Available Now: Authorization Challenges

Release Date

October 15, 2025

Products Affected

Authorization Rules, ASA

Impact

New feature available, additive only

Audience

All customers

Action Required

None

Overview

Authorization Challenges are now available, adding SMS-based cardholder authentication for transactions identified as potentially fraudulent. With this capability, card programs can add a verification layer that declines a suspicious transaction and sends the cardholder an SMS asking for confirmation. After successful validation, cardholders can retry their transaction, which is conditionally approved through configurable bypass logic. This feature opens new possibilities for reducing false declines while maintaining strong fraud protection.

Details

Programs can implement Authorization Challenges through either Authorization Rules or ASA. Challenged transactions appear with the new decline reason code CARDHOLDER_CHALLENGED, providing clear visibility into when challenges are triggered. Programs can customize SMS templates for the initial challenge request and follow-up messages to match their brand voice and cardholder communication standards.

Authorization Challenges via Authorization Rules

Programs can trigger challenges through Authorization Rules using the new CONDITIONAL_ACTION rule type with a CHALLENGE action. Configure rules via the Auth Rules API or directly through the Rules tab in the Lithic Dashboard. After a cardholder successfully confirms a transaction, Authorization Rules automatically bypass the same challenge for that card and merchant combination for 24 hours, allowing seamless retry without additional friction.

Via API

POST /v2/auth_rules

{
  "program_level": true,
  "type": "CONDITIONAL_ACTION",
  "event_stream": "AUTHORIZATION",
  "parameters": {
    "action": "CHALLENGE",
    "conditions": [
      {
        "attribute": "RISK_SCORE",
        "operation": "IS_GREATER_THAN",
        "value": 700
      }
    ]
  }
}

Via Lithic Dashboard


Authorization Challenges via ASA

ASA implementations can now return CHALLENGE in the authorization response to trigger verification. Unlike Auth Rules, ASA customers can specify a phone number per transaction rather than relying solely on accountholder records. ASA implementations receive challenge state information in a new latest_challenge object containing status details (COMPLETED, PENDING, etc.) and can implement custom bypass logic based on their specific risk tolerance.

Example ASA response:

{
  "result": "CHALLENGE",
  "phone_number": "+15551234567"
}

Example latest_challenge object in subsequent ASA requests:

{
  "status": "COMPLETED",
  "phone_number": "+15551234567",
  "completed_at": "2024-10-09T14:23:45Z"
}
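
One way an ASA implementation could write the custom bypass logic described above, as an added example (not Lithic's code). The function names, the risk_score and phone_on_file arguments, the one-hour window and the "APPROVED" result value are assumptions; only CHALLENGE and the latest_challenge fields come from this page.

```python
from datetime import datetime, timedelta, timezone

RISK_THRESHOLD = 700                # mirrors the Auth Rules example: challenge above 700
BYPASS_WINDOW = timedelta(hours=1)  # assumption: chosen by the program's risk tolerance


def challenge_is_fresh(latest_challenge, phone_on_file, now):
    """Return True only if a completed challenge justifies skipping a new one."""
    if not latest_challenge or latest_challenge.get("status") != "COMPLETED":
        return False  # absent or PENDING: the cardholder has not confirmed
    if latest_challenge.get("phone_number") != phone_on_file:
        return False  # confirmation came from a number we do not hold on record
    try:
        completed = datetime.fromisoformat(
            latest_challenge["completed_at"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False  # missing or malformed timestamp: fail closed
    if completed.tzinfo is None:
        return False  # refuse timestamps without an explicit offset
    age = now - completed
    # Reject future-dated completions as well as stale ones.
    return timedelta(0) <= age <= BYPASS_WINDOW


def asa_decision(risk_score, latest_challenge, phone_on_file, now=None):
    """Build the ASA response body for one authorization request."""
    now = now or datetime.now(timezone.utc)
    if risk_score <= RISK_THRESHOLD:
        return {"result": "APPROVED"}  # assumed approve value
    if challenge_is_fresh(latest_challenge, phone_on_file, now):
        return {"result": "APPROVED"}  # retry after a recent confirmation
    return {"result": "CHALLENGE", "phone_number": phone_on_file}
```

Every failure path falls through to a new CHALLENGE, so a malformed or replayed latest_challenge can never widen the bypass.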

Release Timeline

Available now

Enablement

Programs interested in implementing Authorization Challenges should contact their Customer Success Manager to begin setup and configure message templates.

User Impact

This feature is additive only. Existing authorization logic continues to function without modification.

Updated Documentation

For complete implementation details, visit our Authorization Challenges documentation. API specifications are available in the Auth Rules API Reference and ASA Reference.

If you have any questions or concerns, please contact us via the HELP link in your Lithic Dashboard.
