APS Widget — Ticket Transfer Test Page

Served from eps-verification.ticketmaster.net behind the preprod EPS umbrella. The umbrella routes /epsf/asset/aps.js and /epsf/v1/* to epsf → APS.

Preprod evaluate actions available (config/release-preprod9-prd124.toml): ticket_transfer (mfa=0.5, block=0.1 — can challenge/block, good for demoing MFA), te_purchase (the real TicketExchange action — always-allow, no friction, ABUSE-5864), stas_test. This page uses ticket_transfer so the MFA/block branches are reachable.

Session token (SOTC) needed

APS needs a valid preprod SOTC to identify the user. It cannot be auto-copied from alpha.ticketmaster.com — cookies are domain-scoped and SOTC is HttpOnly. Paste one here (DevTools → Application → Cookies on a logged-in tab, or mint one), and it will be set as the SOTC cookie for this origin. Then click "Transfer tickets" again.

SOTC value (the raw RS256 JWT)

1. Build the transfer

eventId

orderId

Mode — both call /epsf/v1/evaluate directly and show the raw decision. real mints a fresh reCAPTCHA token and lets Google score it; the others inject _test_decision to force the outcome. Any mfa/pow result auto-completes and renders the verify curl. persona_live forces the challenge branch then stops — completing it needs a real Persona inquiry (see step 2). All modes need a valid SOTC cookie. Use mock MFA adapter (/mocks/tmmfaadapter.mock.js) instead of real preprod Identity

The real adapter needs an Identity session and may not fully render in this standalone harness. Check this to load the offline mock (served by the harness proxy) — an interactive overlay with a button for every outcome.

Skip phone validation (send result="success" without rendering the widget)

The real Identity OTP send/verify endpoint rate-limits after a few attempts, which breaks repeated testing. Check this to bypass the TMMFAAdapter widget entirely and POST result="success" directly to challenge/complete — the preprod backend's MFA path does NO device-token validation (challenge_completion_service.rs:366), so this completes the challenge and issues a token without consuming an OTP attempt.

2. Evaluate decision

The raw /epsf/v1/evaluate response. On a challenge the page auto-fires challenge/complete and shows the issued { token }.

— click "Transfer tickets" —

3. Backend verify (server-to-server)

/api/v1/verify is a backend call, not a browser call. Copy either curl below and run it from your backend / terminal — APS accepts the SOTC as an X-Auth-Token header (Method A) or a SOTC cookie (Method B). The context MUST match what step 1 sent.

— token needed first —

APS Widget — Ticket Transfer (integrator: ticket_transfer)

Session token (SOTC) needed

1. Build the transfer

2. Evaluate decision

3. Backend verify (server-to-server)

APS Widget — Ticket Transfer (integrator: `ticket_transfer`)