Skip to content

AuthCore authorization request and response

Authorization Request

The AuthCore service receives an authorization request from a Processor, translates it via a dedicated Connector into the format expected by AuthCore, and returns a response that the Connector forwards back to the Processor.

To AuthCore authorization request can be translated Enfuce Outgoing authorisation control webhook endpoint requests.

Authorization Request payload

'{
 "messageReferenceId": "Swagger:8730087654",
 "authRecordReferenceId": "Swagger:050374233372867492",
 "authRecordActionReferenceId": "Swagger:753244",
 "dateTime": "2025-12-09T15:46:03.741Z",
 "localTransactionDateTime": "2025-12-09T15:46:03.741Z",
 "cardId": "99055900",
 "truncatedPan": "4511XXX0001",
 "cardExpiration": "2048-04-30T21:59:59Z",
 "tokenId": "230709108342892084",
 "accountId": "1000019953.CZK",
 "transactionType": "RTL",
 "reqType": "BASE",
 "advice": false,
 "negativeAdvice": false,
 "negativeAdviceSimpleResponseCode": "APPROVED",
 "authRecordTimestamp": "2025-12-09T15:46:03.741Z",
 "authRecordFlags": "BASE",
 "transactionAmount": 100,
 "transactionCurrencyCode": "CZK",
 "cardholderBillingCurrency": "CZK",
 "cardholderBillingAmount": 100,
 "restrictionTransactionFlags": [],
 "fundsReservationDays": 7,
 "retrievalReferenceNumber": "225511227777",
 "cardAcceptorId": "DOBI-CAFE-01",
 "cardAcceptorTerminalId": "T1",
 "cardAcceptorName": "Dobito cafe",
 "cardAcceptorCity": "Prague",
 "cardAcceptorCountryCode": "CZ",
 "cardAcceptorBusinessCode": 5812,
 "cardAcceptorState": "CZ",
 "cardAcceptorZip": "11000",
 "acquirerId": "7777777"
 }'
Parameter Location Type Example Description Required
accept Header string */* Desired response media type. Yes
x-idempotency-key Header string 1 Guarantees safe retries. No
x-tenant Header string 1 Tenant identifier (multi‑tenant deployments). No
messageReferenceId Body string 8730087654 Unique identifier for the incoming message (used for tracing). Yes
authRecordReferenceId Body string 050374233372867492 Identifier of the auth record in the upstream system. Yes
authRecordActionReferenceId Body string 753244 Identifier of the specific action within the auth record. Yes
dateTime Body string 2025-12-09T15:46:03.741Z Timestamp of the request (when the message was created). Yes
localTransactionDateTime Body string 2025-12-09T15:46:03.741Z Local transaction timestamp (usually the same as dateTime). Yes
cardId Body string 99055900 CMS internal card identifier. Yes
truncatedPan Body string 4511XXX0001 Masked PAN (e.g., 4511XXX0001). No
cardExpiration Body string 2048-04-30T21:59:59Z Card expiration date/time. No
tokenId Body string 230709108342892084 Identifier of the token (if tokenised). No
accountId Body string 1000019953.CZK Account identifier in the form <accountExternalId>.<currency> (e.g., 1000019953.CZK). No
transactionType Body string RTL Transaction type code (RTL, ECP, ECR, …). Yes
reqType Body string BASE Request type (BASE…). Yes
advice Body boolean false Advisory flag – true if advisory processing is requested. Yes
negativeAdvice Body boolean false Negative‑advice flag. Yes
negativeAdviceSimpleResponseCode Body string APPROVED Simple response code for negative advice (e.g., APPROVED). No
authRecordTimestamp Body string 2025-12-09T15:46:03.741Z Timestamp when the auth record was created. Yes
authRecordFlags Body string BASE Flags describing the auth record (e.g., BASE). Yes
transactionAmount Body number 100 Amount of the transaction in the transaction currency. Yes
transactionCurrencyCode Body string CZK ISO‑4217 currency code of the transaction (e.g., CZK). Yes
cardholderBillingCurrency Body string CZK Currency used for card‑holder billing. No
cardholderBillingAmount Body number 100 Amount in the card‑holder billing currency. No
restrictionTransactionFlags Body array of strings [] List of restriction flags that apply to the transaction (empty array if none). Yes
fundsReservationDays Body integer 7 Number of days for which funds are reserved. No
retrievalReferenceNumber Body string 225511227777 Retrieval Reference Number (RRN) assigned by the acquirer. No
cardAcceptorId Body string DOBI-CAFE-01 Merchant identifier (e.g., DOBI-CAFE-01). No
cardAcceptorTerminalId Body string T1 Terminal identifier at the merchant. No
cardAcceptorName Body string Dobito cafe Merchant name. No
cardAcceptorCity Body string Prague City where the merchant is located. No
cardAcceptorCountryCode Body string CZ ISO‑3166‑1 alpha‑2 country code of the merchant (e.g., CZ). Yes
cardAcceptorBusinessCode Body integer 5812 Merchant Category Code (MCC). Yes
cardAcceptorState Body string CZ State/province of the merchant. No
cardAcceptorZip Body string 11000 Postal/ZIP code of the merchant. No
acquirerId Body string 7777777 Identifier of the acquiring bank/network. No

Authorization Response

Authorization response is translated by the Connector and provided back to Processor.

Authorization response structure

"response": {
   "rawData": "abcdef",
   "rawMessage": {
        "@type": "/cz.dobito.JsonObject",
        "typeId": "cz.dobito.authcore.connector.httpDirect.HttpDirectAuthorizationRes",
        "value": {
   "approved": true,
   "authorizationResult": "APPROVED"
    }
  }
}
Parameter Location Type Example Description Required
response.rawData Body string "abcde" Raw payload returned by AuthCore. Yes
response.rawMessage.@type Body string "/cz.dobito.JsonObject" Fully qualified type identifier used by the downstream system to deserialize the message. Yes
response.rawMessage.typeId Body string "cz.dobito.authcore.connector.httpDirect.HttpDirectAuthorizationRes" Specific class name that indicates the message schema for the authorization response. Yes
response.rawMessage.value.approved Body boolean true Indicates whether the transaction was approved (true) or declined (false). Yes
response.rawMessage.value.authorizationResult Body string "APPROVED" Human‑readable result code (e.g., APPROVED, DECLINED). Mirrors the approved flag but provides a textual status for logging or UI display. Yes