholder that the Mastercard payment passkey has been successfully validated. ```json { "srcCorrelationId": "d7ff0bc2-6486-4be5-a0b9-2938bb7b378e", "srciTransactionId": "86bd4a91-46ba-4b2c-9b4a-59eea3812f01", "authenticationSessionId": "mJfiO_sKSJ-_DfsdHjkJqw000000000010US", "credentialId": "2MjglKgHR0S5oiUhZjfoOA000000000010US", "bindingId": "LKsZVRYnQxaZyURB3GTUMA000000000010US" } ```