REST API - PAYPAL DEVELOPER
https://developer.paypal.com/docs/api/overview/
The PayPal APIs are HTTP-based RESTful APIs that use OAuth 2.0 for authorization. API request and response bodies are formatted in JSON.
Important: You cannot run the sample requests in this guide as-is. Replace call-specific parameters such as tokens and IDs with your own values.
If you are a non-US developer, see International Developer Questions.
For definitions of common REST API terms, see the Glossary.
Authentication and authorization
The PayPal REST API uses the OAuth 2.0 protocol to authorize calls. OAuth is an open standard that many companies use to provide secure access to protected resources.
When you create an app, PayPal generates a set of OAuth client ID and secret credentials for your app for both the sandbox and live environments. You pass these credentials in the Authorization header in a get access token request.
In exchange for these credentials, the PayPal authorization server issues access tokens called bearer tokens that you use for authorization when you make REST API requests. A bearer token enables you to complete actions on behalf of, and with the approval of, the resource owner.
The access_token field in the get access token response contains a bearer token, indicated by the token_type of Bearer:
{
  "scope": "scope",
  "nonce": "nonce",
  "access_token": "Access-Token",
  "token_type": "Bearer",
  "app_id": "APP-80W284485P519543T",
  "expires_in": 32398
}
Include this bearer token in API requests in the Authorization header with the Bearer authentication scheme.
This sample request uses a bearer token to list invoices for a merchant:
curl -v -X GET "https://api.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true" \
-H "Content-Type:application/json" \
-H "Authorization: Bearer Access-Token"
Access tokens have a finite lifetime. The expires_in field in the get access token response indicates the lifetime, in seconds, of the access token. For example, an expiry value of 3600 indicates that the access token expires in one hour from the time the response was generated.
To detect when an access token expires, write code to either:
- Keep track of the expires_in value in the token response. The value is expressed in seconds.
- Handle the HTTP 401 Unauthorized status code. The API endpoint issues this status code when it detects an expired token.
Before you create another token, re-use the access token until it expires. See the rate limiting guidelines.
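The two expiry checks and the re-use rule above, combined in one small cache (an added example, not PayPal's code). The fetch_token and send callables, the 60-second margin and the token-N values are assumptions constructed for the demonstration so that the block runs offline.

```python
import time


class TokenCache:
    """Holds one bearer token and renews it only when it is about to expire."""

    def __init__(self, fetch_token, clock=time.monotonic, margin=60):
        self._fetch_token = fetch_token   # hypothetical: returns the token response as a dict
        self._clock = clock
        self._margin = margin             # assumed safety margin, in seconds
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0              # how many tokens were requested

    def _renew(self):
        requested_at = self._clock()      # count the lifetime from before the call
        body = self._fetch_token()
        if body.get("token_type") != "Bearer" or not body.get("access_token"):
            raise ValueError("unexpected get access token response")
        self._token = body["access_token"]
        self._expires_at = requested_at + max(int(body["expires_in"]) - self._margin, 0)
        self.fetch_count += 1

    def get(self):
        # Check 1: track expires_in and renew shortly before the token lapses.
        if self._token is None or self._clock() >= self._expires_at:
            self._renew()
        return self._token

    def invalidate(self):
        self._token = None

    def __repr__(self):                   # keep the token out of logs and tracebacks
        return f"TokenCache(has_token={self._token is not None})"


def call_with_token(cache, send):
    """send(headers) -> (status, body). Check 2: renew and retry once on 401."""
    status, body = send({"Authorization": "Bearer " + cache.get()})
    if status == 401:
        cache.invalidate()
        status, body = send({"Authorization": "Bearer " + cache.get()})
    return status, body


def demo():
    """Constructed scenario: fake clock, fake token endpoint, fake API."""
    now, issued, rejected = [0.0], [], set()

    def fetch_token():
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": 3600}

    def send(headers):
        token = headers["Authorization"].split(" ", 1)[1]
        return (401, "") if token in rejected else (200, token)

    cache = TokenCache(fetch_token, clock=lambda: now[0])
    results = [call_with_token(cache, send)]      # first call fetches token-1
    now[0] = 1800
    results.append(call_with_token(cache, send))  # token-1 is re-used
    now[0] = 3550                                 # inside the 60 s margin
    results.append(call_with_token(cache, send))  # renewed to token-2
    rejected.add("token-2")                       # server now answers 401
    results.append(call_with_token(cache, send))  # one retry with token-3
    return results, cache.fetch_count
```

Four API calls in the demo cost three token requests; without the cache each call would have requested its own token.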
API requests
To construct a REST API request, combine these components:
| Component | Description |
|---|---|
| The HTTP method | |
| The URL to the API service | |
| The URI to the resource | The resource to query, submit data to, update, or delete. For example, v1/invoicing/invoices. |
| Query parameters | Optional. Controls which data appears in the response. Use to filter, limit the size of, and sort the data in an API response. |
| HTTP request headers | Includes the Authorization header with the access token. |
| A JSON request body | Required for most GET, POST, PUT, and PATCH calls. |
This sample request cancels a billing agreement:
curl -v -X POST https://api.sandbox.paypal.com/v1/payments/billing-agreements/I-1TJ3GAGG82Y9/cancel \
-H "Content-Type:application/json" \
-H "Authorization: Bearer Access-Token" \
-d '{
"note": "Canceling the profile."
}'
Query parameters
For most REST GET calls, you can specify one or more optional query parameters on the request URI to filter, limit the size of, and sort the data in an API response. For filter parameters, see the individual GET calls.
To limit, or page, and sort the data that is returned in some API responses, use these, or similar, query parameters:
Note: Not all pagination parameters are available for all APIs.
| Parameter | Type | Description |
|---|---|---|
count | integer | The number of items to list in the response. |
end_time | integer | The end date and time for the range to show in the response, in Internet date and time format. For example, end_time=2016-03-06T11:00:00Z. |
page | integer | The zero-relative start index of the entire list of items that are returned in the response. So, the combination of page=0 and page_size=20 returns the first 20 items. The combination of page=20 and page_size=20 returns the next 20 items. |
page_size | integer | The number of items to return in the response. |
total_count_required | boolean | Indicates whether to show the total count in the response. |
sort_by | string | Sorts the payments in the response by a specified value, such as the create time or update time. |
sort_order | string | Sorts the items in the response in ascending or descending order. |
start_id | string | The ID of the starting resource in the response. When results are paged, you can use the next_id value as the start_id to continue with the next set of results. |
start_index | integer | The start index of the payments to list. Typically, you use the start_index to jump to a specific position in the resource history based on its cart. For example, to start at the second item in a list of results, specify ?start_index=2. |
start_time | string | The start date and time for the range to show in the response, in Internet date and time format. For example, start_time=2016-03-06T11:00:00Z. |
For example, the Invoicing API returns details for four invoices beginning with the third invoice and includes the total count of invoices in the response:
curl -v -X GET "https://api.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true" \
-H "Content-Type:application/json" \
-H "Authorization: Bearer Access-Token"
HTTP request headers
The commonly used HTTP request headers are:
| Header | Description |
|---|---|
| Accept |
Required for operations with a response body.
Specifies the response format. The syntax is:
Accept: application/format
Where format is json. |
| Authorization |
Required to get an access token or make API calls.
To get an access token, set this header to your client_id and secret credentials.
Note: If you use cURL, specify
To make REST API calls, include the bearer token in the Authorization header with the Bearer authentication scheme:
Authorization: Bearer Access-Token
|
| Content-Type |
Required for operations with a request body.
Specifies the request format. The syntax is:
Content-Type: application/format
Where format is json. |
| PayPal-Auth-Assertion |
Specifies an API client-provided JSON Web Token (JWT) assertion that identifies the merchant.
When an API client acts on behalf of multiple merchants at the same time, it becomes difficult and expensive to generate and manage multiple access tokens. Instead, API clients can use this header to provide a JWT assertion that identifies the merchant when the API is called.
Prerequisite: To use this header, you must get consent to act on behalf of a merchant.
In the header, specify one of these JSON Web Token sub-forms:
Unsecured JWT example:
All API endpoints support this header.
|
| PayPal-Client-Metadata-Id |
Optional.
Verifies that the payment originates from a valid, user-consented device and application. Reduces fraud and decreases declines. Transactions that do not include a client metadata ID are not eligible for PayPal Seller Protection. To initiate a pre-consented payment from a mobile device, see future payments.
|
| PayPal-Partner-Attribution-Id |
Optional.
Indicates that you are a PayPal partner. To receive revenue attribution, specify a unique build notation (BN) code. BN codes provide tracking on all transactions that originate or are associated with a particular partner. To learn more or to request a BN code, contact your partner manager or visit the PayPal Partner Portal.
|
| PayPal-Request-Id |
Optional.
Contains a unique user-generated ID that you can use to enforce idempotency.
Notes: |
API responses
PayPal API calls return HTTP status codes. Some API calls also return JSON response bodies that include information about the resource including one or more contextual HATEOAS links. Use these links to request more information about and construct an API flow that is relative to a specific request.
HTTP status codes
Success
In the responses, PayPal returns these HTTP status codes for successful requests:
| Status code | Description |
|---|---|
200 OK | The request succeeded. |
201 Created | A POST method successfully created a resource. If the resource was already created by a previous execution of the same method, for example, the server returns the HTTP 200 OK status code. |
202 Accepted | The server accepted the request and will execute it later. |
204 No Content | The server successfully executed the method but returns no response body. |
Error
In the responses for failed requests, PayPal returns HTTP 4XX or 5XX status codes.
For all errors except Identity errors, PayPal returns an error response body that includes additional error details in this format:
{
"name": "ERROR_NAME",
"message": "ERROR_DESCRIPTION",
"information_link": "ERROR_DOCUMENTATION_LINK",
// Some types of errors also include a details array:
"details": [
{
"field": "field_name",
"issue": "problem_with_field"
}
]
}
The response body for Identity errors includes additional error details in this format:
{
"error": "ERROR_NAME",
"error_description": "ERROR_DESCRIPTION"
}
In the responses, PayPal returns these HTTP status codes for failed requests:
| HTTP status code | Typical error code and error message | Cause |
|---|---|---|
400 Bad Request | INVALID_REQUEST. Request is not well-formed, syntactically incorrect, or violates schema. | See Validation errors. The server could not understand the request. Indicates one of these conditions:
|
401 Unauthorized | AUTHENTICATION_FAILURE. Authentication failed due to invalid authentication credentials. | See Authentication errors. The request requires authentication and the caller did not provide valid credentials. |
403 Forbidden | NOT_AUTHORIZED. Authorization failed due to insufficient permissions. | The client is not authorized to access this resource although it might have valid credentials. For example, the client does not have the correct OAuth 2 scope. Additionally, a business-level authorization error might have occurred. For example, the account holder does not have sufficient funds. |
404 Not Found | RESOURCE_NOT_FOUND. The specified resource does not exist. | The server did not find anything that matches the request URI. Either the URI is incorrect or the resource is not available. For example, no data exists in the database at that key. |
405 Method Not Allowed | METHOD_NOT_SUPPORTED. The server does not implement the requested HTTP method. | The service does not support the requested HTTP method. For example, PATCH. |
406 Not Acceptable | MEDIA_TYPE_NOT_ACCEPTABLE. The server does not implement the media type that would be acceptable to the client. | The server cannot use the client-request media type to return the response payload. For example, this error occurs if the client sends an Accept: application/xml request header but the API can generate only an application/json response. |
415 Unsupported Media Type | UNSUPPORTED_MEDIA_TYPE. The server does not support the request payload’s media type. | The API cannot process the media type of the request payload. For example, this error occurs if the client sends a Content-Type: application/xml request header but the API can only accept application/json request payloads. |
422 Unprocessable Entity | UNPROCCESSABLE_ENTITY. The API cannot complete the requested action, or the request action is semantically incorrect or fails business validation. | The API cannot complete the requested action and might require interaction with APIs or processes outside of the current request. No systemic problems limit the API from completing the request. For example, this error occurs for any business validation errors, including errors that are not usually of the 400 type. |
429 Unprocessable Entity | RATE_LIMIT_REACHED. Too many requests. Blocked due to rate limiting. | The rate limit for the user, application, or token exceeds a predefined value. See RFC 6585. |
500 Internal Server Error | INTERNAL_SERVER_ERROR. An internal server error has occurred. | A system or application error occurred. Although the client appears to provide a correct request, something unexpected occurred on the server. |
503 Service Unavailable | SERVICE_UNAVAILABLE. Service Unavailable. | The server cannot handle the request for a service due to temporary maintenance. |
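A client has to cope with both error body formats shown above and with bodies that are not JSON at all. The parser below is an added example, not PayPal's code; the action labels, the sample bodies and the invalid_token value are constructed for illustration.

```python
import json

# Constructed sample bodies in the two formats shown above.
SAMPLE_VALIDATION = ('{"name": "INVALID_REQUEST", "message": "Request is not well-formed.", '
                     '"details": [{"field": "amount", "issue": "required"}]}')
SAMPLE_IDENTITY = '{"error": "invalid_token", "error_description": "Token expired."}'


def parse_error(status, raw_body):
    """Normalize either error body into one dict and suggest a next step."""
    try:
        body = json.loads(raw_body) if raw_body else {}
    except ValueError:                       # HTML page, truncated body, and so on
        body = {}
    if not isinstance(body, dict):
        body = {}

    if "error" in body:                      # Identity error format
        name, message, details = body.get("error"), body.get("error_description"), []
    else:                                    # format used by all other errors
        name, message = body.get("name"), body.get("message")
        raw = body.get("details")
        details = [(d.get("field"), d.get("issue"))
                   for d in (raw if isinstance(raw, list) else [])
                   if isinstance(d, dict)]

    # Action labels are hypothetical names chosen for this example.
    if status == 401:
        action = "renew_token"               # invalid or expired access token
    elif status in (429, 503):
        action = "retry_later"               # rate limit or temporary maintenance
    elif 400 <= status < 500:
        action = "fix_request"               # resending it unchanged fails again
    else:
        action = "server_error"
    return {"status": status, "name": name, "message": message,
            "details": details, "action": action}
```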
Validation errors
For validation errors, PayPal returns the HTTP 400 Bad Request status code.
To prevent validation errors, ensure that parameters are of the right type and conform to these constraints:
| Parameter type | Description |
|---|---|
| Character | Names, addresses, phone numbers, and so on have maximum character limits. |
| Numeric | Credit cards, amounts, card verification value (CVV), and so on must use non-negative numeric values and have required formats. For example, a CVV must be three or four numbers while a credit card number must contain only numbers. |
| Required | Must be included in the request. For example, when you provide credit card information, you must include a postal code for most countries. |
| Monetary | Must use the right currency. |
For information about parameter types and constraints, see the REST API reference.
Authentication errors
For authentication errors, PayPal returns the HTTP 401 Unauthorized status code. See authentication and authorization.
Access token-related issues often cause authentication errors.
Ensure that the access token is valid and present and not expired.
HATEOAS links
Hypermedia as the Engine of Application State (HATEOAS) is a constraint of the REST application architecture that distinguishes it from other network application architectures.
This excerpt from a sample response shows an array of HATEOAS links:
{
"links": [{
"href": "https://api.paypal.com/v1/payments/sale/36C38912MN9658832",
"rel": "self",
"method": "GET"
}, {
"href": "https://api.paypal.com/v1/payments/sale/36C38912MN9658832/refund",
"rel": "refund",
"method": "POST"
}, {
"href": "https://api.paypal.com/v1/payments/payment/PAY-5YK922393D847794YKER7MUI",
"rel": "parent_payment",
"method": "GET"
}]
}
You can use the links in this example, as follows:
- Use the self link to get more information about the request. Combine the method and the target URL to make the call:
GET https://api.paypal.com/v1/payments/sale/36C38912MN9658832
- Use the refund link to request a refund:
POST https://api.paypal.com/v1/payments/sale/36C38912MN9658832/refund
- Use the parent_payment link to get information about the parent payment:
GET https://api.paypal.com/v1/payments/payment/PAY-5YK922393D847794YKER7MUI
The elements in the link object are:
| Element | Required | Description |
|---|---|---|
href | Required | The target URL. |
rel | Required | The link relationship type. |
method | Optional | The HTTP method. Default is GET. |
The href element
The href element contains the complete target URL, or link, to use in combination with the HTTP method to make the related call. href is the key HATEOAS component that links a completed call with a subsequent call.
The rel element
The rel element contains the link relationship type, or how the href link relates to the previous call.
For a complete list of the link relationship types, see Link Relationship Types.
The method element
Optional. The method element contains an HTTP method. If present, use this method to make a request to the target URL. If absent, the default method is GET.
The HTTP methods are:
| Method | Description |
|---|---|
DELETE | Deletes a resource. |
GET | Shows details for a resource or lists resources. |
PATCH | Partially updates a resource. |
POST | Creates or manages a resource. |
PUT | Updates a resource. |
REDIRECT | Not an HTTP method but specifies that the target URL is a redirect URL to which to redirect payers to approve a PayPal account payment. |
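Code that follows a link sends the bearer token to whatever URL href names, so it is worth checking the target first. The resolver below is an added example, not PayPal's code: it applies the default method, treats REDIRECT as a browser redirect rather than an API call, and only returns an API call for HTTPS targets on the two API hosts that appear on this page. The allow-list check and the last three sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.paypal.com", "api.sandbox.paypal.com"}   # hosts used on this page
HTTP_METHODS = {"DELETE", "GET", "PATCH", "POST", "PUT"}

SAMPLE = {"links": [
    {"href": "https://api.paypal.com/v1/payments/sale/36C38912MN9658832",
     "rel": "self", "method": "GET"},
    {"href": "https://api.paypal.com/v1/payments/sale/36C38912MN9658832/refund",
     "rel": "refund", "method": "POST"},
    # Constructed entries: no method, a REDIRECT link, and an unexpected host.
    {"href": "https://api.paypal.com/v1/payments/payment/PAY-5YK922393D847794YKER7MUI",
     "rel": "parent_payment"},
    {"href": "https://www.example.com/constructed-approval-page",
     "rel": "approval_url", "method": "REDIRECT"},
    {"href": "https://api.paypal.com@attacker.example/v1/payments/sale/1",
     "rel": "spoofed", "method": "GET"},
]}


def resolve_link(response, rel):
    """Return (kind, method, href) for the first link whose rel matches.

    kind is "api" for a call to make with the bearer token, or "redirect"
    for a URL the payer's browser is sent to without an Authorization header.
    """
    for link in response.get("links", []):
        if link.get("rel") != rel:
            continue
        href = link["href"]
        method = str(link.get("method", "GET")).upper()    # default is GET
        parts = urlsplit(href)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"link {rel!r} is not an absolute https URL")
        if method == "REDIRECT":                           # not an HTTP method
            return ("redirect", None, href)
        if method not in HTTP_METHODS:
            raise ValueError(f"link {rel!r} has unknown method {method!r}")
        # hostname ignores any userinfo before "@", so look-alike URLs are caught
        if parts.hostname not in ALLOWED_HOSTS or parts.port not in (None, 443):
            raise ValueError(f"refusing to send the bearer token to {parts.hostname}")
        return ("api", method, href)
    raise KeyError(rel)
```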
Make your first call
To make REST API calls, create a PayPal REST app and get an access token:
| 1. | Create a PayPal app. When you create an app, PayPal generates a set of OAuth credentials. |
| 2. | Get an access token. Pass the OAuth credentials in a get access token call. In response, the PayPal authorization server issues an access token. |
| 3. | Make REST API calls. Use the access token for authentication when you make REST API calls. |
Create a PayPal app
On the My Apps & Credentials page, click Log into Dashboard.
In the REST API apps section, click Create App.
PayPal generates a set of OAuth 2.0 client_id and secret credentials for your app for both the sandbox and live environments.
Get an access token
The get access token endpoint is /v1/oauth2/token.
To get an access token, you pass your OAuth credentials in a get access token call. To make this call, you can use either cURL on the command line or the Postman app.
In response, the PayPal authorization server issues an access token.
Re-use the access token until it expires. See our rate limiting guidelines. When it expires, you can get a new token.
cURL example
Tips:
- If you use Windows, use a Bash shell to make cURL calls.
- If you use a command-line tool other than cURL, set content-type to application/x-www-form-urlencoded.
- Download cURL for your environment.
- From the command line, run this command:
curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
-H "Accept: application/json" \
-H "Accept-Language: en_US" \
-u "client_id:secret" \
-d "grant_type=client_credentials"
Where:
/v1/oauth2/token | The get access token endpoint. |
client_id | Your client ID. |
secret | Your secret. |
grant_type | The grant type. Set to client_credentials. |
- View the sample response.
Postman example
- Download the latest version of Postman for your environment, and open Postman.
- Select the POST method.
- Enter the https://api.sandbox.paypal.com/v1/oauth2/token request URL.
- On the Authorization tab, select the Basic Auth type and enter this information:
Username | Your client ID. |
Password | Your secret. |
- On the Body tab, select x-www-form-urlencoded and enter this information:
key | grant_type |
value | client_credentials |
- Click Send.
- View the sample response.
Sample response
{
"scope": "https://uri.paypal.com/services/subscriptions https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card https://uri.paypal.com/services/applications/webhooks openid https://uri.paypal.com/payments/payouts https://api.paypal.com/v1/vault/credit-card/.*",
"nonce": "2017-06-08T18:30:28ZCl54Q_OlDqP6-4D03sDT8wRiHjKrYlb5EH7Di0gRrds",
"access_token": "Access-Token",
"token_type": "Bearer",
"app_id": "APP-80W284485P519543T",
"expires_in": 32398
}
Where:
access_token | Your access token. |
expires_in | The number of seconds after which the token expires. Request another token when the current one expires. |
Make REST API calls
With a valid access token, you can make REST API calls.
This sample call creates a PayPal account payment and uses only the required input parameters. The access token in the call is an OAuth bearer token.
Note: Payments API calls are always made by an actor, such as email, on behalf of a subject, or the payer. The actor specifies a bearer token in the Authorization: Bearer request header. A bearer token is an access token that is issued to the actor by an authorization server with the approval of the resource owner, or payer. In this case, the actor uses the bearer token to make a payments request on behalf of the subject.
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token" \
-d '{
"intent": "sale",
"redirect_urls": {
"return_url": "https://example.com/your_redirect_url.html",
"cancel_url": "https://example.com/your_cancel_url.html"
},
"payer": {
"payment_method": "paypal"
},
"transactions": [{
"amount": {
"total": "7.47",
"currency": "USD"
}
}]
}'
A successful call returns a JSON-formatted response body with payment details.
REST APIs
Glossary
This glossary defines commonly used terms for the PayPal REST APIs.
- access token
- The credentials that the PayPal authorization server issues to a client in exchange for OAuth client ID and secret and that authorize the client to make REST API requests.
- API request
- The combination of an HTTP method, a URL to the API service, a URI to the resource, optional query parameters for filtering and pagination, HTTP request headers including the Authorization header with the access token, and, if required, a JSON-formatted request body.
- authorization
- When you create an app, PayPal generates a set of OAuth client ID and secret credentials for your app for both the sandbox and live environments. In exchange for these credentials, the PayPal authorization server issues an access token that you use for authorization when you make REST API requests.
- bearer token
- A type of access token that lets you complete an action on behalf of a resource owner.
- cURL
- A command-line tool that lets you send HTTP requests and receive responses.
- filtering
- The use of query parameters to filter the items that are returned in an API response.
- HATEOAS
- A constraint of the REST application architecture, Hypermedia as the Engine of Application State dictates that each API response include an array of contextual links, if available, that gives you more information about and lets you construct an API flow that is relative to that request.
- Internet date and time format
- The ISO 8601-compliant format that API requests and responses use for date and time values.
- pagination
- The use of pagination parameters to limit the size of and sort the data returned in an API response. A pagination parameter is a type of query parameter.
- query parameter
- A type of parameter that you include on the request URI to filter and sort the items that are returned in an API response and limit the size of the data returned in that response.