At Swan, consent is built in. This is quite special, because other BaaS providers have their clients do it themselves. Setting up consent can be a real bother... We are happy to take it off your hands.


Some operations at Swan, such as initiating a payment, are sensitive and require user consent. This is obtained by sending a text message to the user. The user then consents via the web browser.
To protect the user and comply with legal requirements, consent can be given through Strong Customer Authentication.

Strong Customer Authentication

Strong Customer Authentication (SCA) is a requirement that the EU Revised Directive on Payment Services (PSD2) places on payment service providers within the European Economic Area. It ensures that electronic payments are performed with multi-factor authentication, to increase their security.
When integrating SCA, the consentUrl and oAuthUrl shouldn't be displayed in an iFrame. When clicked, the links should respect one of the following behaviors:
  1. The link opens a pop-up that redirects the user to another page. Upon redirect, the pop-up closes automatically.
  2. The link opens within the same page, then redirects the user to the rest of the flow.
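
One way to implement the two permitted behaviors in browser JavaScript, as an added example that is not Swan's code. CONSENT_ORIGIN, the function names and the message type are hypothetical, and the page the pop-up is redirected to is assumed to share the opener's origin.

```javascript
// Added example: every name here except consentUrl is hypothetical.
// CONSENT_ORIGIN is a placeholder; set it to the origin of the consentUrl values your API calls return.
const CONSENT_ORIGIN = "https://consent.example";

// Accept only an https URL on the expected origin; returns the parsed URL or throws.
function checkConsentUrl(consentUrl, expectedOrigin = CONSENT_ORIGIN) {
  let url;
  try {
    url = new URL(consentUrl);
  } catch {
    throw new Error("consentUrl is not a valid absolute URL");
  }
  if (url.protocol !== "https:" || url.origin !== expectedOrigin) {
    throw new Error("consentUrl does not point at the expected consent origin");
  }
  return url;
}

// mode "popup" is behavior 1 (pop-up), mode "same-page" is behavior 2 (navigate the page).
// `win` is injectable so the logic can be exercised outside a browser.
function startConsent(consentUrl, mode, win = globalThis.window) {
  const url = checkConsentUrl(consentUrl);
  if (mode === "same-page") {
    // Navigate the top-level page so consent never renders inside a frame.
    win.top.location.assign(url.href);
    return { mode, popup: null };
  }
  if (mode !== "popup") throw new Error("unknown mode: " + mode);
  const popup = win.open(url.href, "consent", "popup,width=480,height=720");
  if (!popup) {
    // Pop-up blocked: fall back to behavior 2 rather than embedding an iframe.
    win.top.location.assign(url.href);
    return { mode: "same-page", popup: null };
  }
  return { mode, popup };
}

// Run on the page the pop-up is redirected to: notify the opener, then close the pop-up.
function finishConsentInPopup(win = globalThis.window) {
  if (!win.opener) return false; // same-page flow: there is no pop-up to close
  win.opener.postMessage({ type: "consent-finished" }, win.location.origin);
  win.close();
  return true;
}
```

Call `startConsent` from a click handler so the browser treats the pop-up as user-initiated.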

SCA on mobile

When Strong Customer Authentication is necessary, users can consent from their mobile devices. They'll receive a text message requesting their consent. Then, the user must enter their 6-digit security passcode or use biometrics when available.
If the end user doesn't receive a text message, they can either request the text message be sent again or consent by scanning a QR code.
Example of FaceID used to validate a transfer

Sensitive operations

To perform sensitive operations by API, you need to be authenticated with an accessToken. You can use either a user access token in the name of the user wanting to make the payment, or a project access token impersonating that user.
The following mutations concern sensitive operations, and could require consent: