This article explains the IDs and keys involved in API integrations with Authorize.net.
The API Login ID and Transaction Key are unique to your account. They are used to connect your website or other integrated business application to the Authorize.net Payment Gateway for transaction processing. Please note that they are not valid for logging into the Merchant Interface. The API Login ID is sensitive account information and should only be shared on a need-to-know basis, for example with your Web developer for the purposes of integration with the payment gateway.
The API ID and related Keys can be used on multiple web sites and shopping cart integrations for one account. For developer documentation, please see: Authorize.net Developer Center.
API Login ID
The API Login ID is a complex value that identifies your account to the payment gateway when submitting transaction requests from your website. The API Login ID is at least eight characters in length and includes uppercase and lowercase letters, numbers, and/or symbols.
Transaction Key
The Transaction Key is a 16-character alphanumeric value that is randomly generated in the Merchant Interface and is used as an additional layer of authentication when submitting transaction requests from your website. The Transaction Key is displayed only when it is generated and will not be visible at any other time in the Merchant Interface. You must record it temporarily or copy and paste it to a secure file location immediately. Like the API Login ID, the Transaction Key is sensitive account information and should only be shared on a need-to-know basis, for example with your Web developer for the purposes of integration with the payment gateway.
Signature Key
The Signature Key is a feature that enhances the security of your Server Integration Method (SIM) and Direct Post Method (DPM) integrations. This is achieved by using the HMAC-SHA512 authenticated hash. You must have configured a Signature Key in the Merchant Interface before you can receive Webhooks notifications. The Signature Key is used to create a message hash that is sent with each notification. You can then use this message hash to verify that the notification is genuine. The Merchant Interface will present the Signature Key in a 128-character hexadecimal format. However, developers will need to convert the Signature Key into binary format to use it. Please consult the documentation for your scripting language or development framework for details on how to convert long hexadecimal strings to binary. For more information on using the HMAC-SHA512 authenticated hash, please see Signature Key and Transaction Hash and Transaction Hash Upgrade Guide.
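One way to perform the hex-to-binary conversion and message hash check described above, as an added example that is not Authorize.net's own code. The sample key and message body are constructed, and the optional "sha512=" prefix on the received hash is an assumption about how the hash is delivered.

```python
import hashlib
import hmac

# Constructed sample values for illustration only (not real credentials or a real payload).
SAMPLE_KEY_HEX = "0123456789ABCDEF" * 8  # 128 hexadecimal characters
SAMPLE_BODY = b'{"notification":"constructed sample","id":"1001"}'


def signature_key_to_bytes(key_hex: str) -> bytes:
    """Convert the 128-character hexadecimal Signature Key to its 64-byte binary form."""
    key = bytes.fromhex(key_hex.strip())  # raises ValueError on non-hex input
    if len(key) != 64:
        raise ValueError("Signature Key must be 128 hexadecimal characters")
    return key


def message_hash(key: bytes, body: bytes) -> str:
    """HMAC-SHA512 of the raw message body, returned as uppercase hex."""
    return hmac.new(key, body, hashlib.sha512).hexdigest().upper()


def verify_notification(key_hex: str, body: bytes, received_hash: str) -> bool:
    """Return True only if received_hash is the HMAC-SHA512 of body under the key."""
    value = received_hash.strip()
    # Assumption: the hash may arrive with a "sha512=" prefix; strip it if present.
    if value.lower().startswith("sha512="):
        value = value[len("sha512="):]
    try:
        received = bytes.fromhex(value)
    except ValueError:
        return False  # not hexadecimal, so it cannot be a valid hash
    # Hash the body exactly as received, before any JSON parsing or re-encoding.
    expected = hmac.new(signature_key_to_bytes(key_hex), body, hashlib.sha512).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    good = message_hash(signature_key_to_bytes(SAMPLE_KEY_HEX), SAMPLE_BODY)
    print(verify_notification(SAMPLE_KEY_HEX, SAMPLE_BODY, good))         # genuine
    print(verify_notification(SAMPLE_KEY_HEX, SAMPLE_BODY + b" ", good))  # body altered
    # Using the hex text itself as the key (no binary conversion) gives a different hash.
    unconverted = message_hash(SAMPLE_KEY_HEX.encode("ascii"), SAMPLE_BODY)
    print(verify_notification(SAMPLE_KEY_HEX, SAMPLE_BODY, unconverted))
```

Keep the Signature Key in server-side configuration or a secrets store, and reject any notification for which the check returns False.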
Steps to Generate Your API ID and Transaction/Signature Key
- Sign in to the Merchant Interface.
- Select Account from the main toolbar.
- Under Security Settings, select API Credentials & Keys.
- Based on the need and integration, select New Transaction Key or New Signature Key.
- To disable the old Transaction or Signature Key, check the box labeled Disable Old Transaction/Signature Key Immediately.
- If the Disable Old Transaction/Signature Key check box is not selected, the old Transaction or Signature Key will automatically expire in 24 hours. This will also impact any use of the Signature Key for transaction response validation for the SHA2 field. If the old Transaction/Signature Key is not expired, the previous key will continue to be used for the hash/response validation.
- Select Submit to continue.
- Request and enter PIN for verification.
- Your new Transaction/Signature Key is displayed.
Public Client Key
The Public Client Key is a feature for using and integrating with the Authorize.net Accept products. Before using Accept.js, you must generate a Public Client Key. The Public Client Key is intended for client-side code and is not used for initiating transactions; you may safely store the Public Client Key in a website or smartphone application. For more information, please see the Accept product documentation: Acceptjs/UI.
Steps to Generate Your Public Client Key
- Sign in to the Merchant Interface.
- Select Account from the main toolbar.
- Under Security Settings, select Manage Public Client Key.
- To disable the old Public Key, check the box labeled Disable Old Public Key(s).
- If the Disable Old Public Key(s) check box is not selected, the old Public Key(s) will automatically expire in 24 hours. If the old Public Key(s) are not expired, the previous key will continue to be used for the hash/response validation.
- Select Submit to continue.
- Request and enter PIN for verification.
- Your new Public Client Key is displayed.