Note: This guide documents how to use the transaction hash with the Authorize.Net API. Users of the legacy AIM connection method should refer to the AIM Guide, pages 57-59, for instructions. Users of the legacy SIM and DPM connection methods should refer to the SIM Guide, pages 73-75.
Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-512 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.
When you receive a transaction response from Authorize.Net, it includes the transHashSHA2 element. transHashSHA2 contains the HMAC-SHA512 hash that Authorize.Net generated for the transaction. To use it, construct a HMAC-SHA512 hash and compare your hash result with transHashSHA2. If the two values match, the transaction response came from Authorize.Net.
Note: The value of transHashSHA2 will be null if you do not generate the Signature Key first.
Note: All Authorize.Net values, including the Signature Key and the transHashSHA2 element, use ISO 8859-1 characters. Using Unicode instead of ISO 8859-1 may cause hash mismatches.
To use the Signature Key to validate the value of transHashSHA2:
For C# users, Authorize.Net provides the following code for converting the Signature Key into a byte array and calculating the HMAC-SHA512 hash.
public string HMACSHA512(string key, string textToHash)