Although you can use this operation while testing your application, you never call it in production. To authenticate a real customer, you must use the Account Enroll or Authentication KBA component.
Many of the Array API operations that are invoked on behalf of a customer require the customer's identity to be authenticated. This operation, Retrieve Authentication Questions, initiates the customer authentication process by retrieving a set of questions from an authentication provider, questions such as "Which of these companies have you worked for?" or "How much is your monthly car payment?". These questions should be answerable by the customer who's represented by the User object that you identify through the clientKey query parameter.
If the authentication provider is able to generate a set of questions for your customer, Retrieve Authentication Questions returns a 200 status and presents the questions and multiple choice answers in the questions array in the response body. You present the questions to the customer and capture his or her answers which you send back to the authentication provider through the Submit the Customer's Answers call. If the answers are correct, the customer is said to be authenticated; you can then perform "authenticated customers only" operations, such as ordering a credit report.
If the provider can't generate questions -- typically because it doesn't recognize your customer -- it returns an HTTP status of 204 and an empty response body.
Authentication Providers
You can specify as many as three authentication providers by setting the providerN query parameters. If provider1 is unable to return any questions because it can't identify the customer, the operation consults provider2, and then provider3.
Currently, the three credit bureaus are used as authentication providers.
IMPORTANT Successfully retrieving questions from an authentication provider is a billable event. You're not billed if a provider doesn't return any questions (HTTP status 204). You're also not billed if you use the Sandbox Identities while you're testing your application.