Handle 3DS/SCA authentication challenges in agent payment flows

Verified steps

1. When creating a PaymentIntent or equivalent PSP object for an agent flow, request a payment_method configuration that signals machine-initiated or off-session intent where your PSP supports it — this reduces (but does not eliminate) 3DS challenges.
2. Build a detection step after payment submission: check the PSP response or PaymentIntent status for a requires_action state with type=redirect_to_url or type=use_stripe_sdk (Stripe-specific); other PSPs have equivalent challenge-signaling mechanisms.
3. When a 3DS challenge is detected, immediately suspend the agent's payment flow and surface the challenge URL and context to the human principal via a durable notification (push notification, email, or in-app alert with deep link).
4. Do not attempt to automate the 3DS challenge completion — completing 3DS requires the cardholder to authenticate via their bank's interface; automating this bypasses the SCA requirement and is a compliance violation.
5. Hold the PaymentIntent in a pending state server-side while the human completes authentication; after the human completes 3DS, the PSP will confirm the PaymentIntent and your webhook handler should resume the agent's downstream task.
6. If the human does not complete 3DS within the timeout window (often 10–15 minutes), the PaymentIntent expires; your system should notify the agent to cancel the associated task and re-queue it for human-initiated retry.