I’ve been testing with the Virtual Pinpad and noticed something unexpected in how transaction auth tokens are validated.
Steps I followed:
On a fresh Virtual Pinpad, I paired and received a secret key. Using this, I successfully requested a transaction auth token, received a token, and completed a transaction.
I deleted the HalStoragePrivate_DefaultPinpad file, re-paired via Postman, received a new secret key, requested a transaction auth token, and successfully completed another transaction.
However, when I use the old secret key (stored in my app), I can still generate a transaction auth token. The issue is:
The generated token is accepted by the API.
But when I try to perform a transaction with that token, I get a 401 Unauthorized error.
My expectation was that the system should not issue a transaction auth token when using an invalid/old secret key. Instead, it’s only failing at the transaction stage.
Could you clarify if this is the expected behavior? Or is the token generation endpoint supposed to reject requests signed with an old/invalid secret key?
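Added example, not part of the original post and not the Virtual Pinpad's code: a small Python model of the pairing/token flow that reproduces the reported symptom and shows the check a token endpoint would need to reject a stale key at issuance. Everything here is assumed: that pairing yields a key ID plus secret, that the token endpoint verifies the client's HMAC against a key table that still holds previously paired keys, and that the transaction endpoint compares the token's key ID against the current pairing. The class and function names (`PinpadService`, `request_token_lenient`, `request_token_strict`, `transaction`, `reproduce`) are hypothetical.

```python
"""Hypothetical model of a pairing / transaction-auth-token flow.

Not the Virtual Pinpad's implementation. Assumptions (all hypothetical):
 - pairing returns (key_id, secret); re-pairing issues a fresh pair and only
   updates the "current pairing" record, the old key stays in the key table.
 - the lenient token endpoint accepts any key still present in that table.
 - the transaction endpoint also checks that the token's key_id is current.
"""
import hashlib
import hmac
import secrets
import time


class PinpadService:
    def __init__(self):
        self.keys = {}       # key_id -> secret, every key ever paired (never purged)
        self.current = {}    # pinpad_id -> key_id of the active pairing
        self.server_secret = secrets.token_bytes(32)   # signs issued tokens

    def pair(self, pinpad_id):
        """Pair (or re-pair) a pinpad: mint a fresh key and make it current."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.keys[key_id] = secret
        self.current[pinpad_id] = key_id
        return key_id, secret

    def _token_mac(self, payload):
        return hmac.new(self.server_secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_token_lenient(self, pinpad_id, key_id, nonce, client_sig):
        """Reported behaviour: the client's signature is checked, but only
        against the key table, so a key from a previous pairing still works."""
        secret = self.keys.get(key_id)
        if secret is None:
            return None
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, client_sig):
            return None
        payload = f"{pinpad_id}.{key_id}.{int(time.time())}"
        return f"{payload}.{self._token_mac(payload)}"

    def request_token_strict(self, pinpad_id, key_id, nonce, client_sig):
        """Expected behaviour: refuse issuance unless key_id is the current pairing."""
        if self.current.get(pinpad_id) != key_id:
            return None
        return self.request_token_lenient(pinpad_id, key_id, nonce, client_sig)

    def transaction(self, token):
        """Return an HTTP-like status: 200 on success, 401 for a bad MAC or
        a token bound to a key that is no longer the current pairing."""
        if token is None:
            return 401
        try:
            pinpad_id, key_id, issued_at, mac = token.split(".")
        except ValueError:
            return 401
        payload = f"{pinpad_id}.{key_id}.{issued_at}"
        if not hmac.compare_digest(self._token_mac(payload), mac):
            return 401
        if self.current.get(pinpad_id) != key_id:
            return 401
        return 200


def client_sign(secret, nonce):
    """What the app does with its stored secret when requesting a token."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def reproduce():
    """Replay the steps from the post against the model.

    Returns (stale_token_issued_by_lenient_endpoint,
             transaction_status_with_that_token,
             stale_key_rejected_by_strict_endpoint)."""
    svc = PinpadService()
    pid = "DefaultPinpad"                       # constructed pinpad identifier
    old_id, old_secret = svc.pair(pid)          # first pairing
    tok = svc.request_token_lenient(pid, old_id, "n1", client_sign(old_secret, "n1"))
    assert svc.transaction(tok) == 200
    new_id, new_secret = svc.pair(pid)          # re-pair after deleting the storage file
    tok = svc.request_token_lenient(pid, new_id, "n2", client_sign(new_secret, "n2"))
    assert svc.transaction(tok) == 200
    # now use the old secret still stored in the app
    stale = svc.request_token_lenient(pid, old_id, "n3", client_sign(old_secret, "n3"))
    strict = svc.request_token_strict(pid, old_id, "n4", client_sign(old_secret, "n4"))
    return stale is not None, svc.transaction(stale), strict is None


if __name__ == "__main__":
    print(reproduce())
```

In this model the lenient endpoint mints a token for the old key because the signature still verifies against a key table that was never purged on re-pair, and only the transaction endpoint notices the key is no longer current. Moving the "is this key the current pairing?" check into issuance (the strict variant) makes the failure surface at the token request, which is the behaviour the post expects.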