Home / Issuing / Control Authorizations

Collaborative Authorization

Overview

Collaborative authorization empowers you to approve or decline transactions in real time based on your business logic. The following steps outline an example of how collaborative authorization typically works on a card product:

  1. An account holder makes a purchase.
  2. The account holder's purchase is sent to Highnote and passed through your business logic, for example, your configured spend rules.
  3. If the purchase passes your business logic, an HTTPS POST request is sent to your configured collaborative authorization endpoint for approval.
  4. You respond to the request with an approval or denial decision.
  5. The authorization response is sent to the merchant with the decision.

These steps are outlined in the following graphic:

collab-auth-diagram-a.svg

This guide covers how to configure and activate a collaborative authorization endpoint, verify requests, make real-time authorization decisions, and simulate authorizations in the test environment.

Enable the feature

Note: Collaborative authorization is self-service in your test environment. In the live environment, the Highnote team must enable the feature for your product.

To start using collaborative authorization, you must complete the following steps:

  1. Have the Highnote team enable the feature for your card product. For more information, contact support@highnote.com.
  2. Register a collaborative authorization endpoint.
  3. Activate the collaborative authorization endpoint.
  4. Configure your request and response process.
  5. Optional - Test the feature.

Manage endpoints

You can manage collaborative authorization endpoints using the Highnote dashboard or API.

via the dashboard

For information on managing your collaborative authorization endpoints using the Highnote dashboard, see the Collaborative authorization support guide.

via the Highnote API

Refer to the following guidelines when managing collaborative authorization endpoints using the Highnote API:

  • You can have up to five collaborative authorization endpoints, but only one endpoint can be active at a time.
  • Collaborative authorization requests are sent as HTTPS POST requests with JSON bodies. The following headers will be included on each request:
    • user-agent: HightnotePlatform/1.0.0
    • highnote-signature: The result of computing an HMAC 256 signature of the request body
    • content-type: application/json

Register an endpoint

You can use the following mutation to register and add a collaborative authorization endpoint. By default, collaborative authorization endpoints are inactive at creation. Refer to the following requirements when registering a collaborative authorization endpoint:

  • Make the endpoint highly available.
  • The endpoint must be capable of returning a 2XX response. All other status codes will result in the transaction being declined.
  • The endpoint requests and responses must be served via HTTPS.

Activate an endpoint

Warning: Activating an endpoint will automatically deactivate any existing ACTIVE endpoints. Only one endpoint can be ACTIVE at a time.

Once a collaborative authorization endpoint has been registered, you must activate and verify it. Use the following mutation to activate a collaborative authorization endpoint:

Request and response guidelines

Warning: The collaborativeAuthorizationRequest.id is an idempotent key. In the event of a retry, Highnote will resend the same request to your collaborative authorization endpoint with the same id.

Note the following guidelines for handling collaborative authorization requests and responses:

  • You have up to two seconds to respond to a collaborative authorization request with an approval or denial decision.
  • Returning any HTTP response code except 2XX will cause the collaborative authorization request to fail and trigger your default authorization settings.
  • Failure to respond to a request within two seconds will cause the collaborative authorization request to fail and trigger your default authorization settings.

Request body

A collaborative authorization request is an HTTPS POST request with a JSON body. A collaborative authorization request body has several Amount fields relating to a transaction's money movement. These Amount fields may differ from one request to another.

Refer to the following table for an overview of the various Amount fields in a request body:

FieldDescriptionNotes
transactionAmountThe amount of money processed in the transactionDisplayed in the cardholder's currency
settlementAmountThe amount of money settled in HighnoteDiffers from transactionAmount when both fields are in different currencies. For example, if a transactionAmount reflects funds in EUR, the settlementAmount will reflect USD and differ.
requestedAmountThe amount of funds requested from the network for the transactionDisplayed in USD and includes surcharge fees

Request body example payload

The following code snippet provides an example of a collaborative authorization request body:

Example collaborative authorization response payload

Response

Collaborative authorization reponse bodies may have the following fields:

FieldDescription
transaction.idUnique identifier of the transaction
reponseCodeTransaction authorization response
authorizedAmountAn Amount object

For a full list of collaborative authorization response codes, see the CollaborativeAuthorizationReponseCode API reference.

Approved response

When your endpoint responds with the following payload, an AuthorizationEvent will reflect a status of APPROVED. The following code snippet provides an example APPROVED response body:

Approved response body

Partial amount approved response

Note: For partial approvals, the authorizedAmount cannot be greater than the requestedAmount and must be expressed in the same currency.

When your endpoint responds with the following payload, an AuthorizationEvent will reflect a status of PARTIAL_AMOUNT_APPROVED. The merchant must report whether their point of sale can accept a partial amount via the terminalSupportsPartialApproval field in the pointOfSaleDetails object:

Partial amount approved response

Declined response

When you need to decline an AuthorizationEvent, your endpoint will pass back an appropriate response code reflecting why your system declined the authorization:

Decline response

Response codes

During collaborative authorization, when Highnote receives an authorization from the payment network, Highnote responds with one of three initial response codes:

  • APPROVED
  • PARTIAL_AMOUNT_APPROVED
  • DO_NOT_HONOR

You will see only see a collaborative authorization request in your system if Highnote sends an APPROVED or PARTIAL_AMOUNT_APPROVED response. When your system responds to the collaborative authorization request, the resulting response code from Highnote's platform follows the pattern described in the following tables.

Approved response codes

The following table provides an overview of scenarios when Highnote provides an APPROVED response to a IssuerPreliminaryAuthorizationEvent:

Initial Highnote responseYour system's responseFinal Highnote platform response code
APPROVEDYour system returns an APPROVED response without authorizedAmount or with authorizedAmount equal to requestedAmountAPPROVED
APPROVEDYour system returns an APPROVED response with authorizedAmount less than requestedAmount and the POS supports partial approvalPARTIAL_AMOUNT_APPROVED
APPROVEDYour system returns an APPROVED response with authorizedAmount less than requestedAmount and POS does not supports partial approvalDO_NOT_HONOR
APPROVEDYour system returns an APPROVED response with authorizedAmount more than requestedAmountDO_NOT_HONOR
APPROVEDYour system responds with an APPROVED response and authorizedAmount is not equal to requestedAmount and POS does not support partial approvalDO_NOT_HONOR
APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response without authorizedAmountAPPROVED
APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED reponse with authorizedAmount equal to requestedAmountAPPROVED
APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED reponse with authorizedAmount more than requestedAmountDO_NOT_HONOR
APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response with authorizedAmount less than requestedAmountPARTIAL_AMOUNT_APPROVED
APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED and authorizedAmount is not equal to requestedAmount and POS does not support partial approvalDO_NOT_HONOR
APPROVEDYour system returns a response with a different currency code than the currency code used in the original transactionDO_NOT_HONOR

Partial amount approved response codes

The following table provides an overview of scenarios when Highnote provides an PARTIAL_AMOUNT_APPROVED response to a IssuerPreliminaryAuthorizationEvent:

Initial Highnote responseYour system's responseFinal Highnote platform response code
PARTIAL_AMOUNT_APPROVEDYour system returns an APPROVED response without authorizedAmount or with authorizedAmount equal to requestedAmountPARTIAL_AMOUNT_APPROVED
PARTIAL_AMOUNT_APPROVEDYour system returns an APPROVED response with authorizedAmount less than requestedAmountPARTIAL_AMOUNT_APPROVED
PARTIAL_AMOUNT_APPROVEDYour system returns an APPROVED response with authorizedAmount more than requestedAmountDO_NOT_HONOR
PARTIAL_AMOUNT_APPROVEDYour system returns an PARTIAL_AMOUNT_APPROVED response without authorizedAmountPARTIAL_AMOUNT_APPROVED
PARTIAL_AMOUNT_APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response with authorizedAmount equal to requestedAmountPARTIAL_AMOUNT_APPROVED
PARTIAL_AMOUNT_APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response with authorizedAmount more than requestedAmountDO_NOT_HONOR
PARTIAL_AMOUNT_APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response with authorizedAmount less than requestedAmountPARTIAL_AMOUNT_APPROVED
PARTIAL_AMOUNT_APPROVEDYour system returns a PARTIAL_AMOUNT_APPROVED response and authorizedAmount is not equal to requestedAmount and POS does not support partial approvalDO_NOT_HONOR
PARTIAL_AMOUNT_APPROVEDYour system returns a response with a different currency code than the currency code used in the original transactionDO_NOT_HONOR

Find collaborative authorization key

When you register a collaborative authorization endpoint, the API returns a secret key. If you need to retrieve this key again, you can query the CollaborativeAuthorizationEndpoint object to retrieve the signingKeys field.

Use the following query to retrieve a collaborative authorization endpoint's secret key:

Simulate collaborative authorization

You can use the collaborative authorization simulation to test your endpoints in the test environment. For more information, see Simulate Collaborative Authorization.

Provide Feedback

Was this content helpful?