I'm in the process of migrating our software, which makes requests on behalf of merchants to PayPal using the PayPal SOAP API, to the PayPal REST API infrastructure.
I'm using the Client ID / Secret of my PayPal developer account to get a Bearer token from the Sandbox, using https://api.sandbox.paypal.com/v1/oauth2/token.
Then I'm doing a call to https://api.sandbox.paypal.com/v2/checkout/orders, using the bearer token I just got, to make requests on behalf of a merchant. I'm using the PayPal-Auth-Assertion header with the following (encoded) JWT-Token:
Header:
    {
      "typ": "JWT",
      "alg": "HS256"
    }
Body:
    {
      "email": "[merchant e-mail]",
      "iss": "[my client id]"
    }
The "merchant e-mail" is one of the sandbox accounts I opened in https://developer.paypal.com/developer/accounts/
In return I get a (400) Bad Request {"error":"invalid_request","error_description":"No permissions to set target_client_id"}.
It seems like there must be an additional step for the sandbox account to grant permissions to the developer account. For the SOAP API, I could add the user name of a 3rd party in the following screen. Then I could use the same username as header value for X-PAYPAL-SECURITY-USERID. However, I cannot seem to link the sandbox account in the same way, because there is no "third party username" for the main account (the one I'm getting the Client ID from).
What exactly has to be configured to allow these types of 3rd party calls for REST API?
I'm using the PayPal-Auth-Assertion header with the following (encoded) JWT-Token:
You need to be a PayPal partner to be using that type of functionality. Contact PayPal if you want to be a partner.
If you want to use their generally-accessible APIs, you have two options.
1. Have every merchant create their own REST API App via https://www.paypal.com/signin?intent=developer&returnUri=https%3A%2F%2Fdeveloper.paypal.com%2Fdeveloper%2Fapplications , and copy paste their live client ID and secret into your configuration. This is the best solution, and it is the solution you should pursue.
2. Use the payee object: https://developer.paypal.com/docs/checkout/integration-features/custom-payee/ , which gives you less control (cannot capture authorizations or issue refunds, for example).
Related
I want to send emails with Java and SMTP using an OAuth2 access_token.
I am able to do it if I use the OAuth2 type that prompts the user with a browser to allow access.
Now I want to use a Google service account and send a JWT JSON file to get the access token,
as documented here:
https://developers.google.com/identity/protocols/oauth2/service-account
I get a response back from the token URL (https://oauth2.googleapis.com/token) that has an access_token, but it does not return a scope attribute and also has a ton of trailing periods.
When I use it to call SMTP, it responds with a 400 error.
My question is: does the Gmail API work with JWT tokens?
Do I need to also have a Google Workspace account, or can I just use a normal Gmail account?
EDIT FOLLOW UP:
I called the token validator url and got this back
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxx
validateAccessToken response:
    {
      "issued_to": "xxx",
      "audience": "xxx",
      "scope": "https://mail.google.com/",
      "expires_in": 3599,
      "access_type": "online"
    }
Not sure if it is the issue, but access_type = "online" instead of offline like when I do it with 3-leg auth that requires user approval for access. Doing it the JWT way, I do not see anywhere to define access_type when requesting the token.
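A check over the tokeninfo reply shown in the question, as an added example that is not part of the original post: it confirms the token was issued to the expected client, carries the scope the mail call needs, and is not about to expire. The client id in the sample is constructed (the post redacts it as xxx), and the function name, its parameters and the shape of the error reply are assumptions.

```python
import json

# Constructed sample: the tokeninfo reply from the question, with the redacted
# "xxx" values replaced by a made-up client id.
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": "1234567890.apps.googleusercontent.com",
    "audience": "1234567890.apps.googleusercontent.com",
    "scope": "https://mail.google.com/",
    "expires_in": 3599,
    "access_type": "online",
})


def check_tokeninfo(raw, expected_audience, required_scopes, min_lifetime=60):
    """Return a list of problems found in a tokeninfo reply (empty list = OK)."""
    try:
        info = json.loads(raw)
    except ValueError:
        return ["reply is not valid JSON"]
    if not isinstance(info, dict):
        return ["reply is not a JSON object"]
    # Assumption: a rejected token comes back as an object with an "error" key.
    if "error" in info:
        return ["token rejected: %s" % info["error"]]
    problems = []
    # The token must have been issued for the client we expect; accepting one
    # minted for another application is the confused-deputy mistake.
    if info.get("audience") != expected_audience:
        problems.append("audience mismatch: %r" % info.get("audience"))
    # "scope" is a single space-delimited string: compare whole entries so a
    # narrower scope that merely shares a prefix is not accepted.
    granted = set(str(info.get("scope", "")).split())
    for scope in required_scopes:
        if scope not in granted:
            problems.append("missing scope: %s" % scope)
    # expires_in is the number of seconds the token remains valid.
    try:
        remaining = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        remaining = 0
    if remaining < min_lifetime:
        problems.append("token expires in %d s" % remaining)
    return problems
```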
Background
I'm building an Ads-Management application tailored towards both marketing / advertising agencies and individual advertisers (users)
To test marketing-api, I have set up a Sandbox ad account.
The very first thing that I'm testing is creating and uploading a custom audience (CSV file upload) and sharing it across ad accounts owned by different BusinessManagers.
From what I've gathered thus far, creating a custom audience has 2 steps:
1. Create an empty Custom Audience
2. Add (upload) users to a custom audience
For creating an empty Custom Audience I'm using the cURL request from the docs:
    curl -X POST \
      -F 'name="My new Custom Audience"' \
      -F 'subtype="CUSTOM"' \
      -F 'description="People who purchased on my website"' \
      -F 'customer_file_source="USER_PROVIDED_ONLY"' \
      -F 'access_token=<ACCESS_TOKEN>' \
      https://graph.facebook.com/v7.0/act_<AD_ACCOUNT_ID>/customaudiences
This gives me
    {
      "error": {
        "message": "Permissions error",
        "type": "OAuthException",
        "code": 200,
        "error_subcode": 1870050,
        "is_transient": false,
        "error_user_title": "Business Account Needed to Create/Edit This Audience",
        "error_user_msg": "To create or edit a Custom Audience made from a customer list, your admin needs to add this ad account to a business.",
        "fbtrace_id": "AsMXXXXXXXXXXXXXX-fXXXX"
      }
    }
What have I done already
Added my App (Test-App-1) to my BusinessManager (Test-Business-1)
Followed this discussion and added an Admin System User (Test-Admin-System-User-1) generated from my BusinessManager to my App
Generated an access token (with all ads / business related permissions) for my Test-Admin-System-User-1 to use in API calls
Clicked on Connect to Business on my Sandbox Ad Account and used Test-Admin-System-User to link it with my Test-Business-1 as told here
Where am I stuck
(in addition to the above mentioned error in API response)
Despite having done the above mentioned things, the BusinessManager continues to say that my request for adding my sandbox ad account (as identified by its account_id) is still pending
And when I try to forcibly redo it, it tells me that
Your business has already sent this request. To follow up on the request, contact the business you're requesting access from.
I must add that I didn't face the issue of having to accept Terms of Service
Facebook - custom audience ToS for sandbox account
How to create a custom audience using facebook api and sandbox ad account?
In other words
I'm not 100% sure if I've accepted terms of service
But since the error I get is different, my best guess is that I must've done it at some point of time (can't recall though)
My questions are
Immediate question: How can I accept the request for adding my Sandbox ad account to my BusinessManager?
Main question(s)
Where am I going wrong (understanding gap)?
How to test uploading and sharing a custom audience using a Sandbox Ad Account?
I found a workaround! You can create Custom audiences through the Marketing API using a real, not Sandbox, Ad account. Here's how to do it:
1. Create or log in to the Business Manager with an Ad account.
   NOTE: The newly created Businesses cannot create Custom audiences from the list of users (Customer list) with names, emails, etc., as they must run some Ads before this feature is unlocked (Facebook doesn't provide information about the exact requirements for this). You can open the Business Manager -> Audiences, then click "Create custom audience" and check that the "Customer list" option is unlocked for this account.
2. Log in or create a Facebook app on the Meta for Developers portal. Ensure that your Facebook account with access to the Business (from point 1) has an Admin role on this Facebook app.
   Normally, a Facebook app must pass an app review to be able to create Custom audiences through the Marketing API. But the Facebook app's Admins can use this API without app review. That's why it is necessary to have an Admin role in the Facebook app.
3. Integrate the Login API, log in to your Facebook account, retrieve an access token, and exchange it for the long-term access token (according to Facebook's auth docs). With this long-term access token, you can create Custom audiences for a Business from point 1 using Marketing API.
I am a long-time PayPal API user and am trying to use the new(er) REST API for my app. I have been pleased with the quality of the docs and API over our existing integration with PayPal MassPay, but I fear I have misunderstood the use of the REST API.
I have done at least a dozen other OAuth2 integrations with a lot of different services, and every one of them sets up a connection and gives us (the 3rd party app owner) a token, which lets us act on their behalf.
When I discovered the "My Apps" and REST API of PayPal, and saw it generated a client_id/secret, naturally I assumed I could create an app, and integrate it into my software, so that my clients can 'add' the app (initiating an OAuth connection), and then I have a token that I can use to create payouts on their behalf. What led to the confusion, in retrospect, is that I was able to obtain a token, and then make SOME REST API calls (specifically, the identity calls, which give me info about my client's PayPal account), but even if I added the following OAuth scopes:
https://api.paypal.com/v1/payments/.* https://uri.paypal.com/payments/payouts
I am getting permission denied whenever I try to initiate a payout, or use any API other than the identity calls.
So after further digging, I am coming to the conclusion that the REST API, and the whole 'apps' thing is simply for writing apps for your OWN account (except for identity), NOT for allowing my app to act on behalf of a 3rd party, as has been the case for every other oauth integration I have ever done.
Does this sound correct? Am I missing something that lets me identify what merchant I am acting on behalf of?
I'd really like to move off the MassPay API as it's very clunky. Please help!
My app allows third party users to login via PayPal and to authorise it to collect UserInfo such as name and address. I now want to get permission to do a transaction list on their account using the token they provide.
I get 401 Not Authorized using the current tokens and OAuth won't accept 'https://api.paypal.com/v1/payments/.*' as a scope.
Calling api.paypal.com/v1/Payments on behalf of third parties isn't currently supported using the REST APIs.
You can only get payment info (and transaction info) for yourself.
In order to get Transaction data on behalf of third parties, you need to use the Classic APIs, first using the Permission Services to request access, then use the Merchant API Services to get transaction data.
Edit: Jan 6th, 2016
To make requests on behalf of third-parties, you need to use the Permissions Services API to request the proper scope.
As far as I can tell (from reading the documentation), you still cannot request 3rd party payment data using the REST API. You must use the Classic Name-Value Pair/SOAP API.
I'm developing a web service where some users (companies) can receive payments directly from others (the company's customers). Currently a company needs to enter its PayPal username, password and signature to receive payments via the Express Checkout API. Is it normal that users (companies in my case) enter their PayPal credentials on a remote site, or is it secure information? I can't find any information about it. But I found that some services work in the same way:
http://www.getharvest.com/help/invoices-and-estimates/online-payment-and-gateways/paypal-website-payments-pro
http://support.getresponse.com/faq/how-find-api-login-data-paypal
help.wildapricot.com/display/DOC/PayPal+Payments+Pro
Also, I found another way of receiving direct payments: generating a button (on the PayPal site or manually), where you need only the PayPal email of the seller. What are the differences between these methods, and their advantages and disadvantages?
Yes, they are considered private. Since it grants you access to all API operations, it can also be used to empty your PayPal account.
What I would recommend instead of collecting API credentials, is to use 'third-party permissions'.
This means initially requesting permission from the account holder via a pop-up dialog. Once granted, you'll receive an access token. This access token can then be included in the HTTP header of your API calls to make calls on behalf of the customer.
Your users can either manually grant permissions to you (they'll need to log into their PayPal account and navigate to the right section within their Profile), or, if you want to make it easier, you can implement the 'Permissions API'.
I would suggest taking a look at https://developer.paypal.com/webapps/developer/docs/classic/products/permissions/ for more information.
To get started, sign up for an 'application' with PayPal via https://apps.paypal.com/.
Ensure you request access to the Permissions Service and receive an Application ID.
This will be the AppID for the Live environment. For Sandbox, you can use APP-80W284485P519543T.