I think the ReSt authorization API is broken, I don't get back the ID for the auth object when doing POST /payment with intent=authorize.
Even calling GET /v1/payments/payment/{id} I don't get an auth id.
Here's the http log: http://pastebin.com/e1bEjfBF
As you can see I get "related_resources":[{"authorization":{"create_time"... but there is no id.
The pastbin sample shows the lookup of a payment resource that has not been approved yet.
Generally, for a PayPal Payment in Rest, you will have to:
Create a PayPal payment (POST payment request to https://api.sandbox.paypal.com/v1/payments/payment)
Redirect the buyer to the returned Approval_URL (usually something like https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=)
Upon return of the buyer to the return_url you specified in step 1, execute the payment (POST the PayerID to https://api.sandbox.paypal.com/v1/payments/payment/PAY-xxxx/execute/)
When you now lookup the Pay-Key, you should see the state of the Pay-Key as "approved", included buyer details, an Authorization TXN-ID and authorization state of "Authorized".
The next step would be to call the appropriate HATEOAS links to capture, void or reauthorize the authorization.
I've uploaded a sample flow to http://pastebin.com/JWG8Gzuv
You can also refer to the developer documentation located under https://developer.paypal.com/webapps/developer/docs/integration/direct/capture-payment/
Related
I have a PayPal subscription set up on a Wordpress site. After the payment, the user is redirected back to domain.com/?token=ABCDABCDABCD
Can I use the token parameter in the URL to get the order/transaction info from the PayPal API? The documentation doesn't seem to help.
The only token that I can find in the docs is the authentication token, so I'm not sure what this one is supposed to be. I was under the impression that the return URL should have the subscription ID, but that looks like I-ABCDEFGH and it's not there even though the subscription is created successfully on PayPal.
I have implemented client side checkout as demo'd here https://developer.paypal.com/demo/checkout/#/pattern/client. Its working fine while testing with sandbox account. But I am concerned about how we can verify whether the payment has actually gone through from the server side?
For eg: if the user executed a payment for Order number 'X', I want to make sure that the payment has been successful. I noteiced the transaction Id which I understand is generated by paypal only if the payment has gone through and we can recieve that Id in the parameter for payment execute call back:
actions.payment.execute().then(function (payment) { // where payment.transactions[0].related_resources[0].sale.id is some value say 'xxx' });
The same Unique Id can be seen in the sandbox transaction details page (https://www.sandbox.paypal.com/webscr?cmd=_history-details-from-hub&id=xxx) as Unique Transaction IDxxx. Is there a way (a paypal endpoint) to verify this through a server side call? That is verfiy that the Transaction Id received at the server is a valid one from paypal.
Excuse my ignorance, are webhook events meant to do this?
You can use IPN/Webhooks, then PayPal will send a notification to you for every payment with the transaction id, payment details. You can use that information for verifying the payment.
Get an access token
First we need to have an oAuth token from paypal. For this we need to do a POST to https://api.sandbox.paypal.com/v1/oauth2/token (sandbox url) passing our PayPal app's client Id and Secret.
Details of the HttpClient object I used in C#:
DefaultRequestHeaders.Accept: application/json
DefaultRequestHeaders.AcceptLanguage: en_US
DefaultRequestHeaders.Authorization: AuthenticationHeaderValue of Basic scheme, parameter of Base64String of bytes encoded from (clientId:clientSecret).
The response will have the property access_token which has the access token we want to pass in the next request to get the status of the transaction. For more details on getting access token refer: https://developer.paypal.com/docs/api/overview/#get-an-access-token.
Get sale details
Now to make the request for sale/transaction details as said here: https://developer.paypal.com/docs/api/payments/v1/#sale_get.
Do a GET passing the access token as Bearer token in the Authorization header.
And the unique transaction Id as parameter for the sale id. The response will have the property "state". Having the value "COMPLETED" ensures the transaction has gone successfully.
2 questions for you regarding Paypal Hosted Checkout solution and the goal of the "Identity Token" or "Token ID".
1-
I've come accross several online Paypal docs (such as for Payflow integration) that talk about providing the "Identity Token" (or "Token ID", I think they're the same do they?), but I was wondering what's the goal of passing over this token ID, is it for my own security, or Paypal's one, or something else? Does anybody know exactly what's the purpose of that token ID, what Paypal is doing with it, and/or what the vendor shall be doing with it?
Asking this because when doing the form post to redirect the user to the Paypal hosted checkout, we have to first call the paypal gateway server to obtain the "secure token" and this API call is already secured through another method right, I need to pass my account credentials. So why posting only the "secure token" is not enough and we also need to post that "token ID"? Paypal should already have associated the secure token with my account information through the first API call no?
2-
Also, at the end of the flow, once Paypal returns the customer to my vendor website, does Paypal include any of those tokens (token ID or secure token) as part of their request (perhaps by adding url parameters to my given vendor return url)? If so, does Paypal recommands any sort of validation to be made on the vendor side, such as validating that the tokens match the ones that I, the vendor, stored in the user session prior to redirecting the customer through a form post to the Paypal hosted checkout? Basically, how can I ensure that the session was not hijacked between the time I redirect the customer to Paypal hosted checkout and the time Paypal returns the customer back to my site?
Reference: https://developer.paypal.com/docs/classic/payflow/integration-guide/#hosted-checkout-pages
Thanks a lot
As the previous user states, the Token id is used basically to identify an specific transaction process during it's workflow.
About your second question, in case of Express Checkout, the workflow does not ends when PayPal returns the user to your site. This step you are describing is probably when you send the user to PayPal to AUTHORIZE a payment that you will issue later. The last step is the DoExpressCheckoutPayment, in which you just inform paypal to make the transaction, for this you just pass to PayPal the token, so PayPal knows what you are "talking" about.
Is it good practice to validate the token, I would say yes. Somebody might be listening at your connection and injecting some invalid token. In any case, if you send an invalid token you will get an error message from paypal.
the following image illustrates very good the whole process:
As I understand it (and if reading this correctly), the Secure Token is for processing transactions on your own site instead of passing the user and order to paypal for processing. The Secure Token identifies that specific transaction and ensures the continuity of the order is not broken. You require a Token ID in order to obtain a Secure Token.
I have setup PayPal Sandbox test accounts, a Personal (buyer) and a Business (merchant).
I'd like to test a PayPal 'DoCapture' API Operation. The problem I'm encountering is that I need an AuthorizationID and don't know how to obtain it. If i run the 'DoExpressCheckoutPayment' API call, I do not get an AuthorizationID returned, using the merchant API credentials, though I do get an 'ACK' of success. Do I need to be using the buyer credentials with the 'DoExpressCheckOutPayment' call? I don't see the API credentials in the PayPal Sandbox profile for the Personal account.
Express Checkout example with authorization and capturing you can find here.
Short answer - according with DoCapture documentation
AuthorizationID ... This is the transaction ID returned from DoExpressCheckoutPayment...
According with DoExpressCheckout documentation you need field from response, attention, PaymentInfo#TransactionId
... this value is your AuthorizationID for use with the Authorization & Capture APIs.
This is what you need to do to implement the capture API.
Create Payment: set intent as authorize in its request to get payment Id
Show Payment Details: to get approval_url. The customer will use this URL to pay for the order.
Execute approved PayPal payment: Use this API after customer successfully pays for the order. This API returns authorization-id along with capture link.
Use Capture API: use the URL obtained from step 3 to capture.
Use this link and check payments API.
https://developer.paypal.com/docs/api/payments/#payment_execute
Hope this helps to someone who stumbles upon here.
I am using PayPal Adaptive payments (chained payments).
If I set:
1. CREATE payment
2. In the SetPaymentOptions -> Requires shipping address selection = true
3. When I redirect user for the https://www.sandbox.paypal.com/webscr&cmd=_ap-payment&paykey=[PA KEY] user after authentication is not shown any prompt for shipping address
why?
Accordingly to the
https://www.x.com/developers/paypal/documentation-tools/api/pay-api-operation
when using CREATE I should do: CREATE – Use this option to set up the payment instructions with SetPaymentOptions and then execute the payment at a later time with the ExecutePayment.
But as soon as I try to run ExecutePayment I get the following information:
This payment request must be authorized by the sender
How can I set additional payment options then?
The ExecutePayment call would only be used if you're utilizing delayed chained payments. Otherwise, the payment still happens as soon as the buyer logs in and approves it, so there is no need for ExecutePayment. Calling it at that point results in the error you're getting, that the paykey was already used.
Did the sender actually authorize the payment?
The flow should be like:
Call Pay API operation with actionType as CREATE
If paymentExecStatus=CREATED and ack=SUCCESS, obtain payKey (here, keep detailLevel=ReturnAll in RequestEnvelope field of your Pay API request)
Redirect user to Paypal https://www.sandbox.paypal.com/webscr?cmd=_ap-payment&paykey=YOUR_PAYKEY_ABOVE
If user approves payment, you will be redirected to your returnURL sent as a part of Pay API request
Verify approval status using PaymentDetails API operation
Later you can execute the payment thus setup in step 4 using ExecutePayment API operation. Send the same payKey you obtained in step 2.
You have got error code 550001 since the user approval seems to be not yet done successfully. It may be due to:
The application did not redirect user/sender to Paypal for authorization
OR
The user did not enter correct login details
OR
There were not sufficient funds available
etc.