SCA Widget


The SCA widget is a NewDay-hosted feature enabling your customers to confirm their identity with higher security authentication. Embed the SCA widget into your checkout journey.


Easy to implement

Embed the provided iFrame code into your UI to verify your customer identity before they spend.


The widget securely connects to NewDay’s SCA servers to identify your users via a range of possible methods (e.g. OTP).


The styling can be configured as required, including: fonts, primary and secondary colours, input field border radius, button borders and border radius.

Embed the SCA Widget

The SCA widget is embedded onto your site using an iFrame when you want 2-step authentication for your customer before they complete a payment.

Below is an example of how to add the widget to your website:


1  <iframe src="[brand]/identity?redirect_uri=<scaToken>"></iframe>

The widget accepts the following parameters in the iFrame source URL:

redirect_uriRequired. Specifies where the user is redirected in some scenarios (more details below). You choose the page the user is redirected to.
scaTokenRequired. An encrypted JWT token that contains all the information needed by the SCA widget to initilaise and complete the authentication.

For example after the user has successfully confirmed their identity, the widget posts serialized data back to the redirect_uri provided in the query string.

The src of the iFrame, including the scaToken, will be in the payload of the response from Order Processing on the first authentication attempt.

Data returned by the widget must be deserialized before usage.

The following is a C# example on how to deserialize the data:

var payload = JsonConvert.DeserializeObject<Object>(formData["payload"])

Successful authentication

When a user has successfully authenticated, the widget posts back the following data to the redirect_uri provided in the query string:

  scaToken: '<scaToken>',
  success: true,
  status: 'authenticated',
  message: 'User successfully authenticated',

Not my number

If the mobile number that the OTP would be sent on is not the user's number, the user can click on "That's not my number". The SCA widget will send this payload to redirect_uri:

  scaToken: '<scaToken>',
  status: 'notMyNumber',
  errorMessage: 'User number incorrect.',

401 - Customer cannot be authenticated

At any point in the journey, an API call can return a 401 with a authenticationFailed type. This means that the authentication failed and the user is locked out. The SCA widget doesn't handle this directly but sends a payload to redirect_uri:

  scaToken: '<scaToken>',
  success: false,
  status: 'authenticationFailed',
  errorMessage: 'User account locked.',

401 - Token expired

If the access token expires at any point during the journey, the next API call will return a 401 with an accessTokenInvalid type. The SCA widget doesn't handle this directly but sends a payload to redirect_uri:

  scaToken: '<scaToken>',
  success: false,
  status: 'accessTokenInvalid',
  errorMessage: 'Access token expired.',

500 - Technical error

If an API call returns an unexpected response at any point in the journey (anything above a 403), the widget will show an error page. The user can decide to try again or close the widget. In the latter case they will be redirected to redirect_uri with this payload:

  scaToken: '<scaToken>',
  status: '500',
  errorMessage: 'Technical Error.',


The following elements can be configured by NewDay to match your site:

  • Page titles (can either be displayed or hidden)
  • Fonts
  • Font size
  • Font colour
  • Background colours
  • Input fields border width
  • Input fields border radius
  • Input fields border colour
  • CTA colour
  • CTA copy
  • CTA border-radius
  • CTA border
  • CTA border width
  • CTA border-colour

Still have questions

Can’t find the answer to your question? Our friendly team are more than happy to help

Was this page helpful?

© NewDay 2022. All rights reserved.

Cookie PolicyPrivacy PolicyTerms of UseSupport