PayPal API payments without sign in, and obtaining an access token - paypal

Is it possible to add or link PayPal to an account (get a user access token from PayPal, or something like this) to allow payments without authorization (without log in and confirmation, like with a card if we have the card number and CVC)?
And the second question: I am using the PayPal sandbox and I cannot refresh the token when trying to execute the query.
I get this answer:
{
"error": "invalid_refresh_token",
"error_description": "No consent were granted"
}
Is it possible they disabled this option on the sandbox?
Regards

Credit card company rules do not permit a CVC to be stored under any circumstances, so you would never "have" this information. It can only be transmitted when a card is first processed and then must be immediately discarded. As for storing card numbers themselves, there are many rules about that (PCI SAQ-D is a place to start, if you need to research it).
To your PayPal question, to be able to bill a PayPal account without the payer signing in (though they will always have to sign in for initial agreement/set up), the receiving PayPal account must have a feature called "reference transactions". The account owner can contact PayPal's general business support (not technical support) to explain the business need and inquire about being approved for enabling this feature. Once enabled, PayPal can guide you on which API to implement -- be it the older billing agreements API or a newer v2 or v3 vault one.
Refresh tokens are used by a Log in with PayPal integration to obtain a new access token when the old one (originally obtained from an authorization_code) is expired. If you are not integrating Log in with PayPal, refresh tokens are not applicable to what you are actually trying to do, and so the request in your screenshot won't be useful to you.
Refresh tokens are not used to obtain a regular REST API access token for authentication, which uses grant_type=client_credentials. If that's what you're actually trying to do, the documentation is here. The public PayPal Postman API collection sample takes care of this step for you, in the collection-level pre-execution script.

Related

PayPalExpress Processor Declines my order says Security header not valid

I have got a PayPal order, with an order id (O-123213XXXX) from PayPal. I am trying to authorize it via Hybris Storefront. Hybris will pass the payload to a third party when the user clicks on the place order button, and that third party will authorize the payment by communicating with the PayPalExpress processor.
My payment is reaching the processor and I am getting a response like [cart] 10002 Security Header not valid. I searched online and came to know that it's something related to invalid API credentials. They suggest not confusing live PayPal credentials with sandbox credentials.
I have cross-checked everything,
1) I have a Paypal button at my Hybris Storefront which user click when they wish to pay using Paypal. This will create the order.
2) After which, I am logging in using my sandbox test user account of type personal to approve the order via Paypal popup window.
3) Next, I execute that order. Before that, I need the bearer access token using my online store's "Sandbox" Client ID and Secret Key combination in another REST call. (Just to mention... this online store/app is associated with a sandbox account of type "Business".)
Once I get the token, I execute the order via another REST call using that access token.
4) Now I get the Order Id from PayPal so that once the order is placed in Hybris, it will be Authorized and then Captured at a later stage. (That's the plan...)
I have noticed in the PayPal developer account that the Business account associated with my online store/app has some credentials such as Username, Password and Signature. But I am not using them anywhere in my flow.
(Those are for SOAP/NVP calls, that's what they say in the docs.)
And now I am getting the 10002 Security header invalid response from the processor.
As per my understanding I am not using any live credentials anywhere, only the sandbox ones.
Or am I missing something related to those mentioned credentials I am not using anywhere?

PayPal REST API Get Authorization Code returned from credit card processor

There is a code returned by the credit card processor when the transaction is approved, usually 5-6 digits. I'm trying to retrieve this code with REST API in their sandbox.
If you are using PayPal Payflow you can see this on the transaction result page when logged in to your Payflow account. This number is also on a printed receipt when you go to a store, it's a very common number to have after an approved CC payment. I have yet to accept a real payment through REST API, just working with sandbox so far. Looking at the response for the sandbox payment and the sale transaction I cannot see anything that looks like the processor authorization code.
Documentation for this authorization code is difficult to research and I don't want to lead anyone astray; I'm not looking for anything related to the auth code used for access and refresh tokens, same name but completely different.

What is the Paypal "Identity Token" or "Token ID" and what is it used for?

2 questions for you regarding Paypal Hosted Checkout solution and the goal of the "Identity Token" or "Token ID".
1-
I've come across several online PayPal docs (such as for Payflow integration) that talk about providing the "Identity Token" (or "Token ID", I think they're the same, aren't they?), but I was wondering what's the goal of passing over this token ID: is it for my own security, or PayPal's, or something else? Does anybody know exactly what the purpose of that token ID is, what PayPal is doing with it, and/or what the vendor shall be doing with it?
Asking this because when doing the form post to redirect the user to the PayPal hosted checkout, we have to first call the PayPal gateway server to obtain the "secure token", and this API call is already secured through another method, right? I need to pass my account credentials. So why is posting only the "secure token" not enough, and we also need to post that "token ID"? PayPal should already have associated the secure token with my account information through the first API call, no?
2-
Also, at the end of the flow, once PayPal returns the customer to my vendor website, does PayPal include any of those tokens (token ID or secure token) as part of their request (perhaps by adding URL parameters to my given vendor return URL)? If so, does PayPal recommend any sort of validation to be made on the vendor side, such as validating that the tokens match the ones that I, the vendor, stored in the user session prior to redirecting the customer through a form post to the PayPal hosted checkout? Basically, how can I ensure that the session was not hijacked between the time I redirect the customer to PayPal hosted checkout and the time PayPal returns the customer back to my site?
Reference: https://developer.paypal.com/docs/classic/payflow/integration-guide/#hosted-checkout-pages
Thanks a lot
As the previous user states, the Token ID is used basically to identify a specific transaction process during its workflow.
About your second question, in the case of Express Checkout, the workflow does not end when PayPal returns the user to your site. This step you are describing is probably when you send the user to PayPal to AUTHORIZE a payment that you will issue later. The last step is the DoExpressCheckoutPayment, in which you just inform PayPal to make the transaction; for this you just pass the token to PayPal, so PayPal knows what you are "talking" about.
Is it good practice to validate the token? I would say yes. Somebody might be listening on your connection and injecting some invalid token. In any case, if you send an invalid token you will get an error message from PayPal.
The following image illustrates the whole process very well:
As I understand it (and if reading this correctly), the Secure Token is for processing transactions on your own site instead of passing the user and order to paypal for processing. The Secure Token identifies that specific transaction and ensures the continuity of the order is not broken. You require a Token ID in order to obtain a Secure Token.
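The session-side validation the question asks about and the answers recommend, as an added example that is not part of the original thread: the tokens obtained from the gateway are bound to the buyer's server-side session before the redirect, and the values posted back are accepted only if they match that session's pending tokens. The parameter names, the in-memory session store and the sample token values are constructed placeholders, not PayPal's real field names.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Session:
    # One pending hosted-checkout token pair per buyer session (constructed store).
    pending_checkout: dict = field(default_factory=dict)


SESSIONS: dict = {}  # session_id -> Session; a real app would use its session backend


def begin_checkout(session_id: str, secure_token: str, token_id: str) -> dict:
    """Record the tokens obtained from the gateway before redirecting the buyer.

    The returned dict holds the values to place in the redirect form post.
    """
    sess = SESSIONS.setdefault(session_id, Session())
    sess.pending_checkout = {"secure_token": secure_token, "token_id": token_id}
    return dict(sess.pending_checkout)


def verify_return(session_id: str, returned: dict) -> bool:
    """Accept the return only if the posted tokens match this session's pending ones.

    Key names in `returned` are assumed placeholders. The comparison is
    constant-time, and the stored tokens are cleared on first use so a replayed
    return, or one carrying another session's tokens, cannot complete a checkout.
    """
    sess = SESSIONS.get(session_id)
    if sess is None or not sess.pending_checkout:
        return False  # nothing pending for this session: reject
    expected = sess.pending_checkout
    sess.pending_checkout = {}  # single use, even if the comparison below fails
    ok = True
    for key in ("secure_token", "token_id"):
        got = str(returned.get(key, ""))
        ok &= hmac.compare_digest(expected[key].encode(), got.encode())
    return ok
```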

Do I need 3rd party's Paypal API credentials to let them sell on my site using Payments Pro?

I am working on a website in which a facility pays us for membership. Their membership payment is the only money we receive. This payment is done via Paypal Website Payments Pro using the DoDirectPayment API.
These members then rent out their facility to customers by listing available blocks of time on our website. The customer would pay for this time block via credit card, also via DoDirectPayment, but this time the payment goes directly to the member's Paypal account.
I have found a lack of clear direction on what needs to be done to enable this. I know I could require all members to have a Paypal Payments Pro account ($30 per month) and store their API credentials (including passwords and signatures) in our system and those payments could be handled directly. But I am vaguely aware of the Third-Party app authorization option... I just can't find info on how it should be set up.
Is it possible to only store the member's Paypal email address and just ask them to authorize our app in their profile?
Also, I saw someone suggest the third-party payment recipient wouldn't even need a Pro account. If that is the case, what do I need to change about the API call (I'm using the NVP method) so that our Pro account is leveraged but payment is given to the member?
First, your members will need their own Pro account. The only way to try and get around that would be to have all of the funds come into your account and then disperse them accordingly. This is frowned upon by PayPal and will result in a suspended account.
You could indeed have users enter their API credentials into your application and store them with your customer's profile so that you can include them in API calls for that particular member. You'll want to make sure to encrypt these values if you end up doing that.
The proper way to handle it (since you're a hosted solution) would be using Permissions. You would use your own API credentials, but then pass an additional parameter to flag what account you're making that call on behalf of. This is where the Permissions come into play. Your members will need to Grant API Permission for your app to make the DoDirectPayment call on their behalf.
This can be done manually from within the PayPal account under API Access, or programmatically via the Permissions API.
OK, I discovered the answer. I am sharing the detail here for others looking for this very elusive information:
My account (hosted solution) must be a Pro account.
Members who will be selling to customers on my site must also have Pro accounts. I tested the same code with a regular business account and the error said "This transaction cannot be processed due to an invalid merchant configuration."
Members do not have to give me all their API credentials.
The DoDirectPayment call is the same as if I were doing my own payment (almost). I use my own username, password, and signature. The way to send the money to another account is to include one more parameter called SUBJECT which should be the email address associated with the member's Paypal account (not their API username).
The member must grant my (third-party app) account permission. In my case I only needed the one Paypal labels "Process your customers credit or debit card payments." which should correspond to DIRECT_PAYMENT in API terminology.
Andrew's answer gave me some additional keywords to use in searches, and I appreciate the tip-off to the Permissions API. It did not directly answer the question, but that will be a nice feature to add to my app instead of making users go through their PayPal profiles to grant permission.

Paypal Classic API: Test accounts

I need to simulate a buyer transaction in my paypal sandbox environment. Essentially, a buyer is a user that decides to subscribe to my service, which is done using the Paypal NVP API method: DoDirectPayment.
Reading the documentation, I gather that a buyer in this case will essentially be a Personal account, and basically to make any kind of API call, I require API credentials. However, the PayPal Developer website does not show any kind of API credentials for this personal account:
I do have a business account, and that does state the corresponding API credentials. The link I am referring to is:
https://www.x.com/developers/paypal/documentation-tools/ug_sandbox#credentials
where it states that the API credentials are specified for all accounts.
The only rationales I have behind this are:
a) personal accounts do not get API credentials,
b) I need to simulate a DoDirectPayment API with my business account API credentials, but documentation states that to simulate a buyer transaction I must use a personal account.
c) I need to set API credentials manually somehow.
Any leads?
You would use your API credentials from your business account in the API call. As for the buyer, you would not be paying with a PayPal account if you are using the DoDirectPayment API. You would be using a credit card. You should be able to use any of the card numbers below to test with. I just use a Mod 10 check to generate the card numbers. You can use any valid future date for the expiry date, and use 123 for the card security code.
Visa
4539261585419872
4532063588063153
4024007125711126
4916126222581496
4916335290325039
4929693226575720
4916573003035640
4485204470227566
4024007102338976
4024007148183980
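The Mod 10 (Luhn) check the answer above mentions, as an added example that is not part of the original answer: it validates a card number's check digit (the sandbox numbers listed above all pass), and computes the check digit that completes a constructed test number.

```python
def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 of a digit string (0 means the string is valid)."""
    if not digits.isdigit():
        raise ValueError("card number must contain digits only")
    total = 0
    # Walk from the rightmost digit and double every second digit from the right;
    # a doubled value above 9 has 9 subtracted (same as summing its two digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(card_number: str) -> bool:
    """True if the number (spaces and dashes ignored) passes the Mod 10 check."""
    cleaned = card_number.replace(" ", "").replace("-", "")
    return len(cleaned) >= 2 and cleaned.isdigit() and luhn_checksum(cleaned) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit Luhn-valid (for sandbox test data only).

    Appending a placeholder '0' puts every digit of `partial` in the position it
    will occupy in the finished number, so the remaining distance to a multiple
    of 10 is exactly the check digit.
    """
    return str((10 - luhn_checksum(partial + "0")) % 10)
```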