Posts: 2
Registered: ‎09-12-2015

Authorize.Net Accept Hosted Notification Whitelist

We are looking to register for Webhooks to receive real-time notifications when Authorize.Net Accept Hosted transactions are either declined or approved.

We would like to block all IP addresses except those that will originate the notifiations.

Is there a list of such IP's?


Posts: 416
Topics: 0
Kudos: 85
Blog Posts: 0
Ideas: 0
Solutions: 32
Registered: ‎04-28-2017

Re: Authorize.Net Accept Hosted Notification Whitelist

When's server constructs an HTTP POST to the endpoint URL specified in the Webhook enrollment, a hash is included in the header. Your application can use the hash to verify the data integrity and authentication of the post message.


The body of the message is hashed with your signature key using HMAC SHA-512. The signature key can be obtained in the Authorize.Net Merchant Interface, at Account > Settings > Security Settings > General Security Settings > API Credentials and Keys.


The hash is sent in a custom header: X-ANET-Signature. Using the signature key, the body can be hashed again using the same algorithm. The calculated hash should match the hash sent in the header. If the hashes do not match, it could be an indication of a threat, and the Webhook message should be rejected.

Powered by -
Certified developers
Posts: 2
Registered: ‎09-12-2015

Re: Authorize.Net Accept Hosted Notification Whitelist

Thanks.  We do plan to use this hash matching technique to validate the authenticity of the HTTP post.


As an additional layer of protection, is there any way to whitelist known IP's from which the HTTP post would originate?



All Star
Posts: 699
Registered: ‎11-03-2016

Re: Authorize.Net Accept Hosted Notification Whitelist

Hi @mmoandev,


You can certainly do that, but I wouldn't recommend it. We can add additional IPs at any time, and you run the risk of blocking valid notifications.


That said, the current list is