Views:
Important Note

This article covers the new Authorize.net experience and OAuth Applications and how to manage them in the new Partner Interface. For information on how to identify what version of Authorize.net you are on, please see the support article: How to identify what version of Authorize.net you are on and switching between them? - Classic and New Experience

 
This article guides Resellers and Technology Partners through understanding and using OAuth with Authorize.net, and how merchants interact with it.

What is OAuth?

OAuth is a secure method that allows the use of credentials from one site to access resources on another site. It is widely adopted by software-as-a-service (SaaS) providers. The implementation of OAuth by Authorize.net enables authorized solutions to submit API calls on an account's behalf. This method does not expose credentials, such as the API Login ID or Transaction Key. Merchants can revoke this authorization at any time, preventing the solution from making further API calls on the account's behalf.

How does it work?

If a solution is enabled for OAuth, the solution will display a button and action to begin the process to request and authorize access and permission.
  • When a user clicks this button, a browser tab opens to the Merchant Interface. If the user is not already logged in, they will be prompted to do so.
  • If the user is an Account Owner or Account Administrator, the Merchant Interface will display the name of the solution and the requested API permissions. Clicking the Allow button registers the solution and grants the requested permissions. From that moment, until permission is revoked, the solution may submit API calls on the account's behalf.
  • Only Account Owners and Account Administrators can approve OAuth requests. If the user is not an Account Owner or Account Administrator at sign-in as part of this process, they will receive an 'Access Denied' error message.
Merchants can view authorized applications in the Merchant Interface to see who has access and the type of access, along with options to revoke and remove access.

How to setup and manage register OAuth Applications?

Before your application can access Authorize.net merchant data or act on the merchant's behalf, it must be registered and authenticated.

Registering your application

To add your application, follow these steps:

  1. Sign in to the Partner Interface.
  2. Click Account in the left navigation.
  3. Click OAuth Applications under Integrations.
  4. Click Create OAuth Application on the right.
  5. Enter the application information:
    1. Application Name - Name of the application for which you are requesting OAuth credentials.
    2. Description - Description of the application.
    3. Redirect - This is the page that the merchant is redirected back to after granting you permissions. This must exactly match the redirect URL that you supplied during registration.
    4. Permission - Select the permissions to give the application for the listed APIs.
      1. Read
      2. Write
  6. Click Save. Your application is registered and the Client ID and Client Secret are shown. Store them securely. You will need them to redirect the merchant.

Editing your application

To edit your application, follow these steps:

  1. Click Account in the left navigation.
  2. Click OAuth Applications under Integrations.
  3. Find your application in the list provided and click the 3 dots and select Edit.
  4. Update any necessary information and click Save.

Integrating your application

For further information on integrating your application for OAuth and performing calls on behalf of merchants please see: OAuth Developer Guide.

Which permissions may a solution request through OAuth?

OAuth permissions are limited by scope, which is specified by the solution. The scope options available are:
  • scope=read — provides read-only access to your data, for use in reporting, analysis, order fulfillment, etc.
  • scope=read,write — provides full access to all API calls, including the creation and update of transactions, subscriptions, and customer profiles, as well as the ability to delete customer profiles.

What happens if a merchant revokes permission for an Authorized Application?

OAuth-enabled solutions use an access token to authenticate API calls, which expires after 10 minutes. If merchants revoke permission for an Authorized Application, any active access tokens will remain valid until they expire. Once the access token expires, the application cannot submit API calls and will receive error E00123, "The provided access token has expired." Therefore, solutions can submit API calls for up to 10 minutes after revocation.

How does it work, from a Reseller and Technology Partner or Developer perspective?

To use OAuth, you'll need:
  • A Reseller or Technology Partner account to generate and obtain your account's API credentials
  • Register and create OAuth Applications and Solution ID.
  • Integrate OAuth into your software and application along with integrating the Solution ID into your application's API calls.

OAuth Flow:

  1. The merchant visits your application, enters form information, and clicks a link or button to continue the process.
  2. Your application redirects the merchant to Authorize.net.
  3. The merchant grants or denies your application the permissions that you will provide when you register your application with Authorize.net.
  4. Authorize.net returns an authorization code, contained in a redirect URL. This redirects the merchant back to your application.
  5. Your application calls Authorize.net and exchanges the authorization code for a token that can be used for authenticating transactions with Authorize.net, as well as a refresh token that can be used for additional calls.