topic Re: Accept.js - clientKey and apiLoginID inside Javascript in Integration and Testing

Accept.js - clientKey and apiLoginID inside Javascript

zamiksica123 — Mon, 12 Sep 2016 06:25:59 GMT

Hello

on my website I use code provided by your example:

https://developer.authorize.net/api/reference/features/acceptjs.html

There are also those lines:

authData.clientKey = '6WrfHGS76gHW3v7btBCE3HuuBukej96Ztfn5R32G5ep42vne7MCWZtAucY';
authData.apiLoginID = 'my_api_login_id';

Of course, I'm using my details.

Question is - is it secure to use clientKey and apiLoginID on that way? With other words, everybody can see those values - can they be misused?

Thank you.

Re: Accept.js - clientKey and apiLoginID inside Javascript

brianmc — Mon, 12 Sep 2016 16:46:00 GMT

The client key is considered a public or publishable identifier, it's not actually an authentication credential so there is no issue with it being embedded in a javascript application, mobile app, etc. The payment nonce returned from our Accept.js library is of no value to anyone other than the caller who requested it, it can only be used with a fully authenticated call like createTransaction or createCustomerPaymentProfile which require your full (secret) API authentication credentials. Hope that makes sense and thanks for the question.

Re: Accept.js - clientKey and apiLoginID inside Javascript

zamiksica123 — Mon, 12 Sep 2016 18:41:42 GMT

OK as I understand it is safe to use clientKey and LoginID inside JavaScript?

Could you please tell me regarding TransactionKey. I have not access to server Environment variables so instead of:

$loginId = getenv("API_LOGIN_ID");
$transactionKey = getenv("TRANSACTION_KEY");

I'm using:

$loginId = 'myloginid';
$transactionKey = 'myTransactionKey';

in my transactionCaller.php

Is that safe? Can I have any problem if I declare transactionKey inside my PHP file?

Tahnk you for help.

Re: Accept.js - clientKey and apiLoginID inside Javascript

zamiksica123 — Tue, 13 Sep 2016 18:40:23 GMT

Could someone from support answer on this question, please.

Re: Accept.js - clientKey and apiLoginID inside Javascript

RichardH — Tue, 13 Sep 2016 19:06:36 GMT

@zamiksica123 We can confirm that your transaction key must be securely stored if used and should never be made available to unauthorized users on your website.

Richard

Re: Accept.js - clientKey and apiLoginID inside Javascript

zamiksica123 — Tue, 13 Sep 2016 19:45:40 GMT

Hello

I'm using TransactionKey inside "transactionCaller.php" file, like in your example:

https://github.com/AuthorizeNet/accept-sample-app/blob/master/transactionCaller.php

That PHP file is called only by JavaScript&colon;

	$.ajax({
		url: "transactionCaller.php",
		data: {amount: document.getElementById('amount').value, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue},
		method: 'POST',
		timeout: 5000
              ...
	})

I presume that TransactionKey can not be read from PHP file?

What other option I have if I hav enot access to server?

Thank you.

Re: Accept.js - clientKey and apiLoginID inside Javascript

brianmc — Tue, 13 Sep 2016 20:53:53 GMT

You're correct the transactionKey cannot be read inside the PHP file, it's not being served directly out to the browser client, PHP is a "server-side" web technology.

That being said we would certainly recommend any level of abstraction/security you have at your disposal, e.g. platform secure variables (example would be Azure Application secure variables), a separate constants file (preferably encrypted), web stack server variables, etc as per web application best practices.