Workflow Overview

The following overview provides the steps that you and the merchant must take to implement OAuth.

You enable mutual authentication by obtaining a Certificate Signing Request from a supported certificate authority (CA) and submitting your common name details to Cybersource.

You register your application in the Cybersource Business Center. During registration, you must provide a scope of permissions and a redirect URL. The product is still changing, so contact us to understand which APIs and scopes are enabled for OAuth.

The merchant visits your application, enters form information, and clicks a link or button to continue the process.

Your application redirects the merchant to Cybersource.

The merchant signs into their Cybersource account and grants or denies permissions to your application within the scopes that you provided in Step 2. Remind the merchant that the Cybersource account that they use must have sufficient account permissions to grant or deny these OAuth permissions.

Cybersource redirects the merchant to your application using the redirect URL that you provided during registration. If the merchant grants the permissions, an authorization code is appended to the redirect URL.

Your application calls Cybersource and exchanges the authorization code for an access token that you can use to authenticate transactions with Cybersource, as well as a refresh token that you can use to request additional access tokens.

You can view a sample of these workflow steps by using our demo application. You can also view the code for that sample application.

You must obtain test merchant credentials to emulate the access delegation. Your test account must contain at least one card-based transaction from within the past 7 days.

To test your own application, you can use the certificate that is available with the Cybersource sample application code, hosted on Github.

To change the scopes that you set in Step 2, you must repeat Steps 2 through 7.