cancel
Showing results for 
Search instead for 
Did you mean: 

no data in x_SHA2_Hash when using Silent Post

I've created a Signature Key but there is no data in x_SHA2_Hash when using Silent Post.

 

What is required to get the x_SHA2_Hash field to be populated?

desiminr61
Member
57 REPLIES 57

@Renaissance  and @kabutotx.

 

Thanks for all your help. 

 

I think my issue is somewhat solved. I decided to generate hash (for both fingerprint and verification) using my old signature key (one I generated yesterday) and it worked (I got hash to match on Silent Post). Then I tried to generate hash using my new key (one I generated this morning). Only fingerprint part worked and no match on Silent Post. It must be that Auth takes some period of time (24-36 hours perhaps) to completely propogate signature key changes.

 

We have some old ARB transactions which was created by Old API method. I see x_SHA2_Hash is empty when we receive Silent Post data. We have created the Signature Key in our account but still empty.

 

Can any one help, why this is empty and how to fix it?

shafiqhossain
Member

@shafiqhossain 

 

I think ARB uses webhooks. I know that is the preferred method but I think it may be possible that they are entirely on webhooks now, with no silent post. Not sure but you could look through the reference here.  It is quite easy to set up webhooks and that is the solution they are promoting and supporting here. It may be worth considering implementing those if this gives you much more challenges.  At some point all of the old API stuff will be gone.

I'm experiencing the same issue as @shafiqhossain regarding my ARB/silent posts sha512 hash being an empty string. I have a signature key generated and am not receiving any hash for verifications (only MD5).

 

Last weekend, I set up webhooks, but they don't appear to get generated for non-fraud payment declines (which is a necessary part of my system's workflow):

https://community.developer.authorize.net/t5/Integration-and-Testing/Webhooks-ARB-Declines/td-p/6105...

 

Is there anything else I should try?

Just curious as I have a client for whom I will be doing some ARB integration work, you are looking to get when a payment is declined at any time in the subscription? The ARB are initiated through the interface or API calls, correct? And not through a hosted payment form?

Yes, the subscription is created via an API call.

 

Once it's set up, a "silent post" webhook is sent to your own API whenever a payment attempt or signup occurs and succeeds or fails (unless the failure is due to a credit card expiration, in which case no silent post is sent).

 

I *think* they changed it so that it will retry on failed charges if you enable that feature, but my integration is from well before that, so I use the failed charge notifications to handle subscription downgrades, email notifications, etc.

 

AFAIK, they only send webhooks when a payment is declined due to fraud.

Yeah that’s a fix you’re in. I can think of two solutions. One is to design some kind of transaction reporting API call that pulls who paid for their subscription. You could run it once a month. You could build some logic in your script to downgrade those who should have paid but do not appear on the list.

That would be painful, and if I were in your shoes I would change the way the response is validated with the silent post. I would alter the validation piece of your script to validate based on the reason response code, response code, or some other single returned value or combination of returned values. So you could have if($_POST[‘x_response_code’] ==1){do this} for instance. It is much less secure than the sha512 or even md5, but is better than nothing. If some malicious user was sending data to your endpoint they would then at least have to guess what parameter(s) you were expecting. If you had some not often used parameter that you could pass in your API call that is returned in the response, that would beef up your security that much more.

I meet the same issue as @gh and @shafiqhossain in my silent post data from ARB transactions.

I also use API (ARBCreateSubscriptionRequest) to create the ARB subscriptions, and I'm sure my signature key is set up ready and already test it via calling AIM transaction, no problem to get SHA2 hash.

And in the silent post data, there is empty x_SHA2_Hash and empty x_MD5_Hash in ARB transaction. I guess the empty x_MD5_Hash is correct now, but I don't know why the x_SHA2_Hash is also empty. The silent post data from AIM transaction is no problem, there is x_SHA2_Hash value. (although I still cannot verify the hash correctly)

 

Could someone help to check it? If it is a bug for silent post?

 

I know the alternative way is using webhooks, but the useful data from webhooks are too few, only transaction id can be used. We need to call getTransactionDetailsRequest API to get details transaction data. It will take time to do it. (server handshake, internet transmission, etc.). 

You can find the data from silent post are enough, we can use them to do what we want, email from x_email, invoice from x_invoice_num, pay number from x_subscription_paynum, subscription id from x_subscription_id.

 

P.S. My testing environment is in sandbox.