I know it seems like a simple question, and it really is. I ask because:
In the AIM PDF, it says that x_login and x_tran_key are required when submitting a form. However, on the API generation page, it says not to share your API key or Transaction Key with anyone.
Basically, saying "Don't share your API Key or Transaction Key with anyone" and then saying "Please set your API Key and Transaction Key as hidden fields in your checkout form" is a complete conundrum. Anyone who looks at the source of my checkout page will be able to get the API Key and Transaction Key. Hidden fields are not secure.
I just don't understand :(
Your API Login ID and Transaction Key should not be visible in the source code of the page, but they must be included in any AIM POST as the value to x_login and x_tran_key, as this is the purpose that these values serve in relation to allowing you to process transactions programmatically. If your source code cannot be obstructed, you should pull the values from a secure file during the POST of the transaction.