# Authenticating Entity
source: https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md

An authenticating entity (AE) is a merchant, service provider, or digital wallet that uses a multi-factor authentication (MFA) method to authenticate cardholders in remote commerce token transactions.

The Authenticating Entity performs the following actions:

* Onboards an MFA method by undergoing the required certification process outlined in the [Mastercard Token Authentication Framework Guide](https://trc-techresource.mastercard.com/r/bundle/m_mc_taf_g_en-us/page/d/en-US/kof1745837091084.html). Contact a Mastercard representative for more details.
* Generates the assertionJWT to pass to the Integrator:
  * To initiate the [Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#bindMfaMethod) API call. See [Generate assertionJWT during Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generate-assertionjwt-during-bind).
  * To initiate the [Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#checkout) API call and pass it within the `assuranceData` object. See [Generate assertionJWT during Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generate-assertionjwt-during-checkout).

Tip: You can disregard any additional fields that appear in requests, responses, or API specs but are not defined in this documentation.

## Generate assertionJWT during Bind {#generate-assertionjwt-during-bind}

The binding assertion is a JWT, signed using the key pair provided during the MFA method onboarding.

On successful cardholder enrollment into the MFA method, the Authenticating Entity must:

1. Create the assertionJWT during the Bind flow
2. Sign it using the MFA private key

An Integrator provides the assertion information to Mastercard Checkout Solutions in the [Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#bindMfaMethod) request via the `authenticator.credentials.assertion.client` object.

Mastercard Checkout Solutions verifies the JWT signature using the MFA public key (provided during the MFA method onboarding) and validates the information for binding.

Steps to generate the `assertionJWT`:

* The cardholder enrolls in the MFA method, which is managed by the AE.
* After successful enrollment, the AE provides the following details to the Integrator.
* Provide the assertionJWT in the `authenticator.credentials.assertion.client` object.

### Signed JWT Detail {#signed-jwt-detail}

A JWT signed with the private key. An Integrator needs to pass the JWT in the [Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#bindMfaMethod) API request.

Below are the claims of the Assertion JWT for binding in assurance data; the JWT needs to be signed with the private key.

|           Name           |  Type  |   Mandate   |                                                                                               Description                                                                                                |                Example                 |
|--------------------------|--------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|
| **aud**                  | String | Required    | Audience of the JWT.                                                                                                                                                                                     | "<https://mastercard.com>"             |
| **iss**                  | String | Required    | Issuer of the JWT.                                                                                                                                                                                       | "merchant.com"                         |
| **sub**                  | String | Optional    | Subject of the JWT. Must be value of `certifiedSolutionId`.                                                                                                                                              | "43SA5"                                |
| **exp**                  | String | Required    | Expiration Time Claim. The exp (expiration time) claim identifies the expiration time on or after which the JWT must **not** be accepted for processing.                                                 | "1767225599"                           |
| **iat**                  | String | Required    | Issued At Claim. The iat (issued at) claim identifies the time at which the JWT was issued.                                                                                                              | "1761782399"                           |
| **jti**                  | String | Required    | A unique identifier for the JWT.                                                                                                                                                                         | "f2cca1ba-73cb-412c-8ab4-321a247b1488" |
| **externalCredentialId** | String | Conditional | Client generated unique identifier identifying the MFA Method Instance. *Conditionality:* required if `credentialId` is not present.                                                                     | "bf8c5b2b-28ce-48d8-acbc-cc82f51478c6" |
| **credentialId**         | String | Conditional | Mastercard generated unique identifier identifying the MFA Method Instance. *Conditionality:* required if `externalCredentialId` is not present or if binding a card to an existing MFA Method instance. | "f4122d1b-e0cf-43fa-b41b-eeb16d9410b3" |
| **certifiedSolutionId**  | String | Required    | Unique identifier for the certified MFA method. Generated by Mastercard after the successful certification of the MFA Method.                                                                            | "43SA5"                                |
| **mfaMethodConsentAt**   | String | Required    | The timestamp for which the consumer consented to enroll in the MFA method.                                                                                                                              | "1683007122"                           |

#### Example - Signed JWT {#example---signed-jwt}

```json
"Header"
{
  "typ": "JWT+ext.binding_assertion_token",
  "alg": "RS256",
  "kid": "Public_key_id_onboarded_with_certified_solution"
}
"Payload"
{
  //"sub": "43SA5", //certifiedSolutionId
  "certifiedSolutionId": "43SA5",
  "aud": "https://mastercard.com",
  "iss": "merchant.com",
  "externalCredentialId": "bf8c5b2b-28ce-48d8-acbc-cc82f51478c6",
  "mfaMethodConsentAt": 1683007122,
  "exp": 1683007723,
  "iat": 1683006823,
  "jti": "f2cca1ba-73cb-412c-8ab4-321a247b1488"
}
```

## Generate assertionJWT during Checkout {#generate-assertionjwt-during-checkout}

An Integrator provides the assertion information to Mastercard Checkout Solutions in the [Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#checkout) request.

Mastercard Checkout Solutions verifies the JWT signature using the MFA public key (provided during the MFA method onboarding) and validates the information.

Below are the required steps for an Authenticating Entity:

1. Create the assertionJWT.
2. Provide the signed JWT. This JWT is signed using the MFA private key.
3. Provide the base64-encoded assertionJWT in the `assertion.client` object.

### Signed JWT Detail {#signed-jwt-detail-1}

The Assertion JWT is signed with the AE's private key.

|            Name             |  Type  |   Mandate   |                                                                                                                                                                                                                                 Description                                                                                                                                                                                                                                 |                 Example                 |
|-----------------------------|--------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
| **authenticationResult**    | String | Required    | The result of the authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                           | "01"                                    |
| **aud**                     | String | Required    | Audience of the JWT.                                                                                                                                                                                                                                                                                                                                                                                                                                                        | "<https://mastercard.com>"              |
| **sub**                     | String | Required    | Subject of the JWT. Must be the `srcDigitalCardId` value.                                                                                                                                                                                                                                                                                                                                                                                                                   | "b0a44b59-b709-46d5-b6f6-42d2f31ad6de"  |
| **srcDigitalCardId**        | String | Required    | The `srcDigitalCardId` value. Warning: Please note, this field will be deprecated starting **January 2026**                                                                                                                                                                                                                                                                                                                                                                 | "b0a44b59-b709-46d5-b6f6-42d2f31ad6de " |
| **iss**                     | String | Required    | Issuer of the JWT.                                                                                                                                                                                                                                                                                                                                                                                                                                                          | "merchant.com"                          |
| **authenticationMethod**    | String | Required    | The method of verification.                                                                                                                                                                                                                                                                                                                                                                                                                                                 | "06" - Proprietary "07"- FIDO2          |
| **authenticationReasons**   | Array  | Required    | List of reasons for authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                         | `TRANSACTION_AUTHENTICATION`            |
| **transactionAmount**       | String | Required    | The transaction amount.                                                                                                                                                                                                                                                                                                                                                                                                                                                     | "100.00"                                |
| **transactionCurrencyCode** | String | Required    | ISO 4217 three-digit currency code for the transaction.                                                                                                                                                                                                                                                                                                                                                                                                                     | "USD"                                   |
| **externalCredentialId**    | String | Conditional | Client generated unique identifier identifying the MFA Method Instance. *Conditionality* : required if `credentialId` is not present.                                                                                                                                                                                                                                                                                                                                       | "bf8c5b2b-28ce-48d8-acbc-cc82f51478c6"  |
| **credentialId**            | String | Conditional | Mastercard generated unique identifier identifying the MFA Method Instance. *Conditionality* : required if `externalCredentialId` is not present.                                                                                                                                                                                                                                                                                                                           | "f4122d1b-e0cf-43fa-b41b-eeb16d9410b3"  |
| **certifiedSolutionId**     | String | Required    | Unique identifier for the certified MFA method. Generated by Mastercard after the successful certification of the MFA Method.                                                                                                                                                                                                                                                                                                                                               | "43SA5"                                 |
| **authenticationFactors**   | String | Required    | Authentication factors used for a given MFA. When an MFA method is used on a transaction, it contains the authentication factor 1 and 2 that was used to authenticate the cardholder during the transaction. The authentication factors should be the same or a subset of what was certified for that MFA. For a list of authentication factors, see the [TAF Program Guide](https://trc-techresource.mastercard.com/r/bundle/m_an6787_en-us/page/z/nhd1668804048469.html). | "020A"                                  |
| **appInstanceId**           | String | Optional    | UUID identifying the device.                                                                                                                                                                                                                                                                                                                                                                                                                                                | "05c666b6-c833-46c2-a4ab-6321fc3cfe8c"  |
| **exp**                     | String | Required    | Expiration Time Claim. The exp (expiration time) claim identifies the expiration time on or after which the JWT must **not** be accepted for processing. The JWT is valid for 5 minutes.                                                                                                                                                                                                                                                                                    | "1709806259"                            |
| **iat**                     | String | Required    | Issued At Claim. The iat (issued at) claim identifies the time at which the JWT was issued.                                                                                                                                                                                                                                                                                                                                                                                 | "1709805359"                            |
| **jti**                     | String | Required    | A unique identifier for the JWT.                                                                                                                                                                                                                                                                                                                                                                                                                                            | "ff573bd5-0357-4c22-be5f-03dd9102f7ac"  |
| **completedAt**             | String | Required    | The time when authentication was completed.                                                                                                                                                                                                                                                                                                                                                                                                                                 | "1709806259"                            |

#### Example - Signed JWT {#example---signed-jwt-1}

```json
"Header"
{
  "typ": "JWT+ext.assertion_token",
  "alg": "RS256",
  "kid": "Public_key_id_onboarded_with_certified_solution"
}

"Payload"
{
  "sub": "51a977f3-bda4-498b-901d-b48ad4d97abv", //srcDigitalCardId
  "aud": "https://mastercard.com",
  "iss": "merchant.com",
  "authenticationResult": "01",
  "authenticationMethod": "06",
  "authenticationReasons": ["TRANSACTION_AUTHENTICATION"],
  "transactionAmount": "100.00",
  "transactionCurrencyCode": "USD",
  "externalCredentialId": "bf8c5b2b-28ce-48d8-acbc-cc82f51478c6",
  "credentialId": "f4122d1b-e0cf-43fa-b41b-eeb16d9410b3", //Optional
  "certifiedSolutionId": "43SA5",
  "appInstanceId": "05c666b6-c833-46c2-a4ab-6321fc3cfe8c", //Optional
  "authenticationFactors": "020A",
  "iat": 1709805359,
  "exp": 1709806259,
  "completedAt": 1709806259
}
```
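
The signing steps from both the Bind and Checkout sections, as an added example (not Mastercard's code): it builds and RS256-signs each assertion with Node.js built-ins, then checks it locally with the public key. The key pair, the `kid` value, and the helper names `signAssertion`, `verifyAssertion` and `demo` are assumptions; the claim values are constructed from the examples on this page.

```javascript
// Added example (not Mastercard code); uses only Node.js built-ins.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const decodePart = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Compact JWS: base64url(header) "." base64url(payload) "." base64url(signature)
function signAssertion(typ, kid, claims, privateKey) {
  const header = { typ, alg: 'RS256', kid };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // RS256 is RSASSA-PKCS1-v1_5 with SHA-256, the default padding for crypto.sign with an RSA key.
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Hypothetical local self-check before handing the token to the Integrator.
// A generic RS256 check, not Mastercard's validation logic.
function verifyAssertion(jwt, publicKey, expectedTyp, now) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = decodePart(parts[0]);
  // Pin alg and typ rather than trusting whatever the token header claims.
  if (header.alg !== 'RS256' || header.typ !== expectedTyp) throw new Error('unexpected header');
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), publicKey,
    Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = decodePart(parts[1]);
  if (!(claims.iat <= now && now < claims.exp)) throw new Error('outside iat/exp window');
  return claims;
}

// Constructed sample values. The throwaway key pair stands in for the MFA key pair
// from onboarding; 'constructed-kid' stands in for the onboarded public key id.
function demo(now) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const common = {
    aud: 'https://mastercard.com', iss: 'merchant.com', certifiedSolutionId: '43SA5',
    externalCredentialId: 'bf8c5b2b-28ce-48d8-acbc-cc82f51478c6', iat: now,
  };
  const bindJwt = signAssertion('JWT+ext.binding_assertion_token', 'constructed-kid', {
    ...common, mfaMethodConsentAt: now - 60, jti: crypto.randomUUID(),
    exp: now + 900, // same iat-to-exp gap as the page's Bind example
  }, privateKey);
  const cardId = 'b0a44b59-b709-46d5-b6f6-42d2f31ad6de';
  const checkoutJwt = signAssertion('JWT+ext.assertion_token', 'constructed-kid', {
    ...common, sub: cardId, srcDigitalCardId: cardId, authenticationResult: '01',
    authenticationMethod: '06', authenticationReasons: ['TRANSACTION_AUTHENTICATION'],
    transactionAmount: '100.00', transactionCurrencyCode: 'USD', authenticationFactors: '020A',
    completedAt: now, jti: crypto.randomUUID(),
    exp: now + 300, // "The JWT is valid for 5 minutes"
  }, privateKey);
  // Checkout step 3: base64 encode the signed JWT for the assertion.client object.
  const assertionClient = Buffer.from(checkoutJwt).toString('base64');
  return { bindJwt, checkoutJwt, assertionClient, publicKey };
}

const nowSec = Math.floor(Date.now() / 1000);
const sample = demo(nowSec);
console.log(verifyAssertion(sample.checkoutJwt, sample.publicKey, 'JWT+ext.assertion_token', nowSec));
```

The local check rejects a Bind token presented as a Checkout token, any payload edited after signing, and a token checked at or after its `exp`.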

