

KA-07428


9

04/08/2025 21:42 PM

1.0

Important Note

This article covers the classic Authorize.net experience (1.0) for Authorized Applications and OAuth in the classic Merchant Interface. For the new experience (2.0) please see the support article: What are Authorized Applications and how to manage them in the Merchant Interface? - New Experience (2.0).

For information on how to identify what version of Authorize.net you are on, please see: How to identify what version of Authorize.net you are on and switching between them? - Classic (1.0) and New Experience (2.0)
 
This article guides merchants through understanding Authorized Applications and OAuth with Authorize.net, and how merchants interact with it.

What is OAuth?

OAuth is a secure method that allows the use of credentials from one site to access resources on another site. It is widely adopted by software-as-a-service (SaaS) providers. The implementation of OAuth by Authorize.net enables authorized solutions to submit API calls on an account's behalf. This method does not expose credentials, such as the API Login ID or Transaction Key. Merchants can revoke this authorization at any time, preventing the solution from making further API calls on the account's behalf.

How does it work?

If a solution is enabled for OAuth, it will display a button that starts the process of requesting and authorizing access and permissions.
  • When a user clicks this button, a browser tab opens to the Merchant Interface. If the user is not already logged in, they will be prompted to do so.
  • If the user is an Account Owner or Account Administrator, the Merchant Interface will display the name of the solution and the requested API permissions. Clicking the Allow button registers the solution and grants the requested permissions. From that moment, until permission is revoked, the solution may submit API calls on the account's behalf.
  • Only Account Owners and Account Administrators can approve OAuth requests. If the user who signs in during this process is not an Account Owner or Account Administrator, they will receive an 'Access Denied' error message.
Merchants can view authorized applications in the Merchant Interface to see who has access and the type of access, along with options to revoke and remove access.

Which permissions may a solution request through OAuth?

OAuth permissions are limited by scope, which is specified by the solution. The scope options available are:
  • scope=read — provides read-only access to your data, for use in reporting, analysis, order fulfillment, etc.
  • scope=read,write — provides full access to all API calls, including the creation and update of transactions, subscriptions, and customer profiles, as well as the ability to delete customer profiles.

What happens if you revoke permission for an Authorized Application?

OAuth-enabled solutions use an access token to authenticate API calls, which expires after 10 minutes. If you revoke permission for an Authorized Application, any active access tokens will remain valid until they expire. Once the access token expires, the application cannot submit API calls and will receive error E00123, "The provided access token has expired." Therefore, solutions can submit API calls for up to 10 minutes after revocation.
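
The revocation window described above can be checked against a record of API calls when reviewing what an application did after its access was revoked. The following is an added example, not Authorize.net code: the record shape `(call_time, token_issued_at, accepted)`, the sample data, and the rule that no new token should be issued after revocation are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Access token lifetime stated in the article.
TOKEN_LIFETIME = timedelta(minutes=10)

def hard_cutoff(revoked_at):
    """Latest moment a token issued before revocation can still be valid."""
    return revoked_at + TOKEN_LIFETIME

def classify_calls(revoked_at, calls):
    """Label each call relative to the revocation time.

    calls: (call_time, token_issued_at, accepted) tuples. This is a
    hypothetical record shape, not an Authorize.net log format.
    """
    findings = []
    for call_time, issued_at, accepted in calls:
        if call_time <= revoked_at:
            label = "pre-revocation"
        elif not accepted:
            label = "rejected"  # e.g. E00123 once the token has expired
        elif issued_at > revoked_at:
            # Assumption: no new token should be issued once access is revoked.
            label = "anomaly: token issued after revocation"
        elif call_time < issued_at + TOKEN_LIFETIME:
            label = "residual-window"  # expected: token had not expired yet
        else:
            label = "anomaly: accepted after token expiry"
        findings.append((call_time, label))
    return findings

def t(hhmm):
    """Build a timestamp on a fixed, constructed sample day."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2025, 1, 1, hour, minute)

# Constructed sample data: revocation at 12:00, five calls around it.
REVOKED_AT = t("12:00")
SAMPLE_CALLS = [
    (t("11:58"), t("11:55"), True),
    (t("12:03"), t("11:55"), True),
    (t("12:06"), t("11:55"), False),
    (t("12:07"), t("12:02"), True),
    (t("12:12"), t("11:59"), True),
]

if __name__ == "__main__":
    print("access fully cut off by", hard_cutoff(REVOKED_AT))
    for when, label in classify_calls(REVOKED_AT, SAMPLE_CALLS):
        print(when.time(), label)
```

Calls labelled residual-window are the expected effect of the 10-minute token lifetime; the two anomaly labels mark activity that the behavior described above does not account for.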

 


