Are PayPal username, password and signature secure and private? - paypal

I'm developing a web service where some users (companies) can receive payments directly from others (the companies' customers). Currently a company needs to enter its PayPal username, password and signature to receive payments via the Express Checkout API. Is it normal for users (companies in my case) to enter their PayPal credentials on a remote site, or is this secure information? I can't find any information about it. But I found that some services work in the same way:
http://www.getharvest.com/help/invoices-and-estimates/online-payment-and-gateways/paypal-website-payments-pro
http://support.getresponse.com/faq/how-find-api-login-data-paypal
help.wildapricot.com/display/DOC/PayPal+Payments+Pro
I also found another way of receiving direct payments: generating a button (on the PayPal site or manually), where you need only the PayPal email of the seller. What are the differences between these methods, and their advantages and disadvantages?

Yes, they are considered private. Since it grants you access to all API operations, it can also be used to empty your PayPal account.
What I would recommend instead of collecting API credentials, is to use 'third-party permissions'.
This means initially requesting permission from the account holder via a pop-up dialog. Once granted, you'll receive an access token. This access token can then be included in the HTTP header of your API calls to make calls on behalf of the customer.
Your users can either manually grant permissions to you (they'll need to log into their PayPal account and navigate to the right section within their Profile), or, if you want to make it easier, you can implement the 'Permissions API'.
I would suggest taking a look at https://developer.paypal.com/webapps/developer/docs/classic/products/permissions/ for more information.
To get started, sign up for an 'application' with PayPal via https://apps.paypal.com/.
Ensure you request access to the Permissions Service and receive an Application ID.
This will be the AppID for the Live environment. For Sandbox, you can use APP-80W284485P519543T.

Related

How to Integrate Azure API Management With Paypal

I've been integrating Azure API Management with Paypal.
Here is the current flow:
1. User goes to the APIM portal and signs in
2. Azure B2C flow is executed
3. On auth success, the delegation endpoint is executed to evaluate the APIM operation (SignIn, Subscribe, etc.)
4. When the operation is Subscribe, redirect to the corresponding Paypal subscription link
5. Paypal flow is executed
6. Paypal returns to the delegation endpoint configured in Paypal's returnurl

So far so good. The issue I'm having is that the only thing I have access to from Paypal is the referer, which looks like this:
https://www.sandbox.paypal.com/webapps/billing/subscriptions?ba_token=[BA_TOKEN]&country.x=US&locale.x=en_US&mode=member&token=[TOKEN]
I'm lost on how I could use those tokens to identify which product the user subscribed to.
In step 4, store the subscription link or its ID before redirecting the user, as a pending checkout/order.
When they return, note any additional parameters in the return URL.
This should give you enough information to match the return event with the original subscription redirection and user.
For the best experience, change your flow to use no redirection at all.
See the modern "in-context" JS buttons solution here, which keeps your site loaded in the background: https://developer.paypal.com/docs/subscriptions/integrate/#4-create-a-subscription
(If you don't know what that means, click the PayPal button in this demo and note the window that opens; that's essentially the experience: https://developer.paypal.com/demo/checkout/#/pattern/client )
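The matching described in this answer, sketched as an added example (not code from the original post or from PayPal). It assumes the delegation endpoint already knows the signed-in user's id; the class and method names, the TTL and the sample URLs are hypothetical.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

PENDING_TTL = 900  # seconds a pending checkout stays valid (assumed value)


class PendingCheckouts:
    """Server-side record of subscription redirects, keyed by signed-in user."""

    def __init__(self, now=time.time):
        self._now = now
        self._by_user = {}

    def begin(self, user_id, product_id, subscription_link):
        """Call in the Subscribe step, just before redirecting to PayPal."""
        record = {
            "checkout_id": secrets.token_urlsafe(16),
            "product_id": product_id,
            "subscription_link": subscription_link,
            "expires": self._now() + PENDING_TTL,
        }
        self._by_user[user_id] = record  # a newer attempt replaces an older one
        return record["checkout_id"]

    def complete(self, user_id, return_url):
        """Call when the delegation endpoint is hit on return from PayPal.

        Returns the matched record, or None if nothing valid is pending.
        """
        record = self._by_user.pop(user_id, None)  # single use
        if record is None or self._now() > record["expires"]:
            return None
        # Keep the return parameters for later reconciliation only; the product
        # comes from our own record, never from the query string.
        query = parse_qs(urlsplit(return_url).query)
        record["return_params"] = {k: v[0] for k, v in query.items()}
        return record


# Constructed sample values, not real tokens or links.
SAMPLE_LINK = "https://paypal.example/subscribe?plan_id=P-PLACEHOLDER"
SAMPLE_RETURN = "https://apim.example/delegation?ba_token=BA-SAMPLE&token=SAMPLE"
```

Because the product is read from the stored record and the record is consumed on first use, a replayed or edited return URL cannot select a different product.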

Using the REST API to perform bulk payouts on behalf of our client

I am a long-time PayPal API user and am trying to use the new(er) REST API for my app. I have been pleased with the quality of the docs and API compared with our existing integration with PayPal MassPay, but I fear I have misunderstood the use of the REST API.
I have done at least a dozen other OAuth2 integrations with a lot of different services, and every one of them sets up a connection and gives us (the 3rd party app owner) a token, which lets us act on their behalf.
When I discovered the "My Apps" and REST API of PayPal and saw it generated a client_id/secret, naturally I assumed I could create an app and integrate it into my software, so that my clients can 'add' the app (initiating an OAuth connection), and then I have a token that I can use to create payouts on their behalf. What led to the confusion, in retrospect, is that I was able to obtain a token, and then make SOME REST API calls (specifically, the identity calls, which give me info about my client's PayPal account), but even if I added the following OAuth scopes:
https://api.paypal.com/v1/payments/.* https://uri.paypal.com/payments/payouts
I am getting permission denied whenever I try to initiate a payout, or use any API other than the identity calls.
So after further digging, I am coming to the conclusion that the REST API, and the whole 'apps' thing is simply for writing apps for your OWN account (except for identity), NOT for allowing my app to act on behalf of a 3rd party, as has been the case for every other oauth integration I have ever done.
Does this sound correct? Am I missing something that lets me identify what merchant I am acting on behalf of?
I'd really like to move off the MassPay API as it's very clunky. Please help!

Make PayPal REST API request on behalf of merchant via OAuth

I want to add PayPal REST API capabilities to our shop software. Unfortunately it seems there is no way to automate the process of connecting the merchant's account to our system. It looks like if you use the REST API you need to ask for the client ID and secret. Then you trade that information for an OAuth token. However, this is not the normal OAuth flow, which has a step that asks for the user's permission and does not require credentials to begin with.
These two topics basically cover the same issue, but are rather stale:
paypal rest api credential via oauth
Is it possible to use `Log In with PayPal` to make REST api requests on behalf of the user?
Does anybody know if this is possible in the meantime? I find it rather strange to design a RESTful API with OAuth capabilities and then not use it by allowing people to automatically ask for access rights on behalf of the merchant. This makes it somewhat useless for all shop software, doesn't it? Well, at least inconvenient.
Or is there maybe a way one could use the old API to obtain an access token that can also be used with the REST API?
Have you looked into the Permissions API?

How do I get scope(s) when requesting token from 3rd party to do transaction list on their account?

My app allows third party users to login via PayPal and to authorise it to collect UserInfo such as name and address. I now want to get permission to do a transaction list on their account using the token they provide.
I get 401 Not Authorized using the current tokens and OAuth won't accept 'https://api.paypal.com/v1/payments/.*' as a scope.
Calling api.paypal.com/v1/Payments on behalf of third parties isn't currently supported using the REST APIs.
You can only get payment info (and transaction info) for yourself.
In order to get Transaction data on behalf of third parties, you need to use the Classic APIs, first using the Permission Services to request access, then use the Merchant API Services to get transaction data.
Edit: Jan 6th, 2016
To make requests on behalf of third-parties, you need to use the Permissions Services API to request the proper scope.
As far as I can tell (from reading the documentation), you still cannot request 3rd party payment data using the REST api. You must use the Classic Name-Value Pair/SOAP api.

Find paypal account information via API

After reading the PayPal API for quite some time, I fail to see how to obtain account / account holder information for the account for which I have the API username / password and signature. This leads me to the following questions:
a) Is it possible to obtain that information?
b) How would I accomplish this?
So just to clarify, you want to receive the account information for the account for which you have the API credentials? What information do you want to retrieve, and why? Typically, the account you have credentials for would be your own, and you would just log in to access it. If you want to retrieve information about transactions, you could use the APIs to do this. However, the APIs won't return the information you have listed on your account, such as credit card number, email address, and things like that.
The GetPalDetails API returns the PayPal ID for the account whose API credentials you are using, along with the country code.