topic Re: transHashSHA2 is not documented in your API reference in Integration and Testing

transHashSHA2 is not documented in your API reference

karenb — Sun, 13 Jan 2019 09:57:37 GMT

Element "transHashSHA2" is not documented in your API reference, and the information in your Transaction Hash Upgrade Guide is inadequate, as it too fails to properly document the element. Is it properly documented somewhere so that your customers can complete the mandatory upgrade by the end of the month?

Re: transHashSHA2 is not documented in your API reference

Renaissance — Sun, 13 Jan 2019 21:39:05 GMT

Just curious, what type of response do you validate with this and what programming language do you use in your integration?

I’m not fully seeing a reason to validate API calls in my php app, but there’s obviously something I’m missing, else this wouldn’t exist. If you’re using php I can probably help you.

Re: transHashSHA2 is not documented in your API reference

karenb — Sun, 13 Jan 2019 23:14:49 GMT

Renaissance, we have people who will write the code. We just need the proper API documentation (and for Authorize.Net to operate in accordance with its documentation) to reflect the change that Authorize.Net is mandating. Many companies are prohibited from implementing changes without updated documentation, as implementing changes without updated documentation is generally considered a form of recklessness.

It is our understanding that the hash feature "enhance[s] the security of your transaction responses" and "allows your script to verify that the results of a transaction are actually from Authorize.Net" rather than from a criminal impersonator. To skip this check could be like not locking the door on our warehouse.

Re: transHashSHA2 is not documented in your API reference

Renaissance — Mon, 14 Jan 2019 07:12:45 GMT

Yeah that’s the exact purpose. I think others just have a different process than I do. The only transaction response I get is from webhooks and I do the sha512 verification there. I suppose this is better suited for other integration methods. On my app I have all kinds of API calls on the backend, but they are manually called, except for webhooks, and since my scripts are directed to authorize I see it as quite unlikely that the response is going to come from anyone else. And all of the calls I make would likely pose no security risks even if I did get a bad response. The other thing is my clients are all using SSL encryption, which is going to provide some of the security features that are being offered.

The reason I was asking is I know that this sounds complicated, but it is actually quite easy. I’ve already implemented this months ago (webhooks has a feature that is pretty much identical, with a few quirks) on my webhooks endpoint. It’s literally less than 10 lines of code.

I do understand your need for due diligence. And the folks here are getting you what you need. I was offering to help in the interim period if you were using something I’m familiar with, as I may go ahead and put this feature in the rest of my app. And I will say that I have found this to be an extremely good service.