Accept.js - clientKey and apiLoginID inside Javascript

Hello

on my website I use code provided by your example:

https://developer.authorize.net/api/reference/features/acceptjs.html

There are also these lines:

authData.clientKey = '6WrfHGS76gHW3v7btBCE3HuuBukej96Ztfn5R32G5ep42vne7MCWZtAucY';
authData.apiLoginID = 'my_api_login_id';

Of course, I'm using my own details.

The question is: is it secure to use clientKey and apiLoginID this way? In other words, everybody can see those values; can they be misused?

Thank you.

zamiksica123 (Contributor)

The client key is considered a public or publishable identifier; it's not actually an authentication credential, so there is no issue with it being embedded in a JavaScript application, mobile app, etc. The payment nonce returned from our Accept.js library is of no value to anyone other than the caller who requested it; it can only be used with a fully authenticated call like createTransaction or createCustomerPaymentProfile, which require your full (secret) API authentication credentials. Hope that makes sense, and thanks for the question.

 

brianmc (Administrator)

OK, as I understand it, it is safe to use clientKey and LoginID inside JavaScript?

Could you please tell me about the TransactionKey? I don't have access to the server's environment variables, so instead of:

$loginId = getenv("API_LOGIN_ID");
$transactionKey = getenv("TRANSACTION_KEY");

I'm using:

$loginId = 'myloginid';
$transactionKey = 'myTransactionKey';

in my transactionCaller.php.

Is that safe? Can I have any problem if I declare the transactionKey inside my PHP file?

Thank you for your help.

Could someone from support answer this question, please?

@zamiksica123 We can confirm that your transaction key must be securely stored if used and should never be made available to unauthorized users on your website.

Richard

Hello

I'm using the TransactionKey inside the "transactionCaller.php" file, as in your example:

https://github.com/AuthorizeNet/accept-sample-app/blob/master/transactionCaller.php

That PHP file is called only by JavaScript:

$.ajax({
    url: "transactionCaller.php",
    data: {amount: document.getElementById('amount').value, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue},
    method: 'POST',
    timeout: 5000
    ...
})

I presume that the TransactionKey cannot be read from the PHP file?

What other option do I have if I don't have access to the server?

Thank you.

 

You're correct, the transactionKey cannot be read inside the PHP file; it's not being served directly out to the browser client, since PHP is a "server-side" web technology.

That being said, we would certainly recommend any level of abstraction/security you have at your disposal, e.g. platform secure variables (an example would be Azure Application secure variables), a separate constants file (preferably encrypted), web stack server variables, etc., as per web application best practices.
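The "separate constants file" option above, and the earlier question of what to do when you cannot set server environment variables, can be combined in a few lines of PHP. The block below is an added example written for this thread; it is not code from the Authorize.net accept-sample-app or from either poster. It assumes a layout where the document root is `public/` and the credentials live in `config/authorizenet.php` one level above it (both paths are assumptions), prefers real environment variables when the host provides them, refuses to load a credentials file that sits inside the document root, and validates the three fields the page's `$.ajax` call posts before they reach the API. The descriptor string `COMMON.ACCEPT.INAPP.PAYMENT` is the value Accept.js returns alongside the nonce.

```php
<?php
// Added example, not code from the Authorize.net accept-sample-app: keep the
// transaction key out of transactionCaller.php by loading it from a PHP file
// that lives OUTSIDE the document root. Paths below are assumptions.
//
// Assumed layout:
//   /var/www/site/public/transactionCaller.php   (document root = .../public)
//   /var/www/site/config/authorizenet.php        (not reachable over HTTP)
//
// Constructed contents of config/authorizenet.php:
//   <?php return ['api_login_id' => 'myloginid', 'transaction_key' => 'myTransactionKey'];

declare(strict_types=1);

/**
 * Return ['loginId' => ..., 'transactionKey' => ...], taken from environment
 * variables when both are set, otherwise from the constants file at $configPath.
 * Fails loudly rather than falling back to a placeholder credential.
 */
function loadAuthorizeNetCredentials(string $configPath): array
{
    $loginId        = getenv('API_LOGIN_ID');
    $transactionKey = getenv('TRANSACTION_KEY');

    if ($loginId === false || $transactionKey === false) {
        $realConfig = realpath($configPath);
        if ($realConfig === false || !is_readable($realConfig)) {
            throw new RuntimeException("Authorize.net config not readable: $configPath");
        }

        // Refuse a config file under the published directory: if PHP execution
        // ever breaks, or a .bak copy appears, such a file would be served raw.
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
        if ($docRoot !== false
            && strncmp($realConfig, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
            throw new RuntimeException('Refusing to load secrets from inside the document root');
        }

        $cfg = require $realConfig;   // the file returns a plain array
        if (!is_array($cfg) || empty($cfg['api_login_id']) || empty($cfg['transaction_key'])) {
            throw new RuntimeException('Authorize.net config is incomplete');
        }
        $loginId        = (string) $cfg['api_login_id'];
        $transactionKey = (string) $cfg['transaction_key'];
    }

    return ['loginId' => $loginId, 'transactionKey' => $transactionKey];
}

/**
 * Validate what the browser POSTs before it reaches the API call. The amount
 * is whatever the page sent, so it is checked for shape here; a real shop
 * should look the amount up from the order on the server instead of trusting it.
 */
function validatePaymentPost(array $post): array
{
    $amount = $post['amount'] ?? '';
    if (!is_string($amount) || !preg_match('/^\d{1,7}(\.\d{1,2})?$/', $amount) || (float) $amount <= 0) {
        throw new InvalidArgumentException('Invalid amount');
    }
    // Accept.js returns this descriptor together with the one-time nonce.
    if (($post['dataDesc'] ?? '') !== 'COMMON.ACCEPT.INAPP.PAYMENT') {
        throw new InvalidArgumentException('Unexpected data descriptor');
    }
    $dataValue = $post['dataValue'] ?? '';
    if (!is_string($dataValue) || $dataValue === '' || strlen($dataValue) > 4096) {
        throw new InvalidArgumentException('Missing payment nonce');
    }
    return ['amount' => $amount, 'dataDescriptor' => 'COMMON.ACCEPT.INAPP.PAYMENT', 'dataValue' => $dataValue];
}

// Usage inside transactionCaller.php (replaces the two hard-coded lines):
try {
    $creds   = loadAuthorizeNetCredentials(__DIR__ . '/../config/authorizenet.php');
    $payment = validatePaymentPost($_POST);
    $loginId        = $creds['loginId'];
    $transactionKey = $creds['transactionKey'];
    // ... continue as the sample app does: MerchantAuthenticationType with
    //     $loginId/$transactionKey, OpaqueDataType with the validated nonce.
} catch (Throwable $e) {
    http_response_code(400);
    error_log('payment request rejected: ' . $e->getMessage()); // log it, never echo the key
    exit;
}
```

Two practical notes. First, the admin's answer holds only while the server actually executes the file: a misconfigured handler, or an editor backup such as `transactionCaller.php.bak`, makes the web server hand out the source as text, which is exactly why the secret belongs in a file the server cannot reach at all, owned by the deploy user and readable only by the PHP process (for example mode 0640). Second, the page's own `$.ajax` call sends `amount` from a form field, so whatever the browser posts is what the server would charge; the validation above only checks its shape, and a production integration should derive the amount from the server-side order rather than from the request.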