# Transactions and 3D Secure

Use transaction APIs for customer-facing views and webhook events for backend synchronization. The Card Issuing API exposes transaction history, transaction details, pending 3D Secure challenges, and challenge response.

## List transactions

```bash
curl "https://issuing-stage.xmoney.com/v1/transactions?page=1&size=20" \
  -H "Authorization: Bearer CUSTOMER_ACCESS_TOKEN"
```

You can filter by `type`, `status`, `startDate`, and `endDate`.

Retrieve one transaction:

```bash
curl "https://issuing-stage.xmoney.com/v1/transactions/TRANSACTION_ID" \
  -H "Authorization: Bearer CUSTOMER_ACCESS_TOKEN"
```

## List pending 3D Secure challenges

```bash
curl "https://issuing-stage.xmoney.com/v1/transactions/3d-secure" \
  -H "Authorization: Bearer CUSTOMER_ACCESS_TOKEN"
```

## Respond to a 3D Secure challenge

```bash
curl -X PATCH "https://issuing-stage.xmoney.com/v1/transactions/3d-secure/TRANSACTION_AUTH_ID" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer CUSTOMER_ACCESS_TOKEN" \
  -d '{
    "authType": "pinCode",
    "authStatus": "success"
  }'
```

`authType` identifies the customer authentication method. Possible values are `pinCode`, `pattern`, `other`, `faceRecognition`, and `fingerprint`.

`authStatus` is the result submitted by your app. Possible values are `success`, `failed`, `canceled`, and `timeout`.

## Webhook synchronization

Use webhooks to update backend state when transactions are created, settled, require 3D Secure, or complete 3D Secure. Your backend should deduplicate webhook events, verify the signature, and process updates asynchronously.