#jonah11

1. Don't test with real cards, ever.

It's against card network rules

2. Can you share an API request ID for this? It will start with req_

Here's how you can find a request ID: https://support.stripe.com/questions/finding-the-id-for-an-api-request

That link says:

You can find a log of API requests in your dashboard by navigating to Developers >> Logs (note: this will link to your dashboard in test mode),

Note that I was doing this in production. When I say "test" I was using my real card doing a real purchase. We weren't breaking any rules.

So perhaps I should have phrased it as "I was making a purchase today, and ...."

I just happen to also be a developer on the product in question.

I can give you a paymentIntentId, would that help?

Sure

pi_3NgZnQJGX8SkE3XN04PrjHBM

Okay

1. Payment intent created: https://dashboard.stripe.com/logs/req_XofVYUUNHbgXN8
2. Confirmation triggers 3DS: https://dashboard.stripe.com/logs/req_BLH9C7MmJxQjl4
3. 3DS Fails: https://dashboard.stripe.com/events/evt_3NgZnQJGX8SkE3XN0To8KG3y

Right. But I never saw any popup. That's what I am confused by.

That is up to the issuing bank. They may have decided to decline it without allowing you to authenticate.

Ok, I didn't know this was a possibility and haven't seen it before. Also, as a counter argument to consider, I did the get popup on the same account, same phone, same card, both 2 times before and once after.

So while I don't rule out your hypothesis, is it possible something went wrong internal to the SDK. We have low level info on all network requests made by the app via our analyitcs lib embrace, let me show two screenshots that are relevant:

Image of trace for my transaction with no popup:

Image of trace for typical transaction that shows popup. Notice how in this case we enter a web view right after the GET to q.stripe.com:

Hi, stepping in and catching up

ty

Yeah, the issuing banks decide if they need 3DS authentication for that transaction. Stripe does not control this.

Also, as my teammate stated it's prohibited to test live card to test things, https://stripe.com/docs/testing#use-test-cards

Do not use real card details. Testing in live mode using real payment method details is prohibited by the Stripe Services Agreement, which permits business use only. Use your test API keys and the card numbers below.

Instead, I recommend that you use these cards, https://stripe.com/docs/testing#regulatory-cards to test

Yeah, the issuing banks decide if they need 3DS authentication for that transaction. Stripe does not control this.
Again, I understand that stripe does not control the 3ds decision. That is not my question.

My question is, how can I fail 3ds secure without even seeing a challenge?

Let me test this

From looking at the payment intent you shared, it does look like you were directed to compelete authetntication: https://dashboard.stripe.com/logs/req_94X0rbxl0KMqni

and if you look at the response of the request, you can see the 'state: failed'

Was there another example that I might have missed?

did you look at the screenshots?

the server logs are not reflecting what i experienced as an end user on the app. that is the whole issue.

What do you expect? Instead of the screenshot, can you clearly lay it out?

i expect to see a 3ds popup. sometimes they have a direct challenge (like a 2fa via email or text). sometimes they just open and say "authentication complete" and you close them. but if you are in the challenge flow, whether you pass or fail, you see something. Up until now, that has been the case for me over many real transactions, and the case for everyone at the company. We probably have data on hundreds of transactions in production from people we know reporting on their 3ds experience, and no one has ever reported this before.

what does 'but if you are in the challenge flow, whether you pass or fail, you see something. ' mean?

you see a popup