The admin page, where the API login id and transaction id are shown and generated, has this text:
"IMPORTANT: The API Login ID and Transaction Key should not be shared with anyone. Be sure to store these values securely and change the Transaction Key regularly to further strengthen the security of your account."
But the DPM developer guide (and I assume the AIM and SEC too) shows the contents of the submitted form looking like this:
<FORM METHOD=POST ACTION=
"https://secure.authorize.net/gateway/transact.dll">
<% ret = InsertFP (APIloginid, sequence, amount, txnkey) %>
<INPUT TYPE=HIDDEN NAME="x_login" VALUE="the merchant’s API Login ID">
<INPUT TYPE=HIDDEN NAME="x_version" VALUE="3.1">
<INPUT TYPE=HIDDEN NAME="x_method" VALUE="CC">
<INPUT TYPE=HIDDEN NAME="x_show_form" VALUE="PAYMENT_FORM">
<INPUT TYPE=HIDDEN NAME="x_amount" VALUE="9.95">
<INPUT TYPE=HIDDEN NAME="x_relay_response" VALUE="TRUE">
<INPUT TYPE=HIDDEN NAME="x_relay_url" VALUE="Any valid URL">
<INPUT TYPE=SUBMIT VALUE="Click here for the secure payment form">
</FORM>
What's that in the form? Yes, the API login ID, in a very non-secret place in front of the end user.
Am I mixing up fields here, or are these two pieces of information contradictory? If they are, then which is right? Should the login ID perhaps be NOT in this form for all to see, or is it actually something that does not need to be kept secret?
I need to know I'm covered if someone uses this login key for purposes for which it was not intended, if the documentation clearly states that it should be made public.
-- Jason
02-10-2015 04:14 AM
Only the combo is secret, as you need to pass the login ID for authorize.net to know who is sending them the request.
02-10-2015 06:19 AM
That was my assumption, but I just wanted to be sure what the ambiguous statement in the admin page meant. It should really just say that the transaction key must not be shared, because that is the only one of the pair that is not shared in reality.
02-10-2015 06:59 AM
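An added example, not part of the original thread or of Authorize.Net's own code, showing why the login ID can sit in the form while the transaction key cannot: a sketch of what a helper like the form's InsertFP does on the server. The HMAC-MD5 construction, the `login^sequence^timestamp^amount^` input layout, the `x_fp_*` field names and all credential values are assumptions or constructed samples, not taken from this page.

```python
import hashlib
import hmac

# Constructed sample values, not real credentials.
API_LOGIN_ID = "ExampleLogin1"        # rendered into the form, visible to the user
TRANSACTION_KEY = "ExampleTxnKey123"  # used on the server only, never rendered


def fingerprint(login_id, txn_key, sequence, timestamp, amount):
    """Keyed hash over the public form values (assumed layout and algorithm)."""
    msg = f"{login_id}^{sequence}^{timestamp}^{amount}^"
    return hmac.new(txn_key.encode(), msg.encode(), hashlib.md5).hexdigest()


def hidden_fields(login_id, txn_key, sequence, timestamp, amount):
    """Fields the merchant server writes into the form. The key is an input
    to the hash but is not one of the emitted values."""
    return {
        "x_login": login_id,
        "x_amount": amount,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_fp_hash": fingerprint(login_id, txn_key, sequence, timestamp, amount),
    }


def gateway_accepts(fields, txn_key_on_file):
    """Modelled gateway check: look up the key for x_login and recompute."""
    expected = fingerprint(
        fields["x_login"], txn_key_on_file,
        fields["x_fp_sequence"], fields["x_fp_timestamp"], fields["x_amount"],
    )
    return hmac.compare_digest(expected, fields["x_fp_hash"])


if __name__ == "__main__":
    form = hidden_fields(API_LOGIN_ID, TRANSACTION_KEY, 1001, 1423560000, "9.95")
    print("genuine form accepted:", gateway_accepts(form, TRANSACTION_KEY))

    # Changing the amount in the browser invalidates the fingerprint.
    tampered = dict(form, x_amount="0.01")
    print("tampered amount accepted:", gateway_accepts(tampered, TRANSACTION_KEY))

    # Knowing only the login ID is not enough to produce a valid hash.
    forged = hidden_fields(API_LOGIN_ID, "guessed-key", 1002, 1423560000, "0.01")
    print("forged form accepted:", gateway_accepts(forged, TRANSACTION_KEY))
```
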