Added

Authorization Challenges Now Support Customer-Orchestrated Delivery

Release Date

May 19, 2026

Products Affected

Authorization Challenges, Authorization Stream Access (ASA)

Impact

New orchestration model and additional fields on the latest_challenge object

Audience

Customers using authorization challenges

Action Required

None

Overview

Beginning Tuesday, May 19th, authorization challenges support a new Customer Orchestration model alongside the existing Lithic-managed SMS flow. Under Customer Orchestration, Lithic emits a card_authorization.challenge webhook when a challenge is issued, and the card program delivers the prompt to the cardholder through its own channel (mobile push, in-app prompt, biometric verification, or any other authenticated channel) before posting the cardholder's response back to Lithic. The ASA latest_challenge object gains a method field and a DECLINED status value to identify how each challenge was delivered and whether the cardholder rejected it.

Details

The orchestration model is configured at the program level by the Lithic team and applies to every challenge for the program. Both Authorization Rules and ASA-triggered challenges use the configured model.

latest_challenge Object Changes

The latest_challenge object returned to ASA endpoints on the Authorization payload is updated as follows:

  • method (string, required): The channel used to deliver the challenge to the cardholder. Values are SMS (delivered by Lithic via SMS) or OUT_OF_BAND (delivered by the card program via Customer Orchestration).
  • phone_number (string, nullable): The phone number used to send the challenge. Present only when method is SMS. null for OUT_OF_BAND challenges.
  • status: A new DECLINED value indicates that the cardholder rejected the challenge prompt.

The status parameter accepts the following values:

  • COMPLETED - Cardholder successfully approved the challenge
  • DECLINED - Cardholder declined the challenge
  • PENDING - Challenge remains open awaiting cardholder response
  • EXPIRED - Challenge timeout occurred without completion
  • ERROR - Challenge processing encountered a system error

card_authorization.challenge_response Event

The challenge_method parameter on the card_authorization.challenge_response event accepts a new OUT_OF_BAND value in addition to the existing SMS value.

Example: latest_challenge in an ASA Request

Previously, the latest_challenge object identified the challenge by status, phone number, and completion timestamp:

{
  "latest_challenge": {
    "status": "COMPLETED",
    "phone_number": "+15551234567",
    "completed_at": "2026-05-15T14:25:12Z"
  }
}

With this update, the object includes a method field, supports the DECLINED status, and returns phone_number as null for out-of-band challenges:

{
  "latest_challenge": {
    "status": "COMPLETED",
    "method": "OUT_OF_BAND",
    "phone_number": null,
    "completed_at": "2026-05-15T14:25:12Z"
  }
}

Release Timeline

Production availability: May 19, 2026

User Impact

This change is additive. Existing SMS-based integrations continue to function without modification, and programs remain on Lithic Orchestration by default. ASA implementations whose decisioning logic reads latest_challenge.phone_number should handle a null value if migrating to Customer Orchestration, and any logic that branches on status should account for the new DECLINED outcome.

Programs interested in enabling Customer Orchestration should contact their Customer Success Manager.
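The null phone_number and DECLINED handling described under User Impact, as an added example (not Lithic's code or part of the original changelog). The function name, the decision labels, and the fail-closed policy for EXPIRED, ERROR, and unrecognized values are assumptions of this example; the field names and enum values are the ones listed above.

```python
# Added example. Decision labels are this example's own, not Lithic API values.
APPROVE, DECLINE, WAIT, NO_CHALLENGE = "approve", "decline", "wait", "no_challenge"

KNOWN_METHODS = ("SMS", "OUT_OF_BAND")
# Policy assumption: only COMPLETED passes; everything but PENDING fails closed.
STATUS_TO_DECISION = {
    "COMPLETED": APPROVE,
    "DECLINED": DECLINE,   # new value: cardholder rejected the prompt
    "PENDING": WAIT,
    "EXPIRED": DECLINE,
    "ERROR": DECLINE,
}

def evaluate_challenge(auth):
    """Return (decision, reason) for latest_challenge on an ASA payload dict."""
    challenge = auth.get("latest_challenge")
    if challenge is None:
        return NO_CHALLENGE, "no challenge on this authorization"
    if not isinstance(challenge, dict):
        return DECLINE, "latest_challenge is not an object"
    method = challenge.get("method")
    phone = challenge.get("phone_number")
    if method not in KNOWN_METHODS:
        return DECLINE, f"unrecognized method {method!r}"
    # phone_number is only meaningful for SMS; never dereference it otherwise.
    if method == "SMS" and not isinstance(phone, str):
        return DECLINE, "SMS challenge without phone_number"
    if method == "OUT_OF_BAND" and phone is not None:
        return DECLINE, "OUT_OF_BAND challenge carrying phone_number"
    status = challenge.get("status")
    decision = STATUS_TO_DECISION.get(status) if isinstance(status, str) else None
    if decision is None:
        return DECLINE, f"unrecognized status {status!r}"
    return decision, f"{method} challenge {status}"

# Constructed sample payloads (trimmed to the latest_challenge object).
SAMPLES = [
    {"latest_challenge": {"status": "COMPLETED", "method": "OUT_OF_BAND", "phone_number": None}},
    {"latest_challenge": {"status": "DECLINED", "method": "OUT_OF_BAND", "phone_number": None}},
    {"latest_challenge": {"status": "PENDING", "method": "SMS", "phone_number": "+15551234567"}},
    {"latest_challenge": {"status": "COMPLETED", "phone_number": "+15551234567"}},  # no method
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate_challenge(sample))
```

The last sample has the pre-update shape with no method field; this example rejects it rather than guessing the delivery channel.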

Updated Documentation

For the full Customer Orchestration flow, including webhook payload structure and response handling, visit our Authorization Challenges guide. For the response endpoint specification, see the Respond to Authorization Challenge API reference.

If you have any questions or concerns, please contact us via the HELP link in your Lithic Dashboard.

