First Data Unauthorized Request. Bad or missing credentials: Things are not always as they seem.

Screen Shot 2013-10-13 at 2.27.49 PM I added code to a client’s website a while back to allow them to use First Data to take credit cards on their site. Everything was working well until last week when it just quit working. It was no longer communicating with First Data.

It completely stopped receiving a response at all from the CURL call to First Data. Nothing.

You can see the code that I was using here.

I put some debug code in to show the response I was getting from First Data. Nothing. I even used print_r(curl_getinfo($ch)); to see what was going on with CURL. All I got was blanks and zeros.

I thought maybe CURL was having a problem so I used this instead:

$result = file_get_contents($url, null, stream_context_create(array(
    'http' => array(
    'method' => 'POST',
    'header' => $curl_headers,
    'content' => $data_string
  ),
)));

At least I got a response this time: Unauthorized Request. Bad or Missing Credentials.

I checked the credentials. They were good. I took the code and put it on my server and it worked like a charm. I knew the credentials were good. It definitely had something to do with the connection between the clients host server and their First Data account.

After multiple phone calls with a supervisor at First Data and several hours of troubleshooting, I finally found the problem. It had to do with the SSL option in CURL. I’m not sure if the hosting server updated CURL or PHP, or if First Data changed something, but adding this option made it work:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

Now, the complete CURL code looks like this:

    $content_type = 'application/json; charset=UTF-8';
	$hashtime = gmdate("c");
	$content_digest = sha1($data_string);
	$api_uri = '/transaction/v13';
	$hashstr = "POST\n".$content_type."\n".$content_digest."\n".$hashtime."\n".$api_uri;
	$authstr = base64_encode(hash_hmac("sha1",$hashstr,HMAC_KEY,TRUE));
	
	$curl_headers = array('Content-Type:'.$content_type, 'Accept: application/json');
	$curl_headers[] = 'Authorization: GGE4_API '.KEY_ID.':'.$authstr;
	$curl_headers[] = 'X-GGe4-Date:'.$hashtime;
	$curl_headers[] = 'X-GGe4-Content-SHA1:'.$content_digest;
	
	// Initializing curl
	$ch = curl_init( $url );
	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
	curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_HTTPHEADER, $curl_headers);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
	
	// Getting results
	$result = curl_exec($ch);
	
	// Getting jSON result string
	$data_string = json_decode($result);

So… if your getting the Unauthorized Request error or NO error at all from CURL:

  • Double check your First Data username, First Data Password, HMAC Key, and Key ID – Make sure you save them when you generate them
  • Double check your endpoint – Make sure you’re using the correct credentials for the correct endpoint (testing vs. live)
  • Check the CURL SSL settings as above

I hope this saves you some time.

7 thoughts on “First Data Unauthorized Request. Bad or missing credentials: Things are not always as they seem.”

  1. Pingback: First Data Global E4 Gateway API PHP Example - Cullen Web Services

  2. I am having this exact issue with Shopify and First Data right now. I forwarded their tech support (who could not help me) the link to this article.

  3. Help me ,i have check all credentials.All have no problem but i got this message..
    Invalid signature received ‘tcaBXa############’.

  4. Thank you very much! This got me in the right direction.
    You can also set/check for errors on the curl request using:
    curl_setopt($ch, CURLOPT_FAILONERROR, true);
    if (curl_errno($ch)) {
    $error_msg = curl_error($ch);
    }

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top