Accept.js - clientKey and apiLoginID inside Javascript
Hello
On my website I use the code provided by your example:
https://developer.authorize.net/api/reference/features/acceptjs.html
There are also those lines:
authData.clientKey = '6WrfHGS76gHW3v7btBCE3HuuBukej96Ztfn5R32G5ep42vne7MCWZtAucY';
authData.apiLoginID = 'my_api_login_id';
Of course, I'm using my details.
The question is: is it secure to use clientKey and apiLoginID in that way? In other words, everybody can see those values; can they be misused?
Thank you.
09-11-2016 11:25 PM
The client key is considered a public or publishable identifier; it's not actually an authentication credential, so there is no issue with it being embedded in a JavaScript application, mobile app, etc. The payment nonce returned from our Accept.js library is of no value to anyone other than the caller who requested it; it can only be used with a fully authenticated call like createTransaction or createCustomerPaymentProfile, which require your full (secret) API authentication credentials. Hope that makes sense and thanks for the question.
09-12-2016 09:46 AM
OK, as I understand it, it is safe to use clientKey and LoginID inside JavaScript?
Could you please tell me about TransactionKey? I do not have access to server environment variables, so instead of:
$loginId = getenv("API_LOGIN_ID");
$transactionKey = getenv("TRANSACTION_KEY");
I'm using:
$loginId = 'myloginid';
$transactionKey = 'myTransactionKey';
in my transactionCaller.php.
Is that safe? Can I have any problem if I declare transactionKey inside my PHP file?
Thank you for the help.
09-12-2016 11:41 AM
Could someone from support answer this question, please?
09-13-2016 11:40 AM
@zamiksica123 We can confirm that your transaction key must be securely stored if used and should never be made available to unauthorized users on your website.
Richard
09-13-2016 12:05 PM - edited 09-13-2016 12:06 PM
Hello
I'm using TransactionKey inside "transactionCaller.php" file, like in your example:
https://github.com/AuthorizeNet/accept-sample-app/blob/master/transactionCaller.php
That PHP file is called only by JavaScript:
$.ajax({
  url: "transactionCaller.php",
  data: {amount: document.getElementById('amount').value, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue},
  method: 'POST',
  timeout: 5000
  ...
})
I presume that TransactionKey cannot be read from the PHP file?
What other option do I have if I do not have access to the server?
Thank you.
09-13-2016 12:45 PM
You're correct: the transactionKey cannot be read inside the PHP file. It's not being served directly out to the browser client; PHP is a "server-side" web technology.
That being said, we would certainly recommend any level of abstraction/security you have at your disposal, e.g. platform secure variables (example would be Azure Application secure variables), a separate constants file (preferably encrypted), web stack server variables, etc., as per web application best practices.
09-13-2016 01:53 PM
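
An added example, not part of the thread and not Authorize.Net's code: one way transactionCaller.php could follow the "separate constants file" advice when environment variables are unavailable. The function name, the file location and the array keys are assumptions; API_LOGIN_ID and TRANSACTION_KEY are the variable names quoted in the thread.

```php
<?php
declare(strict_types=1);
// Added example. Assumptions: a POSIX host where PHP runs as the file's owner,
// and a credential file of the form
//   <?php return ['loginId' => 'PLACEHOLDER', 'transactionKey' => 'PLACEHOLDER'];

function loadGatewayCredentials(string $configPath, string $docRoot): array
{
    // 1. Prefer environment variables when the host provides them (non-empty values only).
    $loginId = getenv('API_LOGIN_ID');
    $transactionKey = getenv('TRANSACTION_KEY');
    if ($loginId && $transactionKey) {
        return ['loginId' => $loginId, 'transactionKey' => $transactionKey];
    }

    // 2. Fall back to a constants file; resolve symlinks and ".." before checking it.
    $real = realpath($configPath);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Credential file not found');
    }

    // The file must live outside the document root, so the web server can never
    // hand it out as a static file if PHP handling is ever switched off.
    $root = realpath($docRoot);
    if ($root !== false
        && strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Credential file is inside the document root');
    }

    // On shared hosting other local accounts must not be able to read it.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('Credential file is world-readable; use chmod 600');
    }

    $cfg = require $real;
    if (!is_array($cfg) || empty($cfg['loginId']) || empty($cfg['transactionKey'])) {
        throw new RuntimeException('Credential file lacks loginId or transactionKey');
    }
    return [
        'loginId' => (string) $cfg['loginId'],
        'transactionKey' => (string) $cfg['transactionKey'],
    ];
}

// Usage in transactionCaller.php (hypothetical path one level above the web root):
// $creds = loadGatewayCredentials(__DIR__ . '/../private/authnet.php', $_SERVER['DOCUMENT_ROOT']);
```

Catch the exception in the caller and return a generic error to the browser, so neither the path nor the reason is disclosed in the AJAX response.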