Integration and Testing

Authorize.Net API questions and help with your payment integration.

Contributor
Posts: 27
Registered: ‎08-19-2016

Accept.js - clientKey and apiLoginID inside Javascript

Hello

On my website I use code provided by your example:

https://developer.authorize.net/api/reference/features/acceptjs.html

There are also these lines:

authData.clientKey = '6WrfHGS76gHW3v7btBCE3HuuBukej96Ztfn5R32G5ep42vne7MCWZtAucY';
authData.apiLoginID = 'my_api_login_id';

Of course, I'm using my details.

The question is: is it secure to use clientKey and apiLoginID in that way? In other words, everybody can see those values. Can they be misused?

Thank you.

Administrator
Posts: 149
Registered: ‎03-28-2014

Re: Accept.js - clientKey and apiLoginID inside Javascript

The client key is considered a public or publishable identifier; it's not actually an authentication credential, so there is no issue with it being embedded in a JavaScript application, mobile app, etc. The payment nonce returned from our Accept.js library is of no value to anyone other than the caller who requested it; it can only be used with a fully authenticated call like createTransaction or createCustomerPaymentProfile, which require your full (secret) API authentication credentials. Hope that makes sense and thanks for the question.

Contributor
Posts: 27
Registered: ‎08-19-2016

Re: Accept.js - clientKey and apiLoginID inside Javascript

OK, as I understand, it is safe to use clientKey and LoginID inside JavaScript?

Could you please tell me about the TransactionKey? I do not have access to server environment variables, so instead of:

$loginId = getenv("API_LOGIN_ID");
$transactionKey = getenv("TRANSACTION_KEY");

I'm using:

$loginId = 'myloginid';
$transactionKey = 'myTransactionKey';

in my transactionCaller.php

Is that safe? Can I have any problem if I declare transactionKey inside my PHP file?

Thank you for help.

Contributor
Posts: 27
Registered: ‎08-19-2016

Re: Accept.js - clientKey and apiLoginID inside Javascript

Could someone from support answer this question, please?

Posts: 2,765
Topics: 57
Kudos: 270
Blog Posts: 67
Registered: ‎12-05-2011

Re: Accept.js - clientKey and apiLoginID inside Javascript

@zamiksica123 We can confirm that your transaction key must be securely stored if used and should never be made available to unauthorized users on your website.

Richard

Contributor
Posts: 27
Registered: ‎08-19-2016

Re: Accept.js - clientKey and apiLoginID inside Javascript

Hello

I'm using TransactionKey inside "transactionCaller.php" file, like in your example:

https://github.com/AuthorizeNet/accept-sample-app/blob/master/transactionCaller.php

That PHP file is called only by JavaScript:

	$.ajax({
		url: "transactionCaller.php",
		data: {amount: document.getElementById('amount').value, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue},
		method: 'POST',
		timeout: 5000
		...
	})

I presume that TransactionKey can not be read from PHP file?

What other option do I have if I do not have access to the server?

Thank you.

Administrator
Posts: 149
Registered: ‎03-28-2014

Re: Accept.js - clientKey and apiLoginID inside Javascript

You're correct, the transactionKey cannot be read inside the PHP file; it's not being served directly out to the browser client. PHP is a "server-side" web technology.

That being said, we would certainly recommend any level of abstraction/security you have at your disposal, e.g. platform secure variables (an example would be Azure Application secure variables), a separate constants file (preferably encrypted), web stack server variables, etc., as per web application best practices.
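
One way to apply the "separate constants file" advice from the last reply when environment variables are not available, as an added example that is not part of the thread or of Authorize.Net's sample app. The function name load_anet_credentials, the file name anet-credentials.php and its array keys are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical names: load_anet_credentials(), anet-credentials.php,
// and the array keys 'loginId' / 'transactionKey'.
//
// Constructed sample of the constants file, stored OUTSIDE the web root:
//   <?php return ['loginId' => 'myloginid', 'transactionKey' => 'myTransactionKey'];

function load_anet_credentials(string $configPath, string $docRoot): array
{
    // 1. Prefer environment variables, as the sample transactionCaller.php does.
    $loginId = getenv('API_LOGIN_ID');
    $transactionKey = getenv('TRANSACTION_KEY');
    if (is_string($loginId) && $loginId !== '' && is_string($transactionKey) && $transactionKey !== '') {
        return ['loginId' => $loginId, 'transactionKey' => $transactionKey];
    }

    // 2. Fall back to a separate constants file.
    $realConfig = realpath($configPath);
    if ($realConfig === false || !is_readable($realConfig)) {
        throw new RuntimeException('Credentials file not found or not readable');
    }

    // Refuse a file under the document root: if PHP handling ever breaks,
    // the web server could return its source, and the key, as plain text.
    $realRoot = realpath($docRoot);
    if ($realRoot !== false
        && strpos($realConfig, rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Credentials file must live outside the web root');
    }

    // On POSIX hosts, log a warning if every local account can read the file.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($realConfig) & 0004)) {
        error_log('Warning: ' . $realConfig . ' is world-readable');
    }

    $config = require $realConfig;
    if (!is_array($config) || empty($config['loginId']) || empty($config['transactionKey'])) {
        throw new RuntimeException('Credentials file is missing loginId or transactionKey');
    }
    return ['loginId' => $config['loginId'], 'transactionKey' => $config['transactionKey']];
}

// In transactionCaller.php (the directory layout is an assumption):
//   $creds = load_anet_credentials(dirname(__DIR__) . '/private/anet-credentials.php',
//                                  $_SERVER['DOCUMENT_ROOT']);
//   $loginId = $creds['loginId'];
//   $transactionKey = $creds['transactionKey'];
```

Keeping the constants file out of version control as well means the transaction key is never published along with the application code.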