Skip to main content

Adyen 3DS Configuration Guide

M
Written by Mark Robert Turner

Adyen Customer Area

Add Allowed Origins

The Adyen Web SDK requires that the checkout page’s origin/domains are whitelisted. Without this, 3DS fingerprinting will fail silently.

  1. Go to Developers > API credentials > [your credential]

  2. Under Client-side authentication > Allowed origins, add every domain that hosts the checkout page:

    • Production URL Example:

      • catering.sarahssweets.com

      • order.sarahsweets.com

Note: If a partner has multiple URLs to accommodate multiple countries. This action must be done for every market production URL.

Example:

This must match window.location.origin on the checkout page. iOS and Android do not require allowed origins.

Get the Client Key

The client key is returned to clients alongside the 3DS action so they can initialize the Adyen SDK. It is separate from the API key.

  1. Go to Developers > API credentials > [your credential]

  2. Under Client-side authentication, copy the Client key

  3. Set it in chainConfig as adyen_client_key (see below)

Test client keys start with test_, live keys start with live_.

Note: This action is only done once.

Dynamic 3DS Rules

Adyen controls whether a transaction requires a 3DS challenge. The default rule in test mode is “Prefer Not” (most transactions go frictionless).

To force challenges during testing:

  1. Go to Risk > Dynamic 3D Secure

  2. Set the default rule to Always for the test environment

  3. Revert before going live


Lunchbox Admin Backend

Chain Config Settings

Add to the CCProcessing section of the chain’s config:

Key

Value

adyen_client_key

Client key from Adyen Customer Area (e.g. test_ABC123...)

How 3DS Is Enabled

No feature flag is needed. When the Adyen gateway is active and adyen_client_key is set, the gateway automatically adds payer_authentication_config: { provider: "adyen" } to the payment method returned to clients. Clients use this to detect that 3DS is supported and include the required payer_authentication fields on payment calls.

Sending payer_authentication data on transactions where Adyen does not trigger 3DS is harmless — Adyen ignores the extra fields.


Checklist

  • [ ] Checkout domain(s) added to Allowed Origins in Adyen Customer Area

  • [ ] adyen_client_key set in chainConfig

  • [ ] Verify 3DS challenge appears in test mode (set Dynamic 3DS rule to Always)

  • [ ] Verify redirect fallback works (use force_redirect: true per implementation guide)

  • [ ] Revert Dynamic 3DS rule before going live

Did this answer your question?