Official PHP SDK for Authorize.Net

1.9.3 2017-04-25 05:57 UTC




Proprietary, see the provided


  • PHP 5.6+
  • cURL PHP Extension
  • JSON PHP Extension
  • SimpleXML PHP Extension
  • An Authorize.Net Merchant account or Sandbox account (You can get a free sandbox account at
  • TLS 1.2 capable versions of libcurl and OpenSSL (or its equivalent)

TLS 1.2

The Authorize.Net APIs only support connections using the TLS 1.2 security protocol. This PHP SDK communicates with the Authorize.Net API using libcurl and OpenSSL (or equivalent crypto library). It's important to make sure you have new enough versions of these components to support TLS 1.2. Additionally, it's very important to keep these components up to date going forward to mitigate the risk of any security flaws that may be discovered in these libraries.

To test whether your current installation is capable of communicating to our servers using TLS 1.2, run the following PHP code and examine the output for the TLS version:

    $ch = curl_init('');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    $data = curl_exec($ch);

If curl is unable to connect to our URL (as given in the previous sample), it's likely that your system is not able to connect using TLS 1.2, or does not have a supported cipher installed. To verify what TLS version your connection does support, run the following PHP code:

    $ch = curl_init('');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);

    $json = json_decode($data);
    echo "Connection uses " . $json->tls_version . "\n";


We recommend using Composer (note we never recommend you override the new secure-http default setting). Don't forget to require its autoloader in your script or bootstrap file:

    require 'vendor/autoload.php';

Update your composer.json file as per the example below and then run composer update.

    {
      "require": {
        "php": ">=5.6",
        "ext-curl": "*",
        "authorizenet/authorizenet": "~1.9"
      }
    }

Alternatively, we provide a custom SPL autoloader for you to reference from within your PHP file:

    require 'path/to/anet_php_sdk/autoload.php';

This autoloader still requires the vendor directory and all of its dependencies to exist. However, this is a possible solution for cases where composer can't be run on a given system. You can run composer locally or on another system to build the directory, then copy the vendor directory to the desired system.


To authenticate with the Authorize.Net API you will need to retrieve your API Login ID and Transaction Key from the Merchant Interface. You can find these details in the Settings section. If you don't currently have a production Authorize.Net account and need a sandbox account for testing, you can easily sign up for one here.

Once you have your keys simply load them into the appropriate variables in your code, as per the below sample code dealing with the authentication part of the flow.


    use net\authorize\api\contract\v1 as AnetAPI;

    $merchantAuthentication = new AnetAPI\MerchantAuthenticationType();

    $request = new AnetAPI\CreateTransactionRequest();


You should never include your Login ID and Transaction Key directly in a PHP file that's in a publicly accessible portion of your website. A better practice would be to define these in a constants file, and then reference those constants in the appropriate place in your code.
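One way to follow this advice, shown as an added example that is not part of the SDK or its original README. The file path, the constant names ANET_LOGIN_ID and ANET_TRANSACTION_KEY, and the helper loadMerchantAuthentication() are assumptions; the permission check assumes a POSIX file system.

```php
<?php
// Added illustration, not SDK code. Path, constant names and helper are hypothetical.
require 'vendor/autoload.php';

use net\authorize\api\contract\v1 as AnetAPI;

/**
 * Build the merchant authentication object from a constants file, refusing a
 * file the web server could serve or that any local user can read.
 */
function loadMerchantAuthentication($constantsFile, $documentRoot)
{
    $file = realpath($constantsFile);   // resolves symlinks and ".." segments
    $root = realpath($documentRoot);
    if ($file === false) {
        throw new RuntimeException('Constants file not found');
    }
    // A file under the document root can be exposed by a misconfigured handler.
    if ($root !== false && strpos($file, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Constants file is inside the document root');
    }
    // Reject world-accessible permission bits (POSIX only).
    if ((fileperms($file) & 0007) !== 0) {
        throw new RuntimeException('Constants file is world-accessible');
    }
    require_once $file;                 // expected to define() both constants
    if (!defined('ANET_LOGIN_ID') || !defined('ANET_TRANSACTION_KEY')) {
        throw new RuntimeException('Credential constants are not defined');
    }

    $auth = new AnetAPI\MerchantAuthenticationType();
    $auth->setName(ANET_LOGIN_ID);
    $auth->setTransactionKey(ANET_TRANSACTION_KEY);
    return $auth;
}

$merchantAuthentication = loadMerchantAuthentication(
    '/etc/myshop/anet_constants.php',   // hypothetical location outside the web root
    $_SERVER['DOCUMENT_ROOT']
);
$request = new AnetAPI\CreateTransactionRequest();
$request->setMerchantAuthentication($merchantAuthentication);
```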

SDK Usage Examples and Sample Code

Apart from this README, we have comprehensive sample code for all common uses of our API:

Additionally, you can find details and examples of using the SDK in our API Reference Guide:

Setting Production Environment

To change from the sandbox environment to the production environment, replace the environment constant in the execute method. For example, in the method above:

    $response = $controller->executeWithApiResponse(\net\authorize\api\constants\ANetEnvironment::PRODUCTION);


The SDK generates a log in which sensitive data, such as credit card numbers and expiration dates, is masked. The provided logging levels are debug, info, warn and error. To use the logger, add use \net\authorize\util\LogFactory; and initialize it with $logger = LogFactory::getLog(get_class($this)); The default log file, phplog, is generated in the current folder. Subsequent logs are appended to the same file unless the execution folder is changed, in which case a new log file is generated.

Usage Examples

  • Logging a string message: $logger->debug("Sending 'XML' Request type");
  • Logging XML strings: $logger->debug($xmlRequest);
  • Logging using formatting: $logger->debugFormat("Integer: %d, Float: %f, Xml-Request: %s\n", array(100, 1.29, $xmlRequest));

Customizing Sensitive Tags

A local copy of AuthorizedNetSensitiveTagsConfig.json is generated when code invoking the logger is first executed. The developer can later edit this local file to reconfigure what is masked and what is visible. (Do not edit the JSON in the SDK.)

  • For each element of the sensitiveTags array:
    • The tagName field is the name of the object property or XML tag that should be hidden entirely (XXXX is shown if no replacement is specified) or masked (e.g. showing the last 4 digits of a credit card number).
    • pattern and replacement (see Note) can be left as "" if the default (as defined in Log.php) is to be used. pattern gives the regex to identify the value, while replacement defines the visible part.
    • disableMask can be set to true to allow the log to fully display that property of an object, or that tag in an XML string.
  • sensitiveStringRegexes (see Note) holds a list of credit card regexes, so a credit card number that is not already masked gets masked entirely.
  • Take care with non-ASCII characters (refer to the manual) when defining a regex, e.g. use "pattern": "(\\p{N}+)(\\p{N}{4})" instead of "pattern": "(\\d+)(\\d{4})". Also note that the \\ escape sequence is used.

Note: For any regex, no starting or ending '/' or any other delimiter should be defined. The '/' delimiter and the unicode flag are added in the code.
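The tagName, pattern, replacement and disableMask mechanics described above, as an added PHP illustration that is not the SDK's Log.php. The function maskTag(), the replacement value xxxx-$2, the choice to show XXXX when a pattern does not match, and the sample XML are assumptions constructed for this example; the '/' delimiter and unicode flag are added in code, as the Note describes.

```php
<?php
// Added illustration; not the SDK's Log.php. Entry fields follow the README;
// maskTag(), the replacement value and the sample XML are constructed here.

function maskTag($xml, array $tag)
{
    if (!empty($tag['disableMask'])) {
        return $xml;                        // tag may appear in full
    }
    $name = preg_quote($tag['tagName'], '/');
    // Config patterns carry no delimiters: '/' and the unicode flag are added here.
    $inner = $tag['pattern'] !== '' ? '/^' . $tag['pattern'] . '$/u' : null;

    return preg_replace_callback(
        "/(<$name>)(.*?)(<\\/$name>)/su",
        function (array $m) use ($tag, $inner) {
            if ($inner !== null && preg_match($inner, $m[2]) === 1) {
                $shown = preg_replace($inner, $tag['replacement'], $m[2]);
            } else {
                $shown = 'XXXX';            // assumption: hide entirely otherwise
            }
            return $m[1] . $shown . $m[3];
        },
        $xml
    );
}

// Constructed sensitiveTags entries, written as they would appear in the JSON file.
$config = json_decode(<<<'JSON'
{"sensitiveTags": [
  {"tagName": "cardNumber", "pattern": "(\\p{N}+)(\\p{N}{4})", "replacement": "xxxx-$2", "disableMask": false},
  {"tagName": "cardCode", "pattern": "", "replacement": "", "disableMask": false},
  {"tagName": "expirationDate", "pattern": "", "replacement": "", "disableMask": true}
]}
JSON
, true);

// Constructed request fragments; the second card number uses full-width digits.
$samples = array(
    '<cardNumber>4007000000027</cardNumber><cardCode>123</cardCode>',
    '<cardNumber>４００７００００００００２７</cardNumber><expirationDate>2030-12</expirationDate>',
);
foreach ($samples as $xml) {
    foreach ($config['sensitiveTags'] as $tag) {
        $xml = maskTag($xml, $tag);
    }
    echo $xml, "\n";
}
```

After changing the local JSON, run representative requests through the logger and inspect the log file to confirm that no full card number or card code appears in it.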


Integration tests for the AuthorizeNet SDK are in the tests directory. These tests are mainly for SDK development. However, you can also browse through them to find more usage examples for the various APIs.

  • Run composer update --dev to load the PHPUnit test library.
  • Copy the phpunit.xml.dist file to phpunit.xml and enter your merchant credentials in the constant fields.
  • Run vendor/bin/phpunit to run the test suite.

You'll probably want to disable emails on your sandbox account.

Test Credit Card Numbers

Card Type                      Card Number
American Express Test Card     370000000000002
Discover Test Card             6011000000000012
Visa Test Card                 4007000000027
Second Visa Test Card          4012888818888
JCB                            3088000000000017
Diners Club/ Carte Blanche     38000000000006

Set the expiration date to anytime in the future.


Add PhpDocumentor to your composer.json and run composer update --dev:

    "require-dev": {
        "phpdocumentor/phpdocumentor": "*"
    }

To autogenerate PHPDocs run:

    vendor/bin/phpdoc -t doc/api/ -d lib