billing agreement token lifetime - paypal

When I create an agreement for a PayPal payment, it returns the REDIRECT link with a token.
The user must connect to PayPal via this link and accept the agreement, then I can execute the agreement.
I want to know how long the REDIRECT link (and its associated token) is valid. I ask because I want to precompute agreements and put them in a cache, so if a user wants to subscribe I use a cached REDIRECT link and it's fast. The create-agreement call takes 2 seconds, which is too long; speed is critical at the checkout stage.
I use the REST API + Java.

Express Checkout tokens (which is what REST API returns for the Billing Agreement calls) expire after 3 hours.

Related

PayPal API payments without sign in, and obtaining an access token

Is it possible to add or link PayPal to an account (get a user access token from PayPal or something like this) to allow payments without authorization (without logging in and confirming, like with a card when we have the card number and CVC)?
And a second question: I am using the PayPal sandbox and I cannot refresh the token when trying to execute the query.
I get this answer:
{
"error": "invalid_refresh_token",
"error_description": "No consent were granted"
}
Is it possible they disabled this option on the sandbox?
Regards
Credit card company rules do not permit a CVC to be stored under any circumstances, so you would never "have" this information. It can only be transmitted when a card is first processed and then must be immediately discarded. As for storing card numbers themselves, there are many rules about that (PCI SAQ-D is a place to start, if you need to research it).
To your PayPal question, to be able to bill a PayPal account without the payer signing in (though they will always have to sign in for initial agreement/set up), the receiving PayPal account must have a feature called "reference transactions". The account owner can contact PayPal's general business support (not technical support) to explain the business need and inquire about being approved for enabling this feature. Once enabled, PayPal can guide you on which API to implement -- be it the older billing agreements API or a newer v2 or v3 vault one.
Refresh tokens are used by a Log in with PayPal integration to obtain a new access token when the old one (originally obtained from an authorization_code) is expired. If you are not integrating Log in with PayPal, refresh tokens are not applicable to what you are actually trying to do, and so the request in your screenshot won't be useful to you.
Refresh tokens are not used to obtain a regular REST API access token for authentication, which uses grant_type=client_credentials. If that's what you're actually trying to do, the documentation is here. The public PayPal Postman API collection sample takes care of this step for you, in the collection-level pre-execution script.

How to interpret PayPal billing agreement creation?

I am building a PayPal subscription system but I have some difficulties understanding some points. When using the sandbox I can't simulate a payment denial process, so when the payment is made, PayPal redirects me to my "approval url callback" and a billing agreement is created.
So I want to know, in a real situation, will PayPal redirect me to the approval URL and create this billing agreement even if the payment didn't occur yet? Or can this one be created if and only if the payment is accepted? (So if PayPal denied the payment the billing agreement would never be created.)
In my case, my customers will need access to some paid features of my website, so should I wait for the "IPN webhook notification (PAYMENT.SALE.COMPLETED)", which can take several minutes to be fired to my endpoint, or can I grant access immediately after the billing agreement is created?
Which is the most secure thing to do?
Thanks.
If the user cancels the checkout, PayPal will redirect to your cancel URL.
But the failed payment cases are not clear to me either. I believe that the agreement will be created even if the payment fails, since it needs to exist for the payment attempt to be made, but I don't work at PayPal :).
My approach is to activate the subscription on a successful redirect no matter what, [edit: the execute response returns an agreement_details.next_billing_date in the past, so you can't use that] with a short initial subscription expiration (4h). When our webhook receives a PAYMENT.SALE.COMPLETED message, we fetch the billing agreement details and update the subscription expiration to the new agreement_details.next_billing_date. But if the webhook receives a PAYMENT.SALE.DENIED, we just let the subscription expire.
HTH.
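The provisional-access approach described in the answer above, as an added example (not code from the answer's author or from PayPal): a short 4h window is granted on redirect, PAYMENT.SALE.COMPLETED extends it to the fetched next_billing_date, and PAYMENT.SALE.DENIED leaves it to lapse. The shape of `agreement_details` is assumed, and the guard that never moves the expiry backwards is an addition to handle the stale next_billing_date the answer mentions.

```python
from datetime import datetime, timedelta, timezone

PROVISIONAL_ACCESS = timedelta(hours=4)  # short initial window from the answer


def activate_on_redirect(sub, now):
    """Grant provisional access right after the approval redirect.

    The execute response's next_billing_date is in the past, so it is
    deliberately not consulted here; only the fixed 4h window is used.
    """
    sub["active"] = True
    sub["expires_at"] = now + PROVISIONAL_ACCESS
    return sub


def apply_webhook(sub, event_type, agreement_details):
    """Update the subscription from a webhook event.

    `agreement_details` stands for the billing agreement details fetched
    after the event (assumed shape: {"next_billing_date": ISO-8601 string}).
    """
    if event_type == "PAYMENT.SALE.COMPLETED":
        raw = agreement_details["next_billing_date"].replace("Z", "+00:00")
        next_billing = datetime.fromisoformat(raw)
        # Added guard: only extend access, never shorten it on a stale date.
        if next_billing > sub["expires_at"]:
            sub["expires_at"] = next_billing
    elif event_type == "PAYMENT.SALE.DENIED":
        pass  # do nothing; the provisional window simply runs out
    return sub


def has_access(sub, now):
    """Paid features are available while the subscription is active and unexpired."""
    return bool(sub.get("active")) and now < sub["expires_at"]


if __name__ == "__main__":
    # Constructed walk-through: redirect, then a completed sale 10 minutes later.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sub = activate_on_redirect({}, t0)
    sub = apply_webhook(sub, "PAYMENT.SALE.COMPLETED",
                        {"next_billing_date": "2024-01-31T12:00:00Z"})
    print(sub["expires_at"], has_access(sub, t0 + timedelta(days=20)))
```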

What is the PayPal "Identity Token" or "Token ID" and what is it used for?

2 questions for you regarding the PayPal Hosted Checkout solution and the goal of the "Identity Token" or "Token ID".
1-
I've come across several online PayPal docs (such as for Payflow integration) that talk about providing the "Identity Token" (or "Token ID", I think they're the same, aren't they?), but I was wondering what the goal of passing over this token ID is: is it for my own security, or PayPal's, or something else? Does anybody know exactly what the purpose of that token ID is, what PayPal is doing with it, and/or what the vendor should be doing with it?
I'm asking this because when doing the form post to redirect the user to the PayPal hosted checkout, we have to first call the PayPal gateway server to obtain the "secure token", and this API call is already secured through another method, right? I need to pass my account credentials. So why is posting only the "secure token" not enough, and why do we also need to post that "token ID"? PayPal should already have associated the secure token with my account information through the first API call, no?
2-
Also, at the end of the flow, once PayPal returns the customer to my vendor website, does PayPal include any of those tokens (token ID or secure token) as part of their request (perhaps by adding URL parameters to my given vendor return URL)? If so, does PayPal recommend any sort of validation to be made on the vendor side, such as validating that the tokens match the ones that I, the vendor, stored in the user session prior to redirecting the customer through a form post to the PayPal hosted checkout? Basically, how can I ensure that the session was not hijacked between the time I redirect the customer to PayPal hosted checkout and the time PayPal returns the customer back to my site?
Reference: https://developer.paypal.com/docs/classic/payflow/integration-guide/#hosted-checkout-pages
Thanks a lot
As the previous user states, the Token ID is used basically to identify a specific transaction process during its workflow.
About your second question, in the case of Express Checkout, the workflow does not end when PayPal returns the user to your site. The step you are describing is probably when you send the user to PayPal to AUTHORIZE a payment that you will issue later. The last step is the DoExpressCheckoutPayment, in which you just inform PayPal to make the transaction; for this you just pass the token to PayPal, so PayPal knows what you are "talking" about.
Is it good practice to validate the token? I would say yes. Somebody might be listening on your connection and injecting some invalid token. In any case, if you send an invalid token you will get an error message from PayPal.
The following image illustrates the whole process very well:
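The session-binding check the question and this answer discuss, as an added example (not code from the answer's author, from PayPal, or from the Payflow documentation): the token the gateway issued is stored server-side against the user's session before the redirect, and on return the token in the URL must match it exactly once. The query-parameter name `token`, the hosted-checkout URL and the session store are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the vendor's server-side session store:
# session id -> token issued by the gateway before the redirect.
SESSIONS = {}

CHECKOUT_URL = "https://hosted-checkout.example.invalid/pay"  # assumed


def begin_checkout(session_id, gateway_token):
    """Remember the gateway-issued token for this session, then build the
    redirect URL the customer is sent to. One outstanding token per session."""
    SESSIONS[session_id] = gateway_token
    return CHECKOUT_URL + "?" + urlencode({"token": gateway_token})


def verify_return(session_id, return_url):
    """On the vendor return URL, require the token parameter to equal the one
    this session stored. Fails closed on an unknown session, a missing or
    mismatched token, or a replay (the stored token is consumed on first use)."""
    expected = SESSIONS.pop(session_id, None)  # single use, even on mismatch
    if expected is None:
        return False
    received = parse_qs(urlparse(return_url).query).get("token", [""])[0]
    # Constant-time compare so a mismatch leaks nothing about the stored value.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Constructed walk-through with a made-up token value.
    redirect = begin_checkout("sess-1", "TOKEN-CONSTRUCTED-123")
    print(redirect)
    back = "https://vendor.example.invalid/return?token=TOKEN-CONSTRUCTED-123"
    print(verify_return("sess-1", back))  # first return: accepted
    print(verify_return("sess-1", back))  # replay of the same return: rejected
```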
As I understand it (if I'm reading this correctly), the Secure Token is for processing transactions on your own site instead of passing the user and order to PayPal for processing. The Secure Token identifies that specific transaction and ensures the continuity of the order is not broken. You require a Token ID in order to obtain a Secure Token.

Get Billing Agreements For Test Accounts

We are setting up a new PayPal integration, and I am having some trouble getting the Billing Agreements. Here is our scenario:
Third party captures payment authorization
Third party sends us the Billing Agreement ID (they call it a Transaction Number)
We do a reference transaction to execute the payment, using that ID (this is done to renew a subscription, typically every 30 days or so)
What I am trying to do is actually write that third part. However, first it must be tested, and I am having trouble getting the billing agreement IDs for my test accounts. I assume that typically that part is handled through a web page that the customer has signed in to with PayPal, so the API knows what purchaser account is being linked. How do I do this programmatically? Or manually? I don't care, because we will never be making this call; I just need the IDs for the test accounts.
Any help is appreciated.
You can do this with Express Checkout. When you call SetExpressCheckout just make sure to include the billing agreement parameters.

PayPal: Is there a way to check a cart right before a user pays?

Is there any way currently for PayPal's API to send my site an authorization request before completing a user's payment?
I think the answer here would be that there is no way to do this, but one can set "authorization" as a cart parameter instead of "sale". This still leaves the question of how to complete the authorization in the callback.
Maybe this will clarify your doubt to a certain extent.
Authorization & Capture starts when your buyer authorizes a payment amount during checkout.
For example, you can use the PayPal Express Checkout API with the PAYMENTACTION element set to Authorization or Order.
After your buyer completes checkout, you can then use the payment’s transaction ID with Authorization & Capture APIs. You can:
Capture either a partial amount or the full authorization amount.
Authorize a higher amount, up to 115% of the originally authorized amount (not to exceed an increase of $75 USD).
Void a previous authorization.