Search

OUR API

API Documentation API Reference Sample Code [on GitHub]
SDKs [on GitHub] API Change Log System Change Log
Upgrade Guide

Hello World

Get Started Common Setup Questions Testing Guide
How Payments Work

Support

Get Support News and Announcements Forums
Authorize.Net on GitHub Authorize.Net on Stack Overflow Developer Blog
Response (Error) Codes FAQs Contact Us

Sign In

Sandbox Affiliate

Search Developer Site

Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
jlhutto
Member
jlhutto
Posts: 6
Registered: ‎02-04-2019

accept hosted form button... with YOUR API LOGIN ID

‎02-08-2019 09:28 AM

I'm currently testing and integrating accept.js 

I'm using the form button in the api for integration of the hosted form (below)

But I'm concerned that it exposes my api login and public key?

When I did a source screen it shows my information.   Can't anyone then use it to process a credit card with my credentials ?   

 

data-apiLoginID="YOUR API LOGIN ID" 
data-clientKey="YOUR PUBLIC CLIENT KEY"

 

 

 

<form id="paymentForm"
method="POST"
action="https://YourServer/PathToExistingPaymentProcessingScript">
<input type="hidden" name="dataValue" id="dataValue" />
<input type="hidden" name="dataDescriptor" id="dataDescriptor" />
<button type="button"
class="AcceptUI"
data-billingAddressOptions='{"show":true, "required":false}'
data-apiLoginID="YOUR API LOGIN ID"
data-clientKey="YOUR PUBLIC CLIENT KEY"
data-acceptUIFormBtnTxt="Submit"
data-acceptUIFormHeaderTxt="Card Information"
data-responseHandler="responseHandler">Pay
</button>
</form>

 

Message 1 of 3 (20,428 Views)
Reply
0 Kudos
Trusted Contributor
Renaissance
Posts: 364
Registered: ‎11-05-2018

Re: accept hosted form button... with YOUR API LOGIN ID

‎02-08-2019 07:27 PM

That is something else. I’m not the best person to answer this I think, but without knowing any simpler way, I would be tempted to do some sort of encrypt/decrypt function or at least a base64 encode or decode, or something. Your payment script is presumably not visible in the browser, so you could have it decrypt your credentials from the post data.

But I am being far too complicated. There has to be an easier way to fix this. I’m going to stay tuned to this one out of mere curiosity. I’ve never done a js integration but this is a good heads up for when I do.
Message 2 of 3 (20,358 Views)
Reply
0 Kudos
RichardH
Posts: 2,724
Topics: 57
Kudos: 237
Blog Posts: 67
Registered: ‎12-05-2011

Re: accept hosted form button... with YOUR API LOGIN ID

‎02-08-2019 07:39 PM

Hello @jlhutto

 

Your API Login is not sensitive information and is used with the public key to encrypt the payment information and return a payment nonce. 

 

You then submit the nonce to the gateway securely from your server using your API Login and Transaction Key or with OAuth. 

 

Richard

Build modern websites and mobile applications without increasing PCI burden using Authorize.Net Accept


Still using SIM, DPM or AIM? Please check our upgrade guide for details on migrating to our full Authorize.Net API.
Message 3 of 3 (20,345 Views)
Reply