SIM x_receipt_url, x_relay_url and Silent Post URL

The relay URL is passed the order data along with the order status, so you would update your database there before forwarding the person to your receipt page. Silent Post is not needed except with ARB.

Here is my result against Authorize.Net test server.

If I set x_relay_url only, I got the following error after the payment complete.

An error occurred while trying to report this transaction to the merchant. An e-mail has been sent to the merchant informing them of the error. The following is the result of the attempt to charge your credit card.
      This transaction has been approved.
It is advisable for you to contact the merchant to verify that you will receive the product or service.

However, the relay URL was successfully called and was able to process the POST fields.

If I set Silent Post URL only, it worked exactly the same as x_relay_url, except that no error was displayed. Great !

Both cases showed that the transaction can be successfully recorded on my server after the payment complete, without having to click "Go back" button for x_receipt_url to process.

I wonder why x_relay_url case displayed error.

But at least I can use Silent Post URL to server the purpose. Next, I'll need to verify if it can receive other transaction notification, such as Refund.

That error generally means it couldn't contact the relay response URL. Did you configure the URL in your control panel? Is the relay response page available when you post to it yourself?

http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Relay-Response-Basics-a...

Really shouldn't be using silent post with SIM if you can avoid it.

Thank you TJPride for you prompt reply.

I opened an eTicket on this issue. According to their reply, Silent Post URL is what I need, and my test confirmed that. When I click "Void" to refund the payment from merchant account, the silent_post_url received the notification about this transaction (so the member status can be updated immediately on my site).

However, the same verification mechanism against x_MD5_hash (see below) only works for Payment Complete, not for Void. I'm waiting for their explanation.

...
$hash=strtoupper(md5('my_hash_value'.$ANET_LOGIN_ID.$trans_id.$amount)); // according the doc
if ($hash==$_POST['x_MD5_hash'])
{
   // ... success on Payment Complete
}
else
{
   // ... failure on Void
}

Well sure, you don't void things through SIM, you'd use AIM for that. SIM is only for allowing your users to create transactions. And anything run through your control panel wouldn't show up through relay response, just through silent post.

From the documentation:

VOID

This transaction type is used to cancel an existing transaction that has a status of Authorized/Pending Capture or Captured/Pending Settlement. Settled transactions cannot be voided (issue a Credit to reverse such charges). The SIM API does not support Void transactions.

You can manually void transactions from the Unsettled Transactions screen of the Merchant Interface. From there, you can use the Group Void filter toward the top of your screen to void multipletransactions at once, or click on the individual Transaction ID of the transaction you would like to void; the next screen will provide a Void button.

If this transaction type is required, it is recommended that the merchant process the transactions by logging on to the Merchant Interface directly, or by using a desktop application that uses AIM.

The following link solved my problem. For x_type "void" or "credit", authorize.net uses user login ID (not API LOGIN ID) to construct x_MD5_Hash. Now my Silent Post URL works great.

http://community.developer.authorize.net/t5/Integration-and-Testing/MD5-hash-different-on-virtual-te...

Only voids and credits from the terminal, not from the API.

That makes no sense, though. The API is not supposed to require putting in any part of your account login, you'd think that even transactions you put in via the terminal would have a hash generated from the API login so that you aren't forced to have the account user inside your hosting to verify the MD5 hash. This is a minor security breach.

Whatever works, I suppose, but this really needs to be changed.

I'm using SIM. So "void" and "credit" are issued directly from merchant account, not from API, the silent URL receives the notification. This could be reason they use account login ID instead of API LOGIN ID to construct hash.

AIM will be my next test.