Authorize.net - Invalid Notification

Hi,

The "Invalid notification" error means that the hash validation between Authorize.net and HikaShop failed. The plugin compares a hash calculated from the notification data with the hash sent by Authorize.net to verify authenticity.

Since you mentioned that most transactions work fine and this is intermittent, it is likely related to special characters in the customer's name or address. The SHA-512 signature hash includes customer data fields (name, address, city, state, zip, etc.) and if any character is encoded differently between what Authorize.net sends and what PHP receives, the hash will not match.

Could you check: do you have a Signature Key configured in the plugin settings? This is different from the MD5 Hash field. Authorize.net deprecated the MD5 method back in 2019, so you should be using the Signature Key (SHA-512) instead. You can find/generate your Signature Key in your Authorize.net merchant account under Account > Settings > Security Settings > General Security Settings > API Credentials & Keys.

Also, could you check if the affected transactions have something in common? For example, customers with accented characters in their names, special characters in their addresses, or non-US addresses? That would help confirm whether this is a character encoding issue in the hash calculation.

If you have debug mode enabled in the payment method settings, you should also be able to get more information about the problem in the "Payment log file" under the HikaShop configuration page. The details there will help us pinpoint the exact cause.

Hi,

You don't need to clear out the MD5 Hash box, but you can if you want. It won't change anything.
Report to us once you get the issue again with the debug turned on so that we can check the payment log file.

Hi,

Thank you for enabling debug and providing the details. The screenshot confirms the issue: the customer's phone number contains invisible Unicode control characters. Specifically, it has a LEFT-TO-RIGHT EMBEDDING character (U+202A) at the beginning and a POP DIRECTIONAL FORMATTING character (U+202C) at the end. These are invisible in normal display but they are included in the data sent to Authorize.net, and they cause the SHA-512 hash to not match.

This typically happens when a customer copies and pastes their phone number from a source that includes bidirectional text formatting (for example, from certain mobile apps, contacts, or web pages).

To fix this customer's account, edit their billing and shipping addresses in HikaShop and clear the phone number field, then re-type it manually. That will remove the hidden characters.

To prevent this from happening in the future, you can add a regex validation to the phone field. Go to HikaShop > Display > Custom fields, edit the "address_telephone" field, and in the Options tab, set the regex to:

^[0-9\s\+\-\.\(\)]+$

Hi,

We'll be adding a patch in the Authorize.net payment plugin with the next release for this.

However, note that the SIM API is legacy. Authorize.net will discontinue it completely sooner or later. I would recommend looking into migrating to www.hikashop.com/marketplace/product/150...e-js-by-obsidev.html

The plugin is included in HikaShop. So it will be updated automatically when you update HikaShop.