Which Authentication Mechanism do you need?

Your choice of auth mechanism depends largely on your path to integration. For example, we recommend using the API Passcode with our REST API (a server-to-server integration).

However, we have been in the payments industry for more than a decade (we’ve facilitated over 8,000 successful integrations). So, we provide a few different auth mechanisms to meet different needs.

To determine which auth mechanism is right for your integration, consult this table. Then, follow the navigation links for detailed descriptions of that method.

Deprecated Services: If you have already integrated with our Process Transaction API, username/password continues to be available as an auth mechanism. However, we recommend that you migrate to API Passcode, User Session, or Hash Value authentication.

If you have any lingering questions about authentication, please contact our support team.


No authentication ("no-auth")

"No authentication" (no-auth) is the default setting of every new account. We provide no-auth as an option to allow payment forms to work automatically.

A merchant using no-auth can receive payments, but cannot provide refunds, for example.

No-auth is ideal for merchants/developers who:

  • do not want to undertake any extra development
  • are willing to take on the extra risks (e.g. monitoring for fraud before order fulfillment)

API Passcode

About API Passcode

The API Passcode is our featured auth mechanism.

Note: we recommend you avoid using the API passcode with client-side or mobile applications (it’s best to think of most mobile apps as a browser). Otherwise, you risk exposing the passcode. Instead, for client-side applications, we recommend Hash Validation.

How to use the API Passcode

  1. Log on to the Online Member Area.
  2. Go to: administration > account settings > order settings
  3. Under Payment Gateway > Security/Authentication, click Generate New Passcode. We automatically generate a code for you.
  4. Click Update. Note: if you do not click Update, the system may not save your passcode.


About Hash

You can use a hash to help protect the integrity of API transaction requests. We support SHA-1 hashing; we also support MD5 hashing, though we suggest avoiding its use for most integrations.

There is a difference between the following two hash components (for more details, see How to Use Hash Validation):

  • Hash Key: an encoded key that allows you to create hash values for various, particular transactions
  • Hash Value: the Beanstream system provides this value, as requested, in your query string

Note: Once you have enabled this option, you will have to use it on every single transaction you submit to the API.

How to Use Hash Validation

  1. Log on to the Online Member Area.
  2. Go to: administration > account settings > order settings
  3. Under Payment Gateway > Security/Authentication, select Require hash validation on all Payment Gateway transaction requests.
  4. Pick the Hash Algorithm that you want to use (we recommend SHA-1).
  5. Take the API request string (or… ) and place the hash key in the string where you want the system to generate the hash value. This may be at the end of the string, or after any complete variable within the string.

    variable1=aaa&variable2=bbb&variable3=cccLJHdo33vdfjknvf04895jJDFFDldkfm678as6kf&variable4=ddd&variable5=eee

  6. Generate a hash of the string up until the end of the hash key only. Use SHA-1 to match your selection in your Beanstream account.

    A quick Google search will return a list of many free SHA-1 hash generator tools.
  7. Include your results in your string by placing a hashValue variable in the same location as you placed your hash key.
  8. Send this string to the Process Transaction API.
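
The hash validation steps above, as an added example (not Beanstream's own code), computing the SHA-1 locally with Python's hashlib so the hash key stays on your server. The hash key is the one from the sample string; the `&hashValue=` separator, the lowercase hex output, the function names and the receiver-side check are assumptions.

```python
import hashlib
import hmac

# Hash key copied from the page's sample string; request variables are constructed.
HASH_KEY = "LJHdo33vdfjknvf04895jJDFFDldkfm678as6kf"
MARKER = "&hashValue="  # assumed separator; the parameter name is from the page


def sign_request(signed_part, unsigned_part="", key=HASH_KEY):
    """Return the request string with hashValue where the hash key was placed.

    signed_part: complete variables covered by the hash.
    unsigned_part: variables that follow the hash key and are not covered.
    """
    last_var = signed_part.rsplit("&", 1)[-1]
    if "=" not in last_var:
        raise ValueError("the hash key must follow a complete variable")
    # Hash the string up to the end of the hash key only, nothing after it.
    digest = hashlib.sha1((signed_part + key).encode("utf-8")).hexdigest()
    # hashValue takes the position the hash key occupied.
    request = signed_part + MARKER + digest
    if unsigned_part:
        request += "&" + unsigned_part.lstrip("&")
    return request


def verify_request(request, key=HASH_KEY):
    """Recompute the hash as a receiver would and compare in constant time."""
    head, found, tail = request.partition(MARKER)
    if not found:
        return False
    claimed = tail.split("&", 1)[0].lower()
    expected = hashlib.sha1((head + key).encode("utf-8")).hexdigest()
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    req = sign_request("variable1=aaa&variable2=bbb&variable3=ccc",
                       "variable4=ddd&variable5=eee")
    print(req)
    print("intact:", verify_request(req))
    print("signed variable changed:",
          verify_request(req.replace("variable2=bbb", "variable2=zzz")))
    print("unsigned variable changed:",
          verify_request(req.replace("variable4=ddd", "variable4=zzz")))
```

Because only the text up to the end of the hash key is hashed, variables placed after it are not integrity-protected. Placing the hash key at the end of the string covers every variable.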

Nicole Stright

Nicole is our coffee dependent content specialist. With a quick-witted way with words, she could make you enjoy reading an instruction manual. She was born American, raised Canadian and has lived briefly in Poland. A quintessential west coastian she can be found running the seawall, practicing savasana in yoga or enjoying an over-hopped I.P.A. Nicole is responsible for all of the bean puns as well as creating compelling copy driven by analytics that converts. She strives to simplify the complicated and wants readers to easily understand the often convoluted industry of payments.