Generating API Credentials and Keys in the New Authorize.net Merchant Interface (2.0)
Overview
This article explains the purpose of the API Login ID, Transaction Key, Signature Key, and Public Client Key in the new Authorize.net Merchant Interface (2.0), and provides step-by-step guidance for generating, viewing, and re-generating these credentials. These values are unique to your account and are used to securely connect your website or integrated business application to your Authorize.net Payment Gateway for transaction processing and reporting.
Important: This article applies only to the new Merchant Interface (2.0) experience. For the classic experience (1.0), please refer to the Classic Experience support article. To determine which version of Authorize.net you are using, refer to the version identification support article listed in the Additional Resources section.
Please note that the API Login ID and Transaction Key are not valid credentials for logging into or accessing the Merchant Interface. They are sensitive account information and should only be shared on a need-to-know basis (for example, with your web developer for payment gateway integration). The API ID and related Keys can be used across multiple websites and shopping cart integrations under one account.
Understanding Your API Credentials and Keys
API Login ID
The API Login ID is a complex value that identifies your account to the payment gateway when submitting transaction requests from your website. It is at least eight characters in length and includes uppercase and lowercase letters, numbers, and/or symbols.
Transaction Key
The Transaction Key is a 16-character alphanumeric value that is randomly generated in the Merchant Interface and used as an additional layer of authentication when submitting transaction requests. The Transaction Key will not be visible at any other time in the Merchant Interface, so you must record it temporarily or copy and paste it to a secure file location immediately. Like the API Login ID, the Transaction Key is sensitive and should only be shared on a need-to-know basis.
Signature Key
The Signature Key enhances the security of your Server Integration Method (SIM) and Direct Post Method (DPM) integrations by using a Hash-based Message Authentication Code with Secure Hash Algorithm 512 (HMAC-SHA512) hash. You must configure a Signature Key in the Merchant Interface before you can receive Webhooks notifications. This key is used to create a message hash that is sent with each notification, allowing you to verify that the notification is genuine. The Merchant Interface presents the Signature Key in a 128-character hexadecimal format; however, developers will need to convert it into binary format to use it. Consult the documentation for your scripting language or development framework for details on converting hexadecimal strings to binary.
Public Client Key
The Public Client Key is required for using and integrating with the Authorize.net Accept products (for example, Accept.js). The Public Client Key is intended for client-side code and is not used for initiating transactions, so it may be safely stored in a website or smartphone application.
Generating Your API Credentials and Keys
- Sign in to the Merchant Interface.
- Confirm you are on or have switched to the New Merchant Interface (2.0).
- Click Account from the left navigation.
- Click Account and API Settings under Account.
- Select API Credentials & Keys under Security Settings.
- Select New Transaction Key, New Signature Key, or Public Client Key based on your need and integration.
- Check the box labeled Disable Old Transaction/Signature Key Immediately to disable the old key right away.
  - If this box is not selected, the old key will automatically expire in 24 hours. This also impacts any use of the Signature Key for transaction response validation for the SHA2 field. Until expiration, the previous key will continue to be used for hash/response validation.
- Click Submit to continue.
- Request and enter the PIN for verification.
- Copy and securely store the new Key when displayed.
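The hexadecimal-to-binary conversion and notification check described under Signature Key, together with the 24-hour overlap in which the previous key is still used for validation, shown as an added Python example (not Authorize.net's own code). The sample keys and message body are constructed, and the function names and the handling of a `sha512=` prefix on the received hash are assumptions.

```python
import hashlib
import hmac

# Constructed sample values; not real credentials or a real notification.
NEW_KEY_HEX = "A1" * 64   # 128 hex characters, as shown in the Merchant Interface
OLD_KEY_HEX = "B2" * 64   # previous key, still inside its 24-hour expiry window
SAMPLE_BODY = b'{"notificationId":"constructed-sample","payload":{"id":"1"}}'


def key_from_hex(key_hex):
    """Convert the 128-character hexadecimal Signature Key to 64 raw bytes."""
    key = bytes.fromhex(key_hex.strip())  # raises ValueError on non-hex input
    if len(key) != 64:
        raise ValueError("Signature Key must decode to exactly 64 bytes")
    return key


def sign(body, key_hex):
    """HMAC-SHA512 over the raw message bytes, returned as uppercase hex."""
    return hmac.new(key_from_hex(key_hex), body, hashlib.sha512).hexdigest().upper()


def verify_notification(body, received, key_hexes):
    """Return True if `received` matches the HMAC under any key in `key_hexes`.

    During a rotation, pass the new key and the previous key so that messages
    hashed with either one validate until the previous key expires.
    """
    value = received.strip()
    # Assumption: the hash may arrive with a "sha512=" prefix; strip it if present.
    if value.lower().startswith("sha512="):
        value = value[len("sha512="):]
    value = value.upper().encode()
    matched = False
    for key_hex in key_hexes:
        expected = sign(body, key_hex).encode()
        # compare_digest is constant-time, so a mismatch leaks no byte position.
        if hmac.compare_digest(expected, value):
            matched = True
    return matched
```

Hash the request body exactly as received, before any JSON parsing or re-serialisation, and drop the previous key from the list once its expiry window has passed.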
Viewing API Credentials and Re-Generating Keys
- Click Account from the left navigation.
- Click Account and API Settings under Account.
- Select API Credentials & Keys under Security Settings.
- Locate your API ID under the API ID section.
- Create a new key:
  - Click Generate new key under the appropriate key that needs to be recreated.
  - Select an expiration option for the current key:
    - Expire in 24 hours
    - Expire now
- Complete user verification using the One Time Passcode (OTP) sent to your email.
- Enter the Passcode and click Continue to verify, or Cancel to cancel the action.
- Copy and securely store the new Key when displayed.
Frequently Asked Questions
- What is the difference between the API Login ID and my Merchant Interface login?
  - The API Login ID identifies your account to the payment gateway for transaction requests submitted from your website. It cannot be used to log into or access the Merchant Interface.
- Can I use the same API ID and Keys across multiple websites or shopping carts?
  - Yes. The API ID and related Keys can be used across multiple websites and shopping cart integrations under a single account.
- Why can I not see my Transaction Key after generating it?
  - The Transaction Key is only visible at the time of generation. You must record it temporarily or copy it to a secure file location immediately, as it will not be displayed again in the Merchant Interface.
- What happens if I do not disable the old Transaction or Signature Key when generating a new one?
  - If you do not select the option to disable the old key immediately, it will automatically expire in 24 hours. During that time, the old key will continue to be used for hash and response validation, including the SHA2 field for transaction response validation.
- Why does my developer need to convert the Signature Key?
  - The Merchant Interface displays the Signature Key in a 128-character hexadecimal format, but developers must convert it to binary format before use. Conversion methods depend on the scripting language or development framework being used.
- Is it safe to store the Public Client Key in my website or app?
  - Yes. The Public Client Key is intended for client-side code and is not used to initiate transactions, so it may be safely stored in a website or smartphone application.
- Who should I share my API Login ID and Transaction Key with?
  - These values are sensitive account information and should only be shared on a need-to-know basis, such as with your web developer for the purpose of payment gateway integration.
- How do I know which version of Authorize.net I am using?
  - Refer to the support article on identifying your Authorize.net version, which also explains how to switch between the Classic (1.0) and New (2.0) experiences.
Glossary
- API – Application Programming Interface
- SIM – Server Integration Method
- DPM – Direct Post Method
- HMAC-SHA512 – Hash-based Message Authentication Code with Secure Hash Algorithm 512
- SHA2 – Secure Hash Algorithm 2
- OTP – One Time Passcode
- PIN – Personal Identification Number
Additional Resources
- What is the purpose of the API Login ID, Transaction Key, Signature Key and Public Key for Authorize.net, and how can I obtain them? – Classic Experience (1.0)
- How to identify what version of Authorize.net you are on and switching between them? – Classic (1.0) and New Experience (2.0)
- Authorize.net Developer Center
- Signature Key and Transaction Hash
- Acceptjs and Accept UI
