With the Authorization Controller API (Auth API) Galileo clients have the ability to participate in the approval process for authorization requests that arrive over card-network rails. This guide explains how to use the Auth API and how to interpret the webhook.
You can view the full reference guide for the Auth API webhook fields here:
This guide assumes that you are familiar with the concepts explained in these guides:
To see how specific transaction types are represented in the Events API, Program API and RDF data alongside Auth API data, ask for the Card Transactions Scenarios PDF from Galileo. For actual Auth API webhooks, see Auth API v3 webhook examples on this page.
All new clients are set up on version 3. For clients on version 2 who want to upgrade to version 3, these are the differences between the versions of the Auth API:
- Version 3 includes this field:
response_code_objects— An object that contains a list of response codes and textual descriptions that Galileo calculated when determining the value in
- Version 3 does not include this field:
response_code_list— A list of response codes that Galileo calculated when determining the value in
Version 3 is a breaking change from version 2.
The specifics of your setup will be particular to your use case and to the types of systems you are using. Whatever you construct to handle the Auth API, your endpoint must be able to handle what Galileo sends:
- Authentication uses a JWT with a shared secret. See Security in the Auth API reference for details.
- The webhook payload is sent as an HTTP POST using HTTP/1.1 over TLS.
- You must respond within 2 seconds of the value in the webhook's
timestampfield, which is when Galileo sent the webhook.
- Galileo initiates multiple, simultaneous TCP sessions and sends webhooks in parallel on those connections.
- For efficiency, Galileo uses the keep-alive function instead of terminating each connection.
- How many connections per second depends on how many cardholders you have and how often they perform card transactions. You must use your own business logic to obtain this sizing information.
When designing your implementation of the Auth API, you will need to address issues such as these, as well as others:
- Whether you or Galileo will be the system of record. This decision affects funds flow, how parameters are set on the back end, how you respond to the webhooks, and other considerations.
- How to respond to balance inquiries.
- When to override the Galileo response code, if permitted.
- Whether to implement a real-time funding strategy to transfer funds into a cardholder account to cover the amount of an authorization.
- How to deal with edge cases. Consult the Card Transaction Scenarios PDF for detailed examples of some of the transaction types you will encounter:
- Completions and settlements
- Incremental authorizations
- Reversals and their expiry
This is the general sequence of events for an authorization:
- The merchant sends an authorization request to its acquirer.
- The acquirer forwards the request to the network.
- The network forwards the request to Galileo.
- Gaileo forwards the request to you.
- You return a response to Galileo.
- Galileo forwards the response to the network.
- The network forwards the response to the acquirer.
- The acquirer forwards the response to the merchant, who completes the transaction.
Messages sent between acquirers and issuers over card-network rails conform to the ISO 8583 standard. The standard defines message type indicators (MTIs), which specify the type of message being sent and indicate what kind of response is expected. MTIs are four-digit codes that are broken out as follows, with the values that are most likely to be included with Auth API webhooks:
- First digit — Version of ISO 8583 used
- 0 — 1987 version
- 1 — 1993 version
- Second digit — General purpose of the message
- 1 — Authorization message
- 2 — Financial message
- 4 — Reversals and chargebacks
- Third digit — Message function
- 0 — Request
- 1 — Request response
- 2 — Advice
- 3 — Advice response
- Fourth digit — Session initiator
- 0 — Acquirer
- 2 — Issuer
The typical flow of messages between acquirer and issuer follows this pattern:
- The merchant sends a message to its acquirer.
- The acquirer converts the message into ISO 8583 format and sends the message to the card network with a request or notification-type MTI.
- The network forwards the message to the issuer.
- The issuer processes the message information and then sends a response message to the network with a response-type MTI.
- The network forwards the response to the acquirer.
- The acquirer processes the message and sends the response to the merchant.
For example, when an acquirer sends an authorization request over credit rails, the MTI is 0100, and when the issuer responds it's MTI 0110.
These are the most common MTI request/response combinations that you will encounter with the Auth API.
|Description||From acquirer||Issuer response|
|Authorization or preauthorization request over credit rails or preauthorization request over debit rails||0100||0110|
|Authorization request over debit rails||0200||0210|
|Advice over credit rails||0120||0130|
|Advice over debit rails||0220||0230|
|Authorization reversal over credit or debit rails||0420||0430|
When you send your response to Galileo, you are not required to provide the MTI: Galileo will convert your response into ISO 8583 format and include the appropriate MTI to send to the network.
When the third digit is
2, the message is an advice, which you cannot reject: only a
00response code is permitted.
Alongside the MTI in the webhook, Galileo further breaks down message types based on other information that it receives in the message to provide you with more detail. This information is provided in the
transaction_type fields. These are the combinations you will most likely encounter.
|Authorization request||Auth||Auth||0100 (credit rails)|
0200 (debit rails)
|ATM withdrawal request||Auth||ATM||0200|
|Request for a cash advance from a teller||Auth||Cash Advance||0200|
|Balance inquiry from an ATM or other vendor||Auth||Balance Inquiry||0200|
|Request to apply credit from a merchant||Auth||Merchant Credit||0200|
|Request to load a card||Auth||Payment||0200|
|Request to convert a card into a token for a mobile wallet||Auth||Tokenization||0100|
|Notification of a completion||Advice||Auth||0120 (credit rails)|
0220 (debit rails)
|Notification of a reversal||Reversal||Auth||0420|
The ISO 8583 standard defines data elements (DEs) that contain details about the transaction, such as transaction amounts, card-reader identifier and PIN capabilities, merchant name and identifier, and currency codes and conversion rates. Galileo extracts information from the DEs and converts it into the human-readable field names and values of the Auth API webhook. Because each network uses the DEs differently, the documentation does not indicate which DE corresponds to which Auth API field. Refer to the documentation from each network to see how they use the DEs.
This is the sequence of events between Galileo and you for a typical authorization request.
- Galileo receives an authorization request over a card network's rails in ISO 8583 format.
- Galileo performs validation checks and calculates response codes.
- Galileo converts its response codes and selected elements of the network message into webhook format and sends it to you.
- You apply logic to decide whether to override Galileo's response code, if permitted.
- You send your response to Galileo within two seconds.
- Galileo converts your response into ISO 8583 format and forwards it to the network.
Galileo performs these checks on all incoming authorization requests. The actual order of the checks may vary from what is shown here.
Consult the Authorization Response Codes enumeration to see codes that Galileo supports. You may also arrange with Galileo to send custom response codes, depending on your use case and business requirements.
The PAN must exist in the Galileo system. If the PAN does not exist, Galileo returns
14 (invalid card number) to the network and performs no further checks. When Galileo returns a
14, you do not receive a webhook.
The card-validation checks help ensure that the card used at the point of sale is an authentic card and that an authorized cardholder is presenting it. The summary of card-validation results is in the
See AVS-only checks in the Authorization guide for an explanation of these checks.
Galileo returns the result of an AVSAVS - Address verification service. An authentication method whereby the merchant submits a card's billing address in an authorization request. check in the
avs_result field. In the
avs_data object, Galileo provides the information that it used to perform the check. If you have reason to believe that Galileo is not using the correct address for the account, you can perform AVS yourself and override Galileo's result. See AVS override for more information.
Galileo does not use AVS results to calculate a response code: Merchants decide how to handle each result. It is therefore possible for Galileo to return
avs_result: N with
response_code: 00, which means that there was no AVS match but the transaction is otherwise approved, because the account supports it.
If you do not want AVS checks for your product, such as for gift cards, set the NOAVS product parameter to return a "gift" value for
avs_result. Merchants can decide whether to accept the result as success or failure and then proceed according to their business policies.
When a PIN is not provided, the transaction usually arrives at Galileo over credit rails and
When a PIN is provided, the transaction usually arrives at Galileo over debit rails. These are the steps for validating the PIN. The actual order of the steps may vary from what is shown here:
- Galileo checks whether a PIN has been set for the card. If it has not been set, Galileo returns
55(incorrect PIN) and
- If a PIN has been set, Galileo checks whether PBLOK permits this type of PIN transaction. If it does not, Galileo returns
57(transaction not permitted to cardholder) and
- If this type of PIN transaction is permitted, Galileo checks whether the PIN has been locked after exceeding the number of failed PIN attempts. If it has, Galileo returns
75(allowable number of PIN tries exceeded) and
pin: L(locked). (The failed PIN count will reset to zero after the time specified in PBTIM.)
- If the PIN has not been locked, Galileo compares the provided PIN to the hashed PIN that Galileo has on record. If the PINs do not match, Galileo returns
55(incorrect PIN) and
- If all checks are passed, the
Some implementations of EMV chips permit card readers to validate PINs without contacting the issuer. With offline PIN validation, the chip contains a PIN block (encrypted PIN) that the card reader compares to the PIN provided on the keypad. The card reader includes the result in the authorization request message.
Galileo passes the summary of the result in the
offline_pin field. This table shows which other fields will be populated according to the result.
|Offline PIN attempts exceeded|
|Ignored, because the transaction amount is less than a specified threshold||None|
terminal_verification_results (TMV) object inside the
emv object contains the results of the PIN verification. The
raw field contains a value provided by the network, and the meaning of the value is different for each network. Galileo provides the interpretation of the
raw field in the rest of the fields inside the TMV object.
When a cardholder changes the PIN for an offline-PIN-enabled card, the PIN in the chip must be updated the next time the cardholder inserts the card into a reader. By default, the update process rejects the first three PIN-verification attempts, because the new PIN that the cardholder enters and the embedded PIN are not the same. After the three failed attempts, the card reader then goes online to retrieve the new PIN from the issuer, and then it writes the new PIN on the chip. When the card reader is requesting online PIN verification from Galileo, then
To avoid a negative cardholder experience with multiple failed PIN attempts, you can set the FTPDY and FTPAM parameters so that the PIN block is updated on the chip after the first failed PIN attempt following a PIN change.
Galileo checks whether the CVV matches the hashed CVV in the Galileo system. There are three possible CVV values to match, depending on how the card information was acquired:
- CVV1 — Embedded in tracks 1 and 2 of a magnetic stripe, it verifies that merchants have the physical card in their possession for card-present transactions. When this CVV does not match, Galileo returns
05(do not honor).
- CVV2 — Printed on a card, this three-digit number is used for card-not-present transactions. When this CVV does not match, Galileo returns
N7(CVV2 error) for Visa or
05(do not honor) for Mastercard.
- CVV3 — This code is cryptographically generated by a contactless transaction and verified by the issuer. When this CVV does not match, Galileo returns
05(do not honor) and
Some e-commerce sites add another layer of cardholder verification using the 3-D Secure protocol (3DS), which is a two-step authentication process that cardholders must pass at the time they attempt to make a purchase on a 3DS-enabled web site. The standard in general is facilitated by EMVco, and each card network has a branded implementation of 3DS:
- Visa — Visa Secure
- Mastercard — SecureCode
- Discover — ProtectBuy
Galileo recommends that you obtain documentation from the networks to better understand how they implement 3DS.
This table shows country-by-country requirements for 3DS as of October 2021.
|Countries with regulation requiring a service like 3DS||Countries that strongly recommend having 3DS||No current requirements for 3DS|
|All European countries|
For 3DS to be successful, three entities must be participating in 3DS:
- The merchant
- The issuer
- The cardholder
When a cardholder attempts to make a purchase on a 3DS-enabled site, the results of the authentication are passed in the authorization request, and Galileo includes them in the
aav field and the
ecommerce object. When the e-commerce site does not implement 3DS,
is_ecommerce: false and the remaining fields in the
ecommerce object are not sent.
Galileo does not currently perform 3DS validation. You may integrate with a third-party 3DS provider, called an access control server (ACS), if you want to support 3DS, or you may use the networks' on-behalf services. The 3DS-related fields that Galileo relays in the Auth API webhook show the results of 3DS validation after it has been performed by the ACS or network. Galileo approves or denies transactions based on the validation results, and so these fields are provided for your information, not for decisioning.
As you parse the
ecommerce object, remember that some combinations of values result in a liability shift from the merchant to the issuer. Consult the documentation from each network to see which results trigger a liability shift.
The AAVPV product parameter controls whether Galileo uses the validation results that it receives from the ACS or network when deciding whether to approve a transaction. Set this value to
Y for Galileo to use the validation results. When this parameter is not set, Galileo does not use 3DS validation results for decisioning.
Galileo checks product and account settings to determine whether the transaction type is permitted to the cardholder. When any of the following items is true, Galileo returns
- The card is frozen.
- ATM withdrawals are blocked by account feature 9 or PBLOK.
- Point-of-sale (POS) transactions are blocked by PBLOK.
- Recurring transactions are blocked by BLKRI.
- Non-mobile-wallet transactions are blocked by account feature 20.
- Card-present transactions (except mobile wallet) are blocked by account feature 21.
- Mobile wallet transactions are blocked by account feature 22.
- Card-not-present transactions are blocked by account feature 6.
- Cash transactions are blocked by product settings.
- Cashback transactions are blocked by CASHB.
- Cash advances are blocked by account feature 10.
- Cash and POS transactions are blocked in this country.
- International transactions are blocked by account feature 8.
- Transactions with this MCC are blocked.
- Card loads are not allowed by product settings.
Where there is an account feature blocking the transaction, you can call Set Account Feature to unblock the transaction type for that account. Where a product parameter or product settings block the transaction, you can ask Galileo to change the setting for the product.
Galileo verifies that the account can support the transaction.
Galileo verifies that the card and account statuses are both
N (normal, active). If the card status is
S (stolen), Galileo returns
43 (stolen card, pick up), or if the card status is
L (lost), Galileo returns
41 (lost card). For any other account statuses besides
L, Galileo returns
05 (do not honor).
For card-not-present transactions, the expiry date that the cardholder entered is in
merchant_supplied_expiration_date. For card-present transactions the expiry data in the magnetic stripe is in
Galileo checks the expiry date against the expiry date in the Galileo system to ensure that the values match. Galileo provides the date that it has on file in
expiration_date. If the dates do not match, Galileo returns
54 (card expiration date mismatch). If the expiration date has passed, Galileo also returns
If Galileo holds the account balance, Galileo checks the available funds in the cardholder account against the amount in
trans_amount. The available funds do not include any holds, such as from previous unsettled authorizations. Galileo populates the available funds in the
available_funds field in the
amounts object. This value represents the account balance before the transaction is applied.
If you hold the account balance, you must determine whether the account can support the amount in
trans_amount, based on your records.
If the account does not contain sufficient funds, the standard response code is
51 (insufficient funds). However, there are several ways to address insufficient funds without returning
- Partial authorization — If the merchant accepts partial authorizations (
partial_supported: true), you or Galileo can return the amount of the authorization in
partial_amountwith response code
- Overdraft — If you have set up overdraft, your account settings determine whether an ATM withdrawal can use overdraft (ODATM) and also whether the overdraft funds are moved at the time of authorization or settlement (ODTOR).
- Real-time funding — You move funds from a dedicated account into the cardholder account to cover the authorization amounts.
Galileo checks whether the transaction violates velocity limits—whether the amount or number of transactions exceeds a threshold. These velocity limits are determined at the time you set up your products. If
trans_amount is too high Galileo returns
61 (exceeds withdrawal amount limit) or if the number of transactions is too high within a specified period Galileo returns
65 (exceeds withdrawal frequency limit).
These other checks validate characteristics of the transaction not included in the previous categories.
According to your product settings you can prohibit transactions with certain merchant types (per MCC) or by country. For ATM withdrawals in specified countries you can prohibit transactions at certain times of day. If the MCC or country is prohibited, Galileo returns
05 (do not honor).
Galileo compares the value that the network provides in
risk_score with the value set in product parameters (BRSGE, BRSMC or BRSPU). If the risk score exceeds the threshold, Galileo returns
59 (suspected fraud).
If you are using Galileo's dynamic fraud rules engine, any rule violations are reported in the
rules_warned fields, provided you have the RULAP product parameter set. When the rule violations are sufficient to deny a transaction, Galileo returns
Networks send tokenization requests when the card is first provisioned to a mobile wallet, either with manual provisioning or push-provisioning. (See About Mobile Wallets for the Galileo provisioning procedures.) A tokenization request for an initial provisioning has the name of the wallet provider for
Merchants also send tokenization requests to perform AVS checks on tokenized cards before accepting the cards as payment in an app or on a website. In this case,
The network relays provisioning requests that it receives from wallet providers and merchants. The requests are MTI 0100 and contain the PAN and cardholder identifiers.
- If the card was push-provisioned through your app or web site, the cardholder's identity and card information have already been verified. Galileo responds with
- If the card was manually provisioned, the wallet provider is requesting additional verification checks such as AVS, CVV2, and the last four digits of the cardholder's phone number. Galileo responds with the AVS result plus
00, depending on which checks were passed. For initial provisioning requests, see the Manual provisioning workflow in the About Mobile Wallets guide for details.
- For merchant AVS requests, Galileo responds to a successful check with code
85(AVS requested to verify account) or with
05(do not honor) to an unsuccessful check.
Based on the checks Galileo performs, Galileo populates
response_code_list (version 2) or
response_code_objects (version 3). From these lists, Galileo selects the response code to return in the
response_code field. Galileo chooses the
response_code from among multiple codes according to a proprietary algorithm.
00 (success) if no other response codes were generated or if the authorization message is an advice. When the response code is
response_code_list is empty.
Your response must be in JSON format. Sample responses are in the reference (Version 2, Version 3). The response must arrive at Galileo within two seconds of the time Galileo sent the webhook to you. If you do not respond in time, Galileo may perform fallback processing, depending on your arrangements with Galileo. See Fallback processing for more information.
You are permitted to override Galileo's responses only under certain circumstances.
Galileo recommends that you build logic to override these response codes only:
10— Approved for partial amount
51— Insufficient funds
59— Suspected fraud
Overriding these response codes requires bank approval. To add more response codes to override after initial setup, you will need additional bank approval and a legal addendum to the Master Service Agreement.
When Galileo performs AVS checks, the verdict is in the
avs_result field and the values used to perform the check are in the
avs_data object. If you have reason to believe that Galileo does not have the latest address information, you can perform AVS yourself on the updated address and populate
avs_response to override Galileo's result.
When Galileo returns
51 (insufficient funds), you can override it in one of two ways: partial authorization or real-time funding. Alternatively, Galileo can provide partial authorizations.
Merchants determine whether they will accept partial authorizations. If the merchant accepts partial authorization, then
If you hold the balance, populate
partial_amount with the amount to authorize for the transaction and return
response_code: 10 (approved for partial amount) or
response_code: 87 (approved for partial purchase amount but not cash back).
If Galileo holds the balance, the
partial_amount field is already populated with the amount to authorize—which will be the available balance—and
response_code: 10. If you do not want to authorize the partial amount, return
response_code: 51 to override Galileo's code.
If you never want to support partial authorizations, set the PAPPR parameter.
As desired, you can put in place a rule to transfer funds into a cardholder account to cover the amount of an authorization when the cardholder account has insufficient funds. In that case, you populate these fields:
transfer_prn— The PRNPRN - Payment reference number (pmt_ref_no). The 12-digit Galileo-generated account identifier, which exists independently of the PAN or other identifiers. of the account to provide funds.
transfer_amount— The amount of the transfer.
source_transfer_type— Transaction type code for the account in
dest_transfer_type— Transaction type code for the cardholder account.
The activity type will be
AD (adjustment) for both the source account and cardholder account. Use the transfer type codes that Galileo provided in a specially curated list of codes.
For example, if the cardholder has $25.00 in their account and the amount of the authorization is $30.00, you could transfer $5.00 into the cardholder account and return
override_limit field you can override velocity limits that are set for the product. Exercise caution with this type of override, however. Confirm with your bank that you are able to override limits and ensure that you have clearly defined which circumstances permit an override.
A typical balance inquiry is a separate transaction with
trans_amount: 0.00 and
transaction_type: Balance Inquiry. For these standalone inquiries,
eligible_for_balance_return is always
true. When Galileo holds the balance, Galileo returns
00 (success) and provides the balance that it has in
available_funds. If you hold the account balance, populate
available_balance with the current available balance and return
response_code: 00. If you do not populate
available_balance, Galileo will return the balance that it has on record.
If you have a Mastercard program, your product parameters control which merchant category codes (MCCs) can receive the account balance in the U.S., Canada, Mexico, and Colombia. For Visa programs, product parameters specify only whether balance inquiries are permitted. In the case of Visa transactions, balance inquiries are permitted only at ATMs. For both networks, balance inquiries are permitted only for card-present transactions.
With Mastercard, a "courtesy balance" request might also be included in a conventional authorization request, such as at a retail merchant where the merchant wants to print the balance on the receipt. In that case,
eligible_for_balance_return: true and
transaction_type contains a value other than
Balance Inquiry. You may provide the balance in
available_balance or Galileo will provide it.
When Galileo receives a balance inquiry, and product settings indicate that merchant is not eligible to receive the balance, Galileo responds with
05 (do not honor).
In the Authorized Transactions RDF, balance inquiries are identified by
TRANSACTION CODE 10. These inquiries are not included in the Posted Transactions RDF, Program API responses, or the CSTCST - Customer Service Tool. Software that the Galileo customer service team uses, which is also available to providers, to view and manage customers and their accounts..
When you do not respond to Galileo in time, Galileo can perform "fallback" processing, meaning that Galileo either responds with
05 (do not honor) for all transactions, or it returns the response that it has calculated, depending on how the APIFB product parameter is set. When this parameter is not set, Galileo returns
05 (do not honor) for all transactions that you do not respond to. When APIFB is set to
Y, Galileo returns the response that it has calculated.
If Galileo will provide fallback processing and you are the system of record, you must devise a way to keep Galileo updated on your account balances so that Galileo can determine whether accounts have sufficient balance. You could send a batch file every few hours, for example.
When Galileo does not receive your response in time, it sends the
OATO: Auth_API_Timeout event, and then Galileo sends you the
AUFB: auth_fallback Authorization Event to notify of both approved and denied fallback authorizations.
In some cases, the network must make a decision on Galileo's behalf, such as when Galileo does not respond to an authorization request from the network in time. The network may also process a transaction instead of sending it to Galileo first, for a variety of reasons. When you set up your relationship with the card network, you specify how and when the network will perform this stand-in processing (STIP).
When the network stands in to deny a transaction it notifies Galileo, and Galileo sends you the
STPD: denied_auth_stip Authorization Event API webhook, provided that the STIPD parameter has been enabled. These denied transactions are not sent as Auth API webhooks to avoid confusion regarding pre-denied advices, and are purely informational.
When the network stands in to approve a transaction it sends an advice to Galileo, which Galileo relays to you as an MTI 0120 or 0220 message. Galileo also sends you the
BAUT: auth Authorization Event webhook.
Galileo not responding to the network is only one reason why the network performs STIP. The
stip object in the request payload is populated with the advice reason code in the
detail field, which Galileo relays from the network. This detail is currently only supported for Mastercard and Visa.
These are some of the advice reason codes that may populate the STIP
detail field. Consult the documentation from each network for more possible codes: the SMS POS Technical Specification for field 63.4 for Visa, and the Single Message System Specifications and Customer Interface Specification for field DE 60 for Mastercard.
|Mastercard||4000000||Late response from issuer|
|Visa||9020||The response from issuer timed out|
|Visa||9054||Online CAM validation failed|
|Visa||9061||Internal system error or other switch-detected error condition|
Because it is not possible to test the Auth API in CVCV - Client Validation. A test environment where you can test your implementation before moving it to Production., use these code samples (called Recipes) to test your system. These samples come from actual Auth API v3 webhooks. You can also find these Recipes by clicking Recipes in the top navigation bar.
For common Authorization Events sequences, see Authorization events in the Events API Scenarios guide. Also see the examples in the Card Transaction Scenarios PDF.
These are some of the parameters that control the behavior of the Auth API. Also see Galileo setup in the Authorization guide for parameters that affect authorization behavior.
|APIFB||Controls whether to perform fallback processing when your response to the webhook times out. When this parameter is |
|APPOL||Controls whether you review all transactions via the Auth API or only transactions that pass Galileo’s initial check.|
|AUAPR||Controls whether Galileo waits for a response to an advice. When set to |
|MLAPI||Contains the |
|RULAP||Controls whether to send a comma-separated list of rule names that caused a DENY or WARN for an authorization in the Auth API request payload. The DENY rules are in the |
Updated 3 months ago