The full XML of my ARB request is below, with credentials obfuscated. When I execute this in the test runner (https://developer.authorize.net/api/reference/index.html#recurring-billing-create-a-subscription) it works fine - SUCCESS. But when I run it from my local machine (yes I have valid SSL set up) I get "Invalid OTS Token".
I am running this in the sandbox: https://apitest.authorize.net/xml/v1/request.api
<name>Monthly Trash Service</name>
<address>123 Sunset Ave.</address>
IMPORTANT: From my same localhost machine and within the same webapp I can send createTransactionRequest and it works fine - SUCCESS. It's only ARB requests that throw the error. This means that it can't be related to SSL or certificates or credentials, etc - else the createTransactionRequest would also fail.
This error occurs every time - 100% reproducible.
Thanks in advance for any advice.
I found the solution after a lot of searching online. It turns out that for ARB you need a delay after getting the nonce and before making the final call. For my PHP implementation, sleep(5) solved it for me.
Share on authnet for allowing this nasty bug to continue for so long. If they're going to do this, they should at least include the error message something like "Consider adding a 5 second sleep before making the call". But WHY can't authnet just put the sleep on their own side, since they know it's required, else failure??