Stripe decline code
authentication_requiredThe card issuer requires Strong Customer Authentication (3D Secure) before the charge can proceed.
Type
Recoverable
Frequency
Commonauthentication_required is a European-driven decline under PSD2/SCA regulations. The customer has to complete a 3D Secure challenge with their bank before the charge can go through. For recurring SaaS subscriptions, this usually happens on the first charge or when the bank decides to re-challenge. Once the customer authenticates, subsequent charges can be exempted under MIT (merchant-initiated transaction) rules.
Do not retry without authentication. Instead, use Stripe's authenticate flow: create a SetupIntent or PaymentIntent with confirm: false, redirect the customer to the 3DS challenge, and charge on success. Stripe supports sending the customer a secure off-session authentication link.
Explain that the bank requires an extra verification step and send a secure link to authenticate. Typical UX: a redirect to the bank's 3DS page or an in-app modal.
Bank requires extra verification (like 3D Secure). Recoverable once the customer authenticates.
Strong Customer Authentication, a requirement under the European PSD2 regulation. Most European cards and some UK cards require 3D Secure challenges for online purchases.
Yes for the renewals. If the first charge is authenticated with 3DS, subsequent recurring charges qualify as MIT and can be exempted from SCA. Use Stripe's off_session flag.
How Rebounce handles authentication_required
Rebounce classifies every failed payment by its Stripe decline code and applies the optimal recovery strategy automatically. For authentication_required, that means intelligent retries at the right times. Multi-channel follow-up through email, SMS, WhatsApp, and in-app banners ensures the customer actually sees the message.