Auth API Webhook 2.0

With the Auth API 2.0 webhook, you can participate in authorization decisions. For this webhook there is only one verb: POST. Galileo sends information about the authorization request in the body of the HTTP request, in JSON. Your decision should be in the body of the HTTP response.

In the authorization information that Galileo sends, the response_code is the current response code to be returned to the merchant, unless you override it. Use the response_code field in the HTTP response body to override the authorization response code, as desired.

See the Authorization Controller API guide for more information.

📘

About the field properties

Galileo initializes the webhook payload by setting all fields to null. As values come in with the ISO 8583 authorization request, Galileo populates the respective payload fields with the data the network sends, which can include empty strings (" "). This documentation shows the field properties (data type, nullability, required) that are most likely. However, variations by network and transaction type mean that a few of the values passed in the webhook payload can vary from what is shown here.

{
  "auth_type": "Auth",
  "merchant": {
    "merchant_id": "111111111111",
    "acquirer_id": "33333",
    "terminal_network": null,
    "merchant_description": "APPLE.COM/BILL         866-712-7753  CA ",
    "merchant_country": "840",
    "terminal_id": "222222",
    "merchant_state": "CA",
    "merchant_postal_code": "95014"
  },
  "risk_code": "39",
  "ecommerce": {
    "raw_eci": "210",
    "merchant_asserts_data_protection": true,
    "is_ecommerce": true,
    "merchant_asserts_authenticated": false,
    "merchant_asserts_authentication_attempted": false,
    "merchant_authentication_assertions_validated": null
  },
  "pin_entry_capability": "Other",
  "advanced_auth_api_fields": null,
  "service_processing_type": null,
  "timestamp": "20250702:172327MST",
  "mcc": 5818,
  "avs_data": {
    "zip": "999999999",
    "address": "*****"
  },
  "original_id": 0,
  "international": false,
  "id": "obiFh9L8ioy4_rZB_AQ12A",
  "eligible_for_balance_return": false,
  "validation_results": {
    "arqc": "N",
    "cvv3": "N",
    "pin": "N",
    "avs_result": "Y",
    "aav": "N",
    "cvv1": "N",
    "offline_pin": "N",
    "cvv2": "N"
  },
  "auth_id": 5555555,
  "account": {
    "track_expiration_date": null,
    "xid": 4444444,
    "merchant_supplied_expiration_date": "2712",
    "account_status": "N",
    "expiration_date": "2712",
    "prn": "999101661602",
    "card_status": "N",
    "pan": "3293",
    "cad": 55555
  },
  "transaction": {
    "transaction_initiator_code": "M101",
    "cardholder_present": "N",
    "recurring": "Y"
  },
  "network": "Mastercard",
  "amounts": {
    "cashback_amount": "0.0",
    "local_currency_amount": "1.99",
    "upcharge_amount": "0.0",
    "billing_currency_amount": "1.99",
    "trans_amount": "1.99",
    "available_funds": "3.75",
    "billing_currency": "840",
    "currency": "840",
    "amt_til_limit": "2500",
    "local_currency": "840",
    "exchange_rate": "61000000",
    "fee_amount": "0.00"
  },
  "entry_type": "Card On File",
  "response_code": "00",
  "response_code_list": [],
  "emv": {
    "is_emv": false
  },
  "transaction_type": "Auth",
  "risk_score": "1",
  "version": "2.0",
  "partial_supported": false,
  "subnetwork": "Mastercard Banknet",
  "mti": "0100",
  "bai": null
}

{
  "auth_type": "Auth",
  "merchant": {
    "merchant_id": "MMMMMMMMM",
    "acquirer_id": "777777",
    "terminal_network": null,
    "merchant_description": "LYFT   *XD RENTAL FEE  SAN FRANCISCO CA ",
    "merchant_country": "840",
    "terminal_id": "ZZZZZZ",
    "merchant_state": "CA",
    "merchant_postal_code": "94104"
  },
  "risk_code": "43",
  "ecommerce": {
    "raw_eci": "210",
    "merchant_asserts_data_protection": true,
    "is_ecommerce": true,
    "merchant_asserts_authenticated": false,
    "merchant_asserts_authentication_attempted": false,
    "merchant_authentication_assertions_validated": null
  },
  "pin_entry_capability": "Other",
  "advanced_auth_api_fields": {
    "7": "0703002327",
    "12": "172327",
    "13": "0702",
    "48": {
      "subfield 75": "01036510202430303651040243050200",
      "subfield 33": "",
      "subfield 71": "18C ",
      "subfield 61": "00001",
      "subfield 95": ""
    },
    "22": {
      "subfield 2": "0"
    },
    "61": {
      "subfield 8": "0",
      "subfield 1": "1",
      "subfield 3": "2",
      "subfield 4": "5",
      "subfield 5": "1",
      "subfield 6": "1",
      "subfield 7": "0",
      "subfield 12": "00",
      "subfield 10": "6"
    },
    "63": {
      "subfield 2": "MAOMKH"
    }
  },
  "service_processing_type": null,
  "timestamp": "20250702:172327MST",
  "mcc": 4121,
  "avs_data": {
    "zip": "22222",
    "address": "*****"
  },
  "original_id": 0,
  "international": false,
  "id": "vDD2EvC0RUSwe_VRyzQbD0",
  "eligible_for_balance_return": false,
  "validation_results": {
    "arqc": "N",
    "cvv3": "N",
    "pin": "N",
    "avs_result": "Z",
    "aav": "N",
    "cvv1": "N",
    "offline_pin": "N",
    "cvv2": "N"
  },
  "auth_id": 22222222,
  "account": {
    "track_expiration_date": null,
    "xid": 4444444,
    "merchant_supplied_expiration_date": "3006",
    "account_status": "N",
    "expiration_date": "3006",
    "prn": "999166760171",
    "card_status": "N",
    "pan": "0854",
    "cad": 7777777
  },
  "transaction": {
    "transaction_initiator_code": "C101",
    "cardholder_present": "N",
    "recurring": "N"
  },
  "network": "Mastercard",
  "amounts": {
    "cashback_amount": "0.0",
    "local_currency_amount": "44.60",
    "upcharge_amount": "0.0",
    "billing_currency_amount": "44.60",
    "trans_amount": "44.60",
    "available_funds": "-52133.25",
    "billing_currency": "840",
    "currency": "840",
    "amt_til_limit": "14934.07",
    "local_currency": "840",
    "exchange_rate": "61000000",
    "fee_amount": "0.00"
  },
  "entry_type": "Card On File",
  "response_code": "51",
  "response_code_list": [
    "51"
  ],
  "emv": {
    "is_emv": false
  },
  "transaction_type": "Auth",
  "risk_score": "651",
  "version": "2.0",
  "partial_supported": false,
  "subnetwork": "Mastercard Banknet",
  "mti": "0100",
  "bai": null
}
Body Params

Information about the authorization request.

auth_type
string
enum
required

All transactions are grouped into three basic message types:

  • Auth — Authorization request. MTI x1xx (authorization or preauthorization over credit rails or preauthorization over debit rails) or x2xx (authorization over debit rails).
  • Advice — Notification of a completed transaction. MTI xx2x. Only a 00 response code is permitted.
  • Reversal — A reversal of a previous authorization. MTI x4xx. May or may not reference the previous authorization.
transaction_type
string
enum
required

The transaction type indicates at a lower level what kind of transaction this is. This field is used to differentiate merchant credits, ATMs, balance inquiries, etc.

  • Preauth — A preauthorization for an estimated amount. Often followed by a completion advice.
  • Auth — Conventional authorization request. Also used with advices and reversals.
  • ATM — ATM withdrawal.
  • Cash Advance — Cash advance from a teller.
  • Balance Inquiry — Balance inquiry from an ATM.
  • Merchant Credit — A credited amount from a merchant. Usually does not reference a previous authorization.
  • Adjustment — Debit adjustment, unrelated to a previous authorization. The merchant is adjusting a cardholder balance.
  • Payment — Loading funds onto a card.
  • Tokenization — A request to tokenize a card for use in a mobile wallet or a request from a merchant to validate a tokenized card for payment.
id
string
required

Unique identifier for this authorization.

Example: "DHWJtI8zRjuDcgF8hru3oQ"

timestamp
string
required

Date and time when the webhook was sent by Galileo.

Format is <timestamp><timezone>, where timestamp is YYYYMMDD:HHMMSS and timezone is always MST, which is Arizona time (GMT -0700).

Example: "20250315:121504MST"

network
string
enum
required

Card network name. Possible values:

  • Visa
  • Allpoint
  • Discover
  • Mastercard
  • Star
  • Pulse
subnetwork
string
enum
required

The subnetwork name. This is the same as network if there is no subnetwork. Possible values:

  • Visa
  • Visa Interlink
  • Visa PLUS
  • Mastercard Banknet
  • Mastercard Debit Switch
  • Discover
  • Allpoint
  • Star
  • Star MoneyPass
  • Star Presto
  • Pulse
account
object
required
amounts
object
required

The amounts are always unsigned. To calculate the sign for an amount, start with a factor of –1, and then apply another factor of –1 for each of the following criteria:

  • "auth_type": "Reversal"
  • "transaction_type": "Merchant Credit"
  • "transaction_type": "Payment"

Amount fields may not display a numeric value for non-active cards. Instead, the string "none" could be displayed.
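
The sign rule above, worked through in Python as an added example (not Galileo's code). The function names and the trimmed sample payloads are constructed for illustration; the field names and the three sign criteria come from this page.

```python
from decimal import Decimal, InvalidOperation

# Each criterion from the text above that matches flips the sign once.
SIGN_FLIPS = (
    ("auth_type", "Reversal"),
    ("transaction_type", "Merchant Credit"),
    ("transaction_type", "Payment"),
)


def amount_sign(payload):
    """Start with a factor of -1 and apply another -1 per matching criterion."""
    sign = -1
    for field, value in SIGN_FLIPS:
        if payload.get(field) == value:
            sign *= -1
    return sign


def parse_amount(raw):
    """Return a Decimal, or None for null, blank or the string "none"."""
    if raw is None:
        return None
    text = str(raw).strip()
    if text == "" or text.lower() == "none":
        return None
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"unparseable amount: {raw!r}") from None
    if not value.is_finite():
        raise ValueError(f"non-finite amount: {raw!r}")
    return value


def signed_trans_amount(payload):
    """Signed amounts.trans_amount, or None when no numeric value was sent.

    Only the transaction amount gets the computed sign: in the page's second
    sample, available_funds already carries its own minus sign.
    """
    value = parse_amount((payload.get("amounts") or {}).get("trans_amount"))
    return None if value is None else amount_sign(payload) * value


# Constructed payloads, trimmed to the fields used here.
PURCHASE = {"auth_type": "Auth", "transaction_type": "Auth",
            "amounts": {"trans_amount": "1.99"}}
REVERSED_CREDIT = {"auth_type": "Reversal", "transaction_type": "Merchant Credit",
                   "amounts": {"trans_amount": "44.60"}}
INACTIVE_CARD = {"auth_type": "Auth", "transaction_type": "Auth",
                 "amounts": {"trans_amount": "none"}}

if __name__ == "__main__":
    for sample in (PURCHASE, REVERSED_CREDIT, INACTIVE_CARD):
        print(sample["auth_type"], sample["transaction_type"],
              signed_trans_amount(sample))
```

Amounts are parsed with Decimal rather than float so that comparisons against limits are exact.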

mcc
integer
required

Merchant category code. This value does not include leading zeros.

Example: 5992

digital_commerce_data
object

Mastercard only. Contains data regarding a digital commerce transaction. Derived from DE048SE48. See Digital Commerce Solutions Indicators for more information.

merchant
object
required
mti
string
required

Message-type indicator, as defined by ISO 8583. See Message types in the Authorization Controller API guide.

Example: "0200"

transaction
object
required

Information about the transaction

validation_results
object
required
avs_data
object

When the authorization includes an AVS request, this object contains the data that Galileo used to calculate the AVS response.

boolean
required
response_code
string
required

Authorization response code, which specifies whether a transaction is approved or denied. See the Authorization Response Codes enumeration for possible values.

Example: "05"

auth_id
integer
required

Galileo-generated ID for the authorization. Use this ID to track the transaction throughout the Galileo system. For an explanation of how these IDs are generated, see Authorization identifiers in the Transaction IDs guide.

Example: 13371854

partial_supported
boolean
required

Whether the merchant supports partial authorizations.

stip
object

This object is present when a STIP transaction is processed by the network. See Stand-in processing in the Authorization Controller API guide for more information.

incremental_auth
boolean

If this authorization is part of an incremental sequence, this field is true and original_id contains the auth_id of the previous authorization in the sequence.

entry_type
string
enum
required

Method of entering the PAN, also known as POS entry mode. See DE022 Codes to correlate with the numerical values. Possible values:

  • Card Not Present — Online, mail order or telephone order
  • Card On File — Mastercard only. Card number is kept on file
  • E-Commerce — Mastercard only. The card was used on an ecommerce site
  • EMV Chip — The card has an EMV chip that was inserted in an EMV slot
  • EMV Contactless — Contactless transaction with EMV chip card
  • EMV Fallback — Unable to use the EMV chip: fallback to magstripe
  • Magnetic Stripe — The magnetic stripe was read
  • Contactless — Contactless transaction with magstripe card
  • Manual — Manually entered information
  • Other — None of the above
pin_entry_capability
string
enum

Condition of the PIN pad at the point of sale. See DE022 Codes to correlate with the numerical values. Possible values:

  • Capable — Terminal has PIN-entry capability
  • Incapable — Terminal has no PIN-entry capability
  • Inoperative — Terminal has PIN-entry capability but it is not working
  • Other — Unknown PIN-entry capability, or not applicable.
payment_info
object

When transaction_type is Payment, the name of the sender and fund source, if provided in the request.

original_id
integer

The auth_id of a previous authorization that is linked to this authorization. For reversals or completions, this is the auth_id of the authorization that is being reversed or completed. For incremental sequences, this is the auth_id of the previous authorization in the sequence.

Example: 13663253

risk_score
string

The risk score provided by the network. Mastercard range: 0–999, Visa range: 01–99. Higher values indicate higher risk. Product settings determine whether the threshold was exceeded.

Example: "23"
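
One way to turn auth_type, response_code and risk_score into the response body, as an added example (not Galileo's code). It assumes the response carries only response_code, uses "05" as its decline code, and applies a hypothetical max_risk threshold; the Advice rule and the per-network score ranges are the ones stated on this page.

```python
APPROVE = "00"
DECLINE = "05"  # assumption: decline code chosen for this sketch

# risk_score ranges per network, as stated on this page.
RISK_RANGE = {"Mastercard": (0, 999), "Visa": (1, 99)}


def normalized_risk(payload):
    """Scale risk_score to 0.0-1.0 within its network's range, else None."""
    bounds = RISK_RANGE.get(payload.get("network"))
    raw = payload.get("risk_score")
    if bounds is None or not isinstance(raw, str):
        return None
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        return None  # null, blank or non-numeric: no usable score
    low, high = bounds
    score = int(text)
    if not low <= score <= high:
        return None
    return (score - low) / (high - low)


def decide(payload, max_risk=0.8):
    """Build the HTTP response body; max_risk is a hypothetical policy knob."""
    if not isinstance(payload, dict):
        return {"response_code": DECLINE}  # fail closed on a malformed body
    if payload.get("auth_type") == "Advice":
        return {"response_code": APPROVE}  # only 00 is permitted for advices
    current = payload.get("response_code")
    if not (isinstance(current, str) and current.strip()):
        return {"response_code": DECLINE}  # code missing, null or blank
    if current != APPROVE or payload.get("auth_type") != "Auth":
        return {"response_code": current}  # leave Galileo's decision in place
    risk = normalized_risk(payload)
    if risk is not None and risk > max_risk:
        return {"response_code": DECLINE}  # override an approval to a decline
    return {"response_code": APPROVE}


# Constructed payloads, trimmed to the fields used here.
LOW_RISK = {"auth_type": "Auth", "network": "Mastercard",
            "risk_score": "1", "response_code": "00"}
HIGH_RISK = {"auth_type": "Auth", "network": "Mastercard",
             "risk_score": "950", "response_code": "00"}
ALREADY_DECLINED = {"auth_type": "Auth", "network": "Mastercard",
                    "risk_score": "651", "response_code": "51"}
ADVICE = {"auth_type": "Advice", "network": "Visa",
          "risk_score": "98", "response_code": "00"}
```

The handler never turns a code Galileo computed as a decline into an approval, and anything it cannot parse results in a decline rather than a default approval.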

string | null
enum

If this is a tokenized transaction, its type. Possible values:

  • Apple Inc
  • Google Inc.
  • Masterpass
  • Merchant
  • Microsoft
  • Samsung Corporation
  • Visa Checkout
rules_denied
array of strings

Valid only when using Galileo's fraud-rules engine. List of fraud rules that caused a decline. Set the RULAP product parameter to receive these rules.

Example: ["hr_crypto:DENY", "intl_cnp_ecom:DENY"]

rules_warned
array of strings

Valid only when using Galileo's fraud-rules engine. List of fraud rules that caused a warning. Set the RULAP product parameter to receive these rules.

Example: ["dom_cp:WARN"]

response_code_list
array of strings
required

List of response codes that Galileo has computed. This list does not contain "00". May be empty.

Example: ["05", "51"].

bai
string

Business application identifier. Visa only. See the Business Application Identifier enumeration for possible values.

Example: "FD"

risk_code
string

Mastercard only. Fraud reason code. Indicates the key factors that influenced the value in risk_score.

Example: "58"

ecommerce
object
required

This object contains information related to 3DS authentication, if the website supported 3DS. Included in this information is the result of validating the AAV for Mastercard or the CAVV for Visa. For detailed information about these fields, refer to The ecommerce object in the 3-D Secure Access Control Server guide.

eligible_for_balance_return
boolean
required

Whether the cardholder's balance can be returned. This field is always true when transaction_type: Balance Inquiry. See Balance-inquiry responses in the Authorization Controller API guide for information on returning balances in the response to this message.

emv
object
required

Additional EMV information. Also see EMV entry types under entry_type and EMV-related fields under validation_results.

version
string
required

Auth API version of this webhook.

Example: "2.0"

iias_info
object

Visa only. Indicates whether the item or service being purchased is an eligible medical expense. Data from Field 54 and Field 62. This object is present only when IIAS information is included with the authorization request. For more information, see IIAS fields in the API Field Detail guide.

advanced_auth_api_fields
object

Selected subfields parsed from the ISO 8583 message. These fields are sent only when ADVAF is set and only by arrangement with Galileo. See Advanced Auth API Fields for more information.

Example: "advanced_auth_api_fields": {"61": {"subfield 1": <raw subfield contents>, "subfield 2": <raw subfield contents>}}

tar_info
object

Tokenization authorization request (TAR) data is provided by the network during mobile wallet provisioning. The following are the subfields in a tokenization authorization request. Note the distinctions between Mastercard and Visa networks.

For enhanced provisioning security based on some of these fields, see Enhanced provisioning security in Setup for Mobile Wallets.

If you do not receive this data for provisioning approved BINs, contact Galileo for assistance.

fleet_info
object

Information that is provided for cards with fleet-card BINs, which are Mastercard only. See Fleet Cards for more information.

aifi_fields
object

Colombia only. Information related to ATM issuer-fee inquiries.

string | null

Mastercard only. Contains the supported merchant advice code (MAC), if applicable: 03, 40, 41, or 43. The GMACD parameter must be set to Y to enable MAC decisioning.

fraud_results
object

Mastercard only. Contains the results from the Mastercard Fraud Rule Management Service. If you subscribe to this service, ask Galileo to enable this object. Consult the documentation from Mastercard for DE048SE56 to interpret the values.

fraud_scoring_data
object

Mastercard only. DE048SE75. Contains the results from Mastercard's Expert Monitoring, Fraud Scoring Service, or Decision Intelligence (DI) service. If you subscribe to any of these services, ask Galileo to enable this object. Consult the documentation from Mastercard for your service to interpret the values.

digital_payment_data
object

Mastercard only. DE104SE4. Contains the results from Mastercard's Token Authentication Framework (TAF) program. If you subscribe to Mastercard's Expert Monitoring, Fraud Scoring Service, or Decision Intelligence (DI) service, ask Galileo to enable this object to use for decisioning. Consult the documentation from Mastercard on DE104 Subelement 004 to interpret the values.

integer

The auth_id of the previous authorization in an incremental sequence when incremental_auth: true. This field contains the same information as original_id and is present only by request.

Example: 13371854

integer

The auth_id of the first authorization in an incremental sequence when incremental_auth: true. This field is present only by request.

Example: 13369203

string | null

Visa only. A score for CNP transactions to evaluate risk of enumeration attacks. Field 104, Dataset 5B, Tag 85. Valid values are 01-99 or null. Lower scores mean less risk.

Example: "24"

relay_resistance_protocol_data
object

Mastercard only. DE048SE71. For tokenized (mobile wallet), contactless transactions, this is information captured at the terminal related to the possibility of relay attacks. For valid values, see Relay Resistance Protocol Data.

service_processing_type
string | null

Visa only. Service processing type for scheduled, deferred OCTs. See Service Processing Types for valid values. Field 104 Dataset 57 Tag 80.

Example: "03"

visa_atm_managed_services
object

Visa only. Managed-service information. Field 111 Dataset 02.

boolean

Visa only. Whether this is a direct in-person tap transaction. Applies only to OCTs and AFTs. Field 34.

vdcap_info
object

Visa only. VDCAP information from Field 34, Field 56, and Field 111.

credit_info
object

Contains information related to credit accounts.

mastercard_transaction_id_data
object

Mastercard only. Derived from DE105, Multi-Use Transaction Identification Data. Contains the TLID, which is globally unique in a distributed environment and used as a single unique reference to perform matching and linking of all message activity

Headers
uuid
required

A unique identifier for the HTTP request.


© Galileo Financial Technologies, LLC 2026