I'm trying to integrate paypal checkout in my website which has a deprecated paypal integration. I'm using server side SDK and I can create and capture a payment with no problems. To do so I'm using clientId and secret generated in paypal Dashboard.
However, in the official documentation it talks about an Access-Token to call APIs but I'm using clientId/secret to do so and until now I haven't had any problems, so what is it for or when is it used?
I also noticed that whenever I made a create order, one of the returned links has "token=XXXXXXX".
Please help.
The client ID and Secret are used to obtain an access token. They are not used for anything else.
An access token is then used for all other REST API calls.
If you are using a server-side SDK, handling of the access token is abstracted by it. You do not need to do anything.
Related
i created sandbox account login successfully but not find client token where it is.enter image description here
Full disclosure, I work at Braintree. If you have any further questions, I recommend contacting support
Braintree is a full-stack payments solution. In order to pass a client token on your client-side, you'll need to first generate a client token on your server, then pass it to your client. As an example, here's how you'd generate one in Ruby:
#client_token = gateway.client_token.generate
Alternatively, you can use a tokenization key for client authentication. This is a static key with reduced privileges, but still can authenticate your client to work with Braintree's servers. You can find your tokenization key in the Control Panel.
I recommend reviewing the [Getting Started documentation][get], as there is a lot of great information and images to help illustrate getting Braintree integrated. You could also check out some of the end-to-end examples for full-context of an example integration.
I am a long paypal API user and am trying to use the new(er) REST API for my app. I have been pleased with the quality of the docs and API over our existing integration with paypal masspay, but I fear I have misunderstood the use of the REST API.
I have done at least a dozen other OAuth2 integrations with a lot of different services, and every one of them sets up a connection and gives us (the 3rd party app owner) a token, which lets us act on their behalf.
When I discovered the "My Apps" and REST API of paypal, saw it generated a client_id/secret, naturally I assumed I could create an app, and integrate it into my software, so that my clients can 'add' the app (initiating an oauth connection), and then I have a token that I can use to create payouts on their behalf. What led to the confusion, in retrospect, is that I was able to obtain a token, and then make SOME REST API calls (specifically, the identity calls, which give me info about my clients paypal account), but even if I added the following oauth scopes:
https://api.paypal.com/v1/payments/.* https://uri.paypal.com/payments/payouts
I am getting permission denied whenever I try to initiate a payout, or use any API other than the identity calls.
So after further digging, I am coming to the conclusion that the REST API, and the whole 'apps' thing is simply for writing apps for your OWN account (except for identity), NOT for allowing my app to act on behalf of a 3rd party, as has been the case for every other oauth integration I have ever done.
Does this sound correct? Am I missing something that lets me identify what merchant I am acting on behalf of?
I'd really like to move off the masspay API as its very clunky. Please help!
I have a website allowing authenticated users to submit and edit data. I also want to offer a REST API as part of a chargeable service.
Now the problem is that a non-paying user could theoretically use the same calls my website uses as API for authentication and sending data from his external application since it is very easy in the browser to see the endpoint what and how exactly the data is being sent to a website.
How can I protect my website from such usage and force the user to use API for external access?
Actually you cannot prevent people making requests to a public API. You can just validate the user when a request arrives. So there are more than one approach to solve this problem.
I would provide a token per session for each user and validate the rest API request at back-end.
Use OAuth2. So you will give paid user secret id and key then they will ask for the access token to access the API's using secret id and key.
Read about public/private key encryption https://en.wikipedia.org/wiki/Public-key_cryptography
Read about oAuth
https://oauth.net/2/
I have used passport to implement oAuth2 in laravel. passport is oAuth2 implementation and available in other languages also.
I encounter an issue where I invoke eBay GetOrders API
<faultstring>Auth token is invalid.</faultstring>
<faultactor>http://www.ebay.com/ws/websvc/eBayAPI</faultactor>
<detail>
<FaultDetail>
<ErrorCode>931</ErrorCode>
<Severity>Error</Severity>
<DetailedMessage>Validation of the authentication token in API request failed.</DetailedMessage>
I am able to successfully get a token from eBay and refresh it, I tested the rest API with the same token and it seems to be working properly.
Any ideas how this can be resolved? or what can cause this error? eBay docs provide some hints about the token validity but this was tested and it does not seems to be the issue.
All is written using Java SDK
I managed to solve the issue. There are two ways to authenticate to ebay API, one is using oauth and the other is Auth n Auth. it appears that when you like to use the java soap api you need to get a token via auth n auth method and ask for a session id, once that you have the session id you need to ask for a token. the oauth method is suited for the REST API.
I hope that will help someone
Did You tried to test token by the ebay developer testing tool? There is a tool where You can test tokens, headers, requests etc.
PS. Make sure that You choose right enviroment - sandbox or production. Token for the sandbox is different as token for production environment.
I want to add PayPal REST API capabilities to our shop software. Unfortunately it seems there is no way to automate to process of connecting the merchants account to our system. It looks like if you use the REST API you need to ask for client ID and secret. Then you trade that information for an OAuth token. However this is not the normal OAuth flow, which has a step that asks for users permission and does not require credentials to begin with.
These two topics basically cover the same issue, but are rather stale:
paypal rest api credential via oauth
Is it possible to use `Log In with PayPal` to make REST api requests on behalf of the user?
Does anybody know if this is possible in the meantime? I find it rather strange to design a RESTful API with OAuth capabilities and then not using it by allowing people to automatically ask for access rights on behalf of the merchant? This makes is somewhat useless for all shop software doesn't it? Well at least inconvenient.
Or is there maybe a way one could use the old API to obtain an access token that can also be used with the REST API?
Have you looked into the Permissions API?