# Authentication refusal

If the user doesn't approve the authentication request, the **PKSA** will send a refusal message to the **HAS**. The **HAS** will then forward the following message to the **APP**:

### auth\_nack

```
{
    cmd: "auth_nack",
    uuid: string,
    data: string
}
```

{% tabs %}
{% tab title="Properties" %}

* **`uuid`**: the request identifier
* **`data`**: the `uuid` encrypted with `auth_key` and converted to Base64
  {% endtab %}
  {% endtabs %}

{% hint style="warning" %}
The `data` can be decrypted by the **APP** using the `auth_key` to ensure the `auth_nack` message comes from a **PKSA** it has previously shared the `auth_key` with. This prevents a malicious actor operating a **HAS** server from faking requests' refusal.
{% endhint %}