Showing results for 
Search instead for 
Did you mean: 

MD5 Hash from server instead of Client's Webserver



I am using the SIM and have been able to successfully generate and MD5 hash to match the one sent back from to verify that the payment is in fact processed by In order to do this, I have followed the instructions here: on page 64. The only problem I am having is with this line right here: 


Referring to the MD5 Hash, "It should be stored securely separately from the merchant’s Web server."


Currently I have an administrative area where the client can input their credentials such as Login ID, Transaction Key, and MD5 Hash Value that correspond to the one's in their administrative area. I am trying to figure out how I can obtain this information from the webserver during a transaction in order to verify it against the supplied $_POST MD5 Hash value.


According to the docs: "To authenticate the MD5 Hash returned by the payment gateway in the transaction response, you need to create a script that can receive and parse the transaction response, call the merchant’s MD5 Hash value, and run the MD5 algorithm on the same fields listed above. "


The part I do not understand is how to "call the merchant's MD5 Hash value".


Is there an API endpoint I can supply my credentials to in order to receive my current MD5 Hash value? Is this is misunderstanding on my part?


Even in the SIM PHP SDK on Github currently:


public function __construct($api_login_id = false, $md5_setting = false) {

    $this->api_login_id = ($api_login_id ? $api_login_id : (defined('AUTHORIZENET_API_LOGIN_ID') ? AUTHORIZENET_API_LOGIN_ID : ""));

    $this->md5_setting = ($md5_setting ? $md5_setting : (defined('AUTHORIZENET_MD5_SETTING') ? AUTHORIZENET_MD5_SETTING : ""))


It looks like the MD5 Setting is being provided from the web server that is running the script. 


Can someone please point me in the right direction as to how I should call the MD5 Hash value from the server? Thanks!





Hi grazian0,


Thanks for pointing this out, the line that you referenced in the documentation is really misleading, as it's not possible to pull the MD5 secret key from anywhere except for your own server. We will send this to our documentation team for review.


It is recommended that the MD5 secret key should be stored securely, similar to the transaction key.




Administrator Administrator