- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was caught off guard by the retirement of the md5 hash. I'm trying to fix some legacy code to keep our legacy site limping along until we can get the rebuilt site out -- THE LEGACY SERVER CANNOT RUN the latest SDK so please do not suggest that in response to this question.
In trying to fix this legacy code, I cannot get the test transactions (or even a couple of transactions run on the production system) to supply the HMAC-SHA512 hash promised in the Aim Guide in the section titled "Authenticating the Response."
Here's a sample raw response from an AIM transaction with some values changed for privacy:
"1"|"1"|"1"|"This transaction has been approved."|"52R4QE"|"Y"|"40034138508"|"2019-07-0269072"|"Purchase Description Blah Blah Blah"|"99.95"|"CC"|"auth_capture"|"3"|"Joe"|"Test"|"n/a"|"123 Main St."|"Los Angeles"|"CA"|"90026"|"US"|""|""|"joe.test@example.com"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|"P"|"2"|""|""|""|""|""|""|""|""|""|""|"XXXX1111"|"Visa"|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""|""
According to the AIM Guide, "The last field in the response contains the HMAC-SHA512 hash that Authorize.Net generated for the transaction, which can be used to authenticate the response. To use it, construct an HMAC-SHA512 hash..."
This does not appear to be the case at all. Is this HMAC only present for certain types of transacations? Is it not provided by the sandbox gateway? What's the deal?
Solved! Go to Solution.
โ07-02-2019 11:38 PM
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have 3 API credentials, the login, the transaction key, and the signature key. Up to this point youโve never had to use a signature key which means that you probably have never generated one. Go to your sandbox interface and generate a signature key and see what happens. You will not get a hash without one. AIM direct responses should have a hash.
โ07-02-2019 11:52 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have 3 API credentials, the login, the transaction key, and the signature key. Up to this point youโve never had to use a signature key which means that you probably have never generated one. Go to your sandbox interface and generate a signature key and see what happens. You will not get a hash without one. AIM direct responses should have a hash.
โ07-02-2019 11:52 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response. It stands to reason that the gateway cannot provide a hash until you define the signature key used to generate that hash. I added a signature key to the account(s) and I now see the signature.
โ07-03-2019 11:45 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are quite welcome my friend. Now search for my thread โworking PHP hash verificationโ for sample code. The first post has the code that should work for AIM. It uses the same formula as modern API. Iโve tested on modern API and it works. Also tested my SIM/DPM code on SIM and DPM and it works. Youโll have to do some adjusting to get the hash and other elements. Will probably have to sort using a numeric array. Luckily the calculation is simple, with few elements. Let me know if it works, as I am not sure Iโve had users test my code on AIM.
โ07-03-2019 12:20 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the additional detail. I had managed to locate all that and things seem to be working. I found this code snippet to be especially useful:
https://github.com/AuthorizeNet/sample-code-php/blob/master/Sha512/compute_trans_hashSHA2.php
โ07-03-2019 12:25 PM