Before your application can access Authorize.net merchant data or act on the merchant's behalf, it must be authenticated. To make this process as easy as possible, Authorize.net provides the industry-standard OAuth 2.0 protocol for granting access.
The following diagram illustrates the process of receiving merchant permission, retrieving an authorization code, redirecting the merchant, and retrieving an access token.
Before you can use OAuth credentials to connect to Authorize.net on behalf of your merchant, you must register your application with us. You can register your application in the Authorize.net Partner Interface. There are separate URLs for production and sandbox. For sandbox credentials, contact developer_feedback@authorize.net.
Enter the following information:
| Text Field | Information |
|---|---|
Application Name | Name of the application for which you are requesting OAuth credentials. |
Description | Description of the application. |
Redirect URL | This is the page that the merchant is redirected back to after granting you permissions. This must exactly match the redirect URL that you supplied during registration. |
Scope | Select the permissions to give the application for the listed APIs, or for all listed APIs. |
Click
You can view your application in the Integrations page. Note that a Solution ID in shown in the right column of the Applications list. That Solution ID is now linked to your Client ID and will be audited automatically.
When the merchant arrives at your site, you must redirect them to Authorize.net so that they can log in with their credentials and authorize your application to perform certain actions on their behalf. Add a link to your site that contains the redirect URL that you supplied to Authorize.net during registration, encoded with the following parameters as a query string:
| Parameter Name | Required | Notes |
|---|---|---|
| Yes | This is the client ID appointed to your application by Authorize.net during registration. |
| Yes | This is the page that the merchant is redirected back to after granting you permissions. This must exactly match the redirect URL that you supplied during registration. |
| Yes | Specifies the level of access that the application is requesting.
|
| No | This value is echoed back in the response to protect against malicious interception, for example a CSRF attack. |
| No | The value must be oauth. |
https://account.authorize.net/oauth/authorize?
When the user initiates the redirect, the merchant is redirected to Authorize.net, and if they are not already logged in, they will be prompted to do so. If the merchant's credentials are expired, they will be prompted to reset it, after which they must click the redirect link again. The interface page opens, stating the partner's name along with the permissions requested. The merchant is prompted to either Allow or Deny the request for permissions.
Merchants giving permissions to your application must log into their Merchant Interface as an Account Owner or Account Administrator. They must also generate an API Login ID and Transaction Key, if they haven't already.
When the merchant clicks redirect_uri parameter. Attached to the redirect_uri will be two important URL arguments that you need to read from the request:
| Response Parameter Name | Required | Notes |
|---|---|---|
| Yes | The code is the value that you will exchange with Authorize.net for an access token in the next step of the authentication process. For security reasons, the authorization code has a ten minute lifespan and must be used before it expires; otherwise you must repeat all of the previous steps to request another. |
| Yes | A value used to test for possible CSRF attacks. This value is echoed back to you in the response from Authorize.net. If the state values do not match, you could be the victim of a CSRF attack and you should throw an HTTP 401 error code in response. |
| Error Code | Description |
|---|---|
| The requested scope is invalid, unknown, or malformed. |
| The requested client_id is invalid, unknown, or malformed. |
| The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
| The client is not authorized to request an authorization code using this method. |
| The requested redirectUri is invalid, unknown, or malformed. |
| The requested client_id is not found in the system. |
| The requested client_id is registered with invalid client type (only confidential clients are supported). |
Use the authorization code that you obtained in step 2 to retrieve an access token, which expires after one hour, and a refresh token, which expires after one year, from our /token REST endpoint.
Below is an example of a token request. While a header is not required, we recommend including the header v-c-client-correlation-id with a unique value, for every request to /token.
| Parameter Name | Values | Description |
|---|---|---|
| authorization_code | Required. This determines what type of flow the Authorization Server will use to acquire user authorization. |
| The authorization code received from the authorization server. | Required. The value passed in this parameter must exactly match the value supplied by the OAuth server during the authorization step. |
| The client ID obtained during client registration. | Required. Indicates the client that is making the request. |
| The client secret value obtained during client registration. | Required. Provides additional security. |
| Error Code | Description |
|---|---|
| The resource owner or authorization server denied the request. |
| The authorization server encountered an unexpected condition that prevented it from fulfilling the request. This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client by an HTTP redirect. |
Use the access token to authenticate transactions. For requests to the Authorize.net API, the access token is included in the merchantAuthentication block as shown in the following example:
In requests to the REST API, the access token is sent in an HTTP Authorization header with the Bearer type, as shown in the following example:
Authorization: Bearer eyJraWQiOiIyNmRjfjVkZTdlMmYwYTI0ODg0MjU1YjIwZWJjMGY0MSIsImFs
The following error is returned when the access token is invalid.
For more information about specific error responses when using the Authorize.net API, see our Response Code Tool.
To refresh the token, send a POST to the /token endpoint that contains the following parameters:
| Parameter | Values | Description |
|---|---|---|
| The client ID obtained during client registration. | Required. Indicates the client that is making the request. |
| The client secret value obtained during client registration. | Required. Provides additional security. |
| refresh_token | Required. This determines what type of token is created. |
| The value of the refresh token. | Required. The value passed in this parameter must exactly match the refresh token value provided during the creation of the access token. |
Below is an example of a token refresh request. While a header is not required, we recommend including the header v-c-client-correlation-id with a unique value, for every request to /token.
| HTTP Status Code | Error | Error Description | Notes |
|---|---|---|---|
400 | invalid_request | The request is missing a required parameter. | Remove device_id. |
400 | invalid_client | Invalid client . | Returned if the client ID does not exist in our database. |
400 | expired_client | Client status is expired. | Client status is set to expired in the database. |
400 | invalid_grant | Unauthorized grant type. | Returned if the client requests a grant type that is not supported by this client. |
400 | invalid_grant | Login failure. | Either the username or merchant is not valid, the account is disabled or locked, or the password is invalid or has expired. |
500 | server_error | Unable to create token. | Generic server error. |
If the merchant revokes a solution's permissions in the Authorize.net Merchant Interface, they will also revoke the refresh token immediately. Any previously issued access token will be valid till they expire. No new access token can be generated.
The OAuth boarding flows enable you to board a merchant and then do OAuth delegation for the newly boarded merchant during the same flow.
Two boarding flows are supported:
By default, two pricing options are shown:
To show only one pricing option, add a profileTypeID parameter to the URL and use a value of 1 to show pricing for payment gateway 2 to show pricing for
https://account.authorize.net/signUpNow?
&
account.authorize.net with sandbox.authorize.net.
After the merchant accepts the pricing option, they are redirected to the OAuth page. Whether they accept or reject the OAuth delegation options, they are then redirected back to the partner site.
The following sample URL shows how to redirect the customer to the MINT login page.
https://account.authorize.net/oauth/authorize?
&
&
account.authorize.net with sandbox.authorize.net.
When the merchant clicks "Sign up now" they are shown pricing flows that depend on how you submitted profileTypeId. Add a profileTypeID parameter to the URL and use a value of 1 to show pricing for payment gateway 2 to show pricing for
After the merchant accepts the pricing option, they are redirected to the OAuth page. Whether they accept or reject the OAuth delegation options, they are then redirected back to the partner site.
When a merchant account is first created, it is set to Test mode by default. Before live transactions can be processed, the account must be set to live mode. You can do this by submitting updateMerchantDetailsRequest with isTestMode as shown below. Please note that while this call can usually be processed within moments of an account being created, certain circumstances may cause up to a 15 minute delay before it can be attempted.
isTestMode Request