Justransform
Request access
Resources · EDI Essentials

What is AS2?

EDIINT AS2 — secure, reliable B2B messaging over the public internet using HTTP.

Applicability Statement 2 (AS2), also known as EDIINT AS2, is an IETF protocol for secure, reliable messaging over HTTP. Data is sent over the internet using HTTP or HTTPS. AS2 reuses the signing, encryption, and MDN conventions from AS1. AS2 is widely deployed point-to-point; it adds verification and security through receipts and digital signatures, with real-time transactions and acknowledgements. Walmart helped drive AS2 adoption in retail.

How AS2 works

To establish AS2 you need two endpoints (server and client roles) connected over the internet. AS2 wraps the payload in an envelope that enables secure transmission using digital certificates and encryption.

AS2 message flow between trading partners over HTTP, with encryption, signing, and MDN receipt.
AS2 secure messaging overview

What is an AS2 MDN?

A Message Disposition Notification (MDN) is an electronic acknowledgement sent back to the sender after a message is transmitted, confirming successful receipt.

The MDN confirms:

  1. The AS2 transfer completed successfully.
  2. The message arrived at the intended recipient without change.

Typical MDN flow

  1. Sender transmits an encrypted, signed EDI message.
  2. Message travels over the internet via AS2.
  3. Recipient decrypts and verifies the sender’s signature.
  4. Recipient builds the requested MDN, signs it, and returns it to the sender.
  5. Sender receives the MDN and verifies the recipient’s signature.

What you need for AS2

  1. AS2-capable software on both sides.
  2. An AS2 identifier (AS2 name) and typically one certificate per partner relationship.
  3. Public keys for all partner certificates in use.

AS2 certificates

Certificates secure the exchange. Organizations may use self-signed certificates or, preferably, certificates from a trusted certificate authority. Public certificates are exchanged with partners before go-live.

Definitions

Signed receipt
Receipt carrying a digital signature.
Synchronous receipt
Returned in the same HTTP session as the original message.
Asynchronous receipt
Returned in a different session than the original message.
MDN
Internet messaging format for a receipt (used interchangeably with “receipt”).
Non-repudiation of receipt (NRR)
Legal/operational outcome when the sender can prove receipt using a signed MDN and retained evidence (message ID, MIC/hash, etc.).
Non-repudiation of origin (NRO)
Assurance the sender cannot credibly deny sending a transaction after the partner receives a successful MDN.
S/MIME
Format/protocol for signatures and encryption on MIME messages.
CMS (Cryptographic Message Syntax)
Encapsulation for signing, digesting, authenticating, or encrypting messages.
SHA-1 / MD5
Hash algorithms used with digital signatures in AS2 contexts (SHA-1 has been common; prefer modern guidance from your security team).
MIC
Message integrity check (digest) used with the signature.
User agent (UA)
Application that processes the AS2 request.

Security permutations (summary)

Twelve common combinations cover unsigned/signed, encrypted/plain, and receipt options — from “no receipt” through “encrypted, signed, signed receipt.” Your trading agreement defines which permutation you must use.

  1. Unencrypted, no receipt.
  2. Unencrypted, unsigned receipt.
  3. Unencrypted, signed receipt.
  4. Encrypted, no receipt.
  5. Encrypted, unsigned receipt.
  6. Encrypted, signed receipt.
  7. Signed payload, no receipt.
  8. Signed payload, unsigned receipt.
  9. Signed payload, signed receipt.
  10. Encrypted and signed, no receipt.
  11. Encrypted and signed, unsigned receipt.
  12. Encrypted and signed, signed receipt.
Next step

From reference to running system.

Request accessEnterprise programs