Is the API login ID supposed to be secret or not?

The admin page, where the API login id and transaction id are shown and generated, has this text:

 

"IMPORTANT: The API Login ID and Transaction Key should not be shared with anyone. Be sure to store these values securely and change the Transaction Key regularly to further strengthen the security of your account."

 

But the DPM developer guide (and I assume the AIM and SEC too) show the contents of the submitted form looking like this:

 

<FORM METHOD=POST ACTION=
"https://secure.authorize.net/gateway/transact.dll">
<% ret = InsertFP (APIloginid, sequence, amount, txnkey) %>
<INPUT TYPE=HIDDEN NAME="x_login" VALUE="the merchant’s API Login ID">
<INPUT TYPE=HIDDEN NAME="x_version" VALUE="3.1">
<INPUT TYPE=HIDDEN NAME="x_method" VALUE="CC">
<INPUT TYPE=HIDDEN NAME="x_show_form" VALUE="PAYMENT_FORM">
<INPUT TYPE=HIDDEN NAME="x_amount" VALUE="9.95">
<INPUT TYPE=HIDDEN NAME="x_relay_response" VALUE="TRUE">
<INPUT TYPE=HIDDEN NAME="x_relay_url" VALUE="Any valid URL">
<INPUT TYPE=SUBMIT VALUE="Click here for the secure payment form">
</FORM>

 

What's that in the form? Yes, the API login ID, in a very non-secret place in front of the end user.

 

Am I mixing up fields here, or are these two pieces of information contradictory? If they are, then which is right? Should the login ID perhaps be NOT in this form for all to see, or is it actually something that does not need to be kept secret?

 

I need to know I'm covered if someone uses this login key for purposes for which it was not intended, if the documentation clearly states that it should be made public.

 

-- Jason

jasonjudge
Contributor
Accepted Solutions

Only the combo is secret, as you need to pass the login ID for authorize.net to know who is sending them the request.

RaynorC1emen7
Expert

That was my assumption, but I just wanted to be sure what the ambiguous statement in the admin page meant. It should really just say that the transaction key must not be shared, because that is the only one of the pair that is not shared in reality.
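
The accepted answer in code form: the login ID only tells the receiver whose key to look up, while the transaction key stays on the merchant server and is used to sign the form values. This is an added example, not code from the thread or from the Authorize.Net guide; it sketches what a helper like `InsertFP` might do, assuming the fingerprint is an HMAC keyed with the transaction key. The message layout, the `x_fp_*` field names, the SHA-512 digest and the credential values are assumptions.

```python
import hashlib
import hmac

# Constructed sample credentials, not real values.
API_LOGIN_ID = "EXAMPLE_LOGIN_ID"        # public: rendered into the form as x_login
TRANSACTION_KEY = b"EXAMPLE_TXN_KEY"     # secret: never leaves the merchant server


def fingerprint(login_id, sequence, timestamp, amount, txn_key, digest=hashlib.sha512):
    """Keyed hash over the values the browser will submit (assumed layout)."""
    msg = f"{login_id}^{sequence}^{timestamp}^{amount}^".encode()
    return hmac.new(txn_key, msg, digest).hexdigest()


def render_hidden_fields(sequence, timestamp, amount):
    """Values the merchant server writes into the page: everything except the key."""
    return {
        "x_login": API_LOGIN_ID,
        "x_amount": amount,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_fp_hash": fingerprint(API_LOGIN_ID, sequence, timestamp, amount,
                                 TRANSACTION_KEY),
    }


def gateway_accepts(fields, key_lookup):
    """Receiver side: find the key by the public login ID, recompute, compare."""
    key = key_lookup.get(fields["x_login"])
    if key is None:
        return False  # unknown login ID
    expected = fingerprint(fields["x_login"], fields["x_fp_sequence"],
                           fields["x_fp_timestamp"], fields["x_amount"], key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, fields["x_fp_hash"])


if __name__ == "__main__":
    form = render_hidden_fields(1001, 1700000000, "9.95")
    keys = {API_LOGIN_ID: TRANSACTION_KEY}
    print("untampered form accepted:", gateway_accepts(form, keys))
    print("edited amount accepted:  ", gateway_accepts(dict(form, x_amount="0.01"), keys))
```

Anyone viewing the page source sees `x_login` and the hash, but changing a signed field invalidates the hash, and a valid one cannot be recomputed without the transaction key.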