When you receive a transaction response from Authorize.net, it includes a SHA2 hash element. The name and position of this element depend on the API integration method used. The SHA2 hash field contains an HMAC-SHA512 hash that Authorize.net generated for the transaction. This can be used to validate the response came from Authorize.net, but it is not required to do so.

• All Authorize.net values, including the Signature Key and the 'transHashSHA2' element, use ISO 8859-1 characters. Using Unicode instead of ISO 8859-1 may cause hash mismatches.
• For Customer Information Manager/Customer Profiles 'createTransaction', the SHA2 value will not be provided in the response (including Silent Post for this specific call).
• For Automated Recurring Billing Silent Posts, the SHA2 value will not be provided in the response.

Authorize.net API

For Authorize.net API (XML, JSON, SOAP), the SHA2 element is 'transHashSHA2' in the API response. For more details, please see the Authorize.net API Hash Upgrade Guide.

Advance Integration Method (AIM)

For Advance Integration Method (AIM), the SHA2 element is at the end of the API response. For more details, please see the Advance Integration Method (AIM) guide (page 57-59).

Please note this is a deprecated integration method, please check our Upgrade Guide for API statuses.

For Authorize.net API and AIM, only 3 fields are involved in the SHA2 Hash:

• API Login ID
• Transaction ID
• Amount

Server Integration Method (SIM) or Direct Post Method (DPM)

For Server Integration Method (SIM) or Direct Post Method (DPM) and utilizing Replay Response, the SHA2 element is 'x_SHA2_Hash'. For more details, please see the Server Integration Method (SIM) guide (pages 73-75).

Please note this is a deprecated integration method, please check our Upgrade Guide for API statuses.

For Silent Post, the SHA2 element is 'x_SHA2_Hash'. Please see Silent Post Url article. An example can also be seen in the Authorize.net API Hash Upgrade Guide.

Please note it is recommended to consider moving to Webhooks as a replacement for this feature.

For SIM/DPM + Relay Response and Silent Post

There are 30 fields involved in the SHA2 Hash:

• x_trans_id
• x_test_request
• x_response_code
• x_auth_code
• x_cvv2_resp_code
• x_cavv_response
• x_avs_code
• x_method
• x_account_number
• x_amount
• x_company
• x_first_name
• x_last_name
• x_address
• x_city
• x_state
• x_zip
• x_country
• x_phone
• x_fax
• x_email
• x_ship_to_company
• x_ship_to_first_name
• x_ship_to_last_name
• x_ship_to_address
• x_ship_to_city
• x_ship_to_state
• x_ship_to_zip
• x_ship_to_country
• x_invoice_num