Paypal Developer API NVP - api

I am using the standard paypal developer API (NVP) to get current inventory levels:
https://api-3t.paypal.com/nvp?METHOD=BMGetInventory&VERSION=95.0&USER=____&PWD=____&SIGNATURE=____&HOSTEDBUTTONID=_____
But, I have a concern... If the API is enabled and the key is compromised somehow, what is the worst case scenario? For example: it looks like it is possible to send payments using the API. Is there a second tier of verification of payments that happens outside the API?
I have spent around 30 minutes researching the topic without any clarity in terms of what kind of financial damage could be done if API information is compromised.

If your PayPal API credentials are compromised then someone can make API calls on your behalf. This includes sending and/or withdrawing money from your account.
There are some ways to limit the permissions of a PayPal API credential on the pages where you set the credential up, so you might be able to create a key that is somewhat less dangerous. It has changed over time so I can't offer details; google and/or log in to your account and look.
And yes, PayPal has lots of fraud detection that it runs internally on payments, but they have no legal responsibility to figure out that your API has been stolen and I would strongly recommend not relying on them to save your bacon in such a case.
Protect your keys, especially ones with access to your money.
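As an added example, not part of the question or answer above: a small Python client for the BMGetInventory call from the question that keeps the USER/PWD/SIGNATURE credentials out of the URL (they are read from environment variables and sent in the POST body, so they do not end up in shell history, proxy logs or access logs) and checks the NVP ACK field before trusting the response. The environment variable names, the redaction helper and the sample failure response are assumptions constructed for this example.

```python
"""Added example (not from the original question or answer).

Assumptions: the endpoint, METHOD and VERSION come from the question; the
PAYPAL_* environment variable names are constructed for this example.
"""
import os
import urllib.parse
import urllib.request

NVP_ENDPOINT = "https://api-3t.paypal.com/nvp"  # endpoint from the question
CREDENTIAL_KEYS = ("USER", "PWD", "SIGNATURE")


def load_credentials():
    # Credentials come from the environment (or a secrets manager), never
    # from the query string of the request URL.
    creds = {k: os.environ.get(f"PAYPAL_{k}") for k in CREDENTIAL_KEYS}
    missing = [k for k, v in creds.items() if not v]
    if missing:
        raise RuntimeError("missing PayPal credentials: " + ", ".join(missing))
    return creds


def build_nvp_body(method, version, creds, **params):
    # NVP is plain URL-encoded key=value pairs; sending them as a POST body
    # keeps USER/PWD/SIGNATURE out of the URL that gets logged everywhere.
    fields = {"METHOD": method, "VERSION": version, **creds, **params}
    return urllib.parse.urlencode(fields).encode()


def parse_nvp_response(raw):
    # The response is URL-encoded as well; each key appears once here.
    pairs = urllib.parse.parse_qs(raw, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def check_ack(fields):
    # ACK is "Success" or "SuccessWithWarning" on success. On failure the
    # details are in the indexed L_ERRORCODEn / L_LONGMESSAGEn fields.
    if fields.get("ACK", "").startswith("Success"):
        return True, []
    errors, i = [], 0
    while f"L_ERRORCODE{i}" in fields:
        errors.append((fields[f"L_ERRORCODE{i}"], fields.get(f"L_LONGMESSAGE{i}", "")))
        i += 1
    return False, errors


def redact(fields):
    # Strip credential fields before anything is written to a log line.
    return {k: ("***" if k in CREDENTIAL_KEYS else v) for k, v in fields.items()}


def get_inventory(hosted_button_id):
    body = build_nvp_body("BMGetInventory", "95.0", load_credentials(),
                          HOSTEDBUTTONID=hosted_button_id)
    req = urllib.request.Request(NVP_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        fields = parse_nvp_response(resp.read().decode())
    ok, errors = check_ack(fields)
    return ok, errors, fields


if __name__ == "__main__":
    ok, errors, fields = get_inventory("HOSTED_BUTTON_ID_PLACEHOLDER")
    print("ok" if ok else f"call failed: {errors}", redact(fields))
```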

Related

Long living Shopify token

We are working on a system which retrieves data from customers' Shopify shops and provides some services based on this data. In order to make it as convenient as possible for an end-user we would like to update this data on a daily/weekly/monthly basis.
For now we have only come up with a solution of implementing an unlisted app, prompting a user to provide all the necessary permissions for the app to access their shop and fetch the data. But the token we get doesn't seem to be valid for a long time and we probably won't be able to reuse it a day later.
We would appreciate it if you could share any success cases of implementing this kind of approach.
You provide an App to the merchant they can install using OAuth. When the merchant is prompted to approve the App, Shopify will then provide your App with a long-lived access token you can use as much as you want, for as long as you want. I use a custom App from my Partner App dashboard to create these kinds of one-off Apps. It is superior to the one where the merchant has to tick off scopes and permissions IMO.
There are two kinds of token you can ask for and receive. One is considered for offline access, or long-lived. It works for everything. It is for webhooks as an example, or other access where no person is involved. But there are also online access tokens! Say a person clicks into the App from Shopify to do some work. You can request an online token for them to do their thing, and that token is only good for, say, 24 hours.
So you have options!

Payment Request API: Getting the buyer's address

I am currently looking into the W3C Payment Request API as part of a project for a new e-commerce checkout flow (mostly for supporting faster check-out using Apple Pay and Google Pay).
From looking at the API specification's change history, it looks like this change instituted earlier this year removes support for requesting the buyer's address with a payment request. The documentation of our payment service provider still shows this option, and it seems to work for now. That being said, I don't want to rely on a feature that browsers might start dropping soon because it's no longer in the standard, breaking our checkout flow.
Does anyone know if there is a recommended new way to handle this via the API, or if it is advisable to move the collection of the buyer's billing and shipping addresses back to a form on our page even when using the payment request API?
As far as the Payment Request API is concerned, I think there are three primary options:
Apple Pay
Google Pay
basic-card
As you may have seen, basic-card is being deprecated (https://blog.chromium.org/2021/10/sunsetting-basic-card-payment-method-in.html) so you probably want to avoid this option.
Both Apple Pay and Google Pay provide access to billing and shipping address, and can be accessed as payment methods in the Payment Request API, and both provide their own alternate APIs (Apple Pay JS API and Google Pay Online API).
I don't know about Apple Pay, but the advice for Google Pay is to use Google Pay Online API (which makes use of the Payment Request API when available). Google Pay provides a consistent API for browsers that do and don't support the Payment Request API.
Does anyone know if there is a recommended new way to handle this via the API, or if it is advisable to move the collection of the buyer's billing and shipping addresses back to a form on our page even when using the payment request API?
The guidance for Google Pay is to place the Google Pay button above manual entry fields and to collect shipping information from Google Pay so that users don't start filling in the form before realizing there was a faster checkout option available.
So prioritize the digital checkout options for users that choose to use it, and make use of billing/shipping information from the digital wallet APIs. Make manual form fields available (suggest that form fields also make correct use of autofill attributes) for users who don't have access to or choose not to use the other payment options.
Demo site available with this in action: https://paydemo.withgoogle.com
FYI, if you're looking to integrate Google Pay into your site and are using a JavaScript framework, consider using the framework specific components from Google Pay for easier integration: https://github.com/google-pay/google-pay-button

What are the differences between PayPal's API and Braintree's v.zero API, and which would work more efficiently for a Node.JS Marketplace Website? [closed]

Closed 7 years ago.
Please explain the difference between all the different PayPal APIs that are offered, and why they have so many different ones. If you were to build a new marketplace website in comparison to Amazon or Etsy, or a SaaS such as Volusion or Shopify, and you were to charge a per-sale fee, could it be done using PayPal's services? Also, do they offer OAuth, such as login with Google? I see they have a Permissions API; what does this entail? And above all else, what is different between PayPal and Braintree? They appear to be very similar from the outside.
I want to start off by saying that, even though your question regards PayPal, I would probably off the top of my head tell you to look at a different service... (Stripe, http://www.stripe.com, was what I’d recommended originally, but I’ll teach that another day). But regardless, for now I’m going to limit my response to PayPal and what sort of Application Programming Interfaces (APIs) they offer, as that is what you asked about, and that in and of itself is a good-sized undertaking.
Over the years PayPal’s API has gone from being a very simple system to one of the best in the industry. It encompasses so many things that it’d be easy to get confused. So while your question is broad, I believe I can provide some bit of guidance.
It sounds to me that what you are asking for is how can you do split payments or mass payouts to your customers. I also must say, that it sounds very similar to a so called marketplace service, such as Amazon.com or many other major ecommerce sites. These sites generally act in a bit of a collaborative way, allowing customers to buy products from them, as well as sell products themselves. That’s not the rule, but rather just what has evolved in the online economy over the years.
First we need to understand what is an API, and what does it do, and how can it be utilized. We’ll also need to have a good basic understanding of how data driven websites work, and the concepts of how they talk to each other. In addition, you’ll want to have an understanding of the underlying languages needed to use an API. If you don’t possess this knowledge, I would suggest you’ll want to start there.
But in talking about PayPal’s API, it supports a wide variety, and includes NVP/SOAP (which would be considered their “classic” API) as well as their shiny new REST API. Depending on what language your web application is being developed in, you’ll want to choose the appropriate language.
Next, you’ll need to understand the functions of what their API can do, and how it can be utilized to make your business work more efficiently and provide better services to your customers. Once you understand the functionality, you’ll be able to better understand how to achieve your end goal, and you’ll probably find some other things along the way, which you didn’t think of until you dive into it.
As you know, PayPal can in fact provide the service which you’re looking for. In order to achieve that functionality, I think you’re going to want to research and become familiar with a few things. First, you’ll want to think about how many customers you will have, as this will be something that is important as you develop your service. For example, there are account limits on certain functions, and occasionally you may find that understanding what technology is available will allow you to come up with better, more creative plans while in the architecture phase of your application.
As I said earlier, they offer quite a variety of different APIs to choose from; however, whether your goal is to act as a “marketplace” website such as Amazon or Sears.com, or as a SaaS solution such as Amazon Web Stores, Shopify or Volusion, I assume that either way you go, you’re going to want to allow your customers to get paid, and to be realistic we need to assume that in order for your service to be considered a realistic option, you’ll need to offer more ways to pay than only PayPal: credit cards, checks, bank transfers, Bitcoin, etc. The list goes on. You might be sitting there thinking, “Uh oh, I just am not sure where to begin with that!” Regardless of the fact that the original PayPal might not offer every method, as we learn when they say
“Our payments technology lets you accept credit cards, debit cards, and PayPal payments via mobile devices, computers, and storefronts” (PayPal),
I assure you that there is no reason to panic. PayPal got its success originally by providing a service to small sellers such as someone selling on eBay, and that was their niche for many years. As a result of being so successful in their niche, PayPal to me is one of the services that has really helped contribute to making the internet be the internet we see today; they helped millions of people build businesses, and consequently they have grown over the years, and now offer a whole variety of payment services, each of them marketed as separate “products” and a couple that are even their own brands. While technically they are not a bank (if we don’t count their subsidiaries), they are absolutely to be considered a giant in the payment industry. Yet when we compare their website to the sites of some of the larger banking institutions, we find it to be much more user friendly. In spite of the user friendly design, with so much to choose from, a novice can easily get overwhelmed, and so for quick reference’s sake, join me for a semi-quick flyover of what services PayPal offers which can help an aspiring marketplace or software as a service company.
Let’s start by reviewing some of the most common and, in my opinion, important services to be familiar with when it comes to using PayPal, and let me give a brief overview of what each is. When we’re done with that, we will go over which of these services will be best to use if you want to run a company with a web application that does split payments, marketplace services, or any other service whereby one might need to accept money from a third party, keep a percentage and forward the rest on to his client.
PayPal – For a beginner who needs to accept payments from someone, but may not need any sort of API access to integrate with.
PayPal Business – Used by the individual who starts selling more than he can on his personal account.
PayPal Here – Used to accept payments on your phone with a card reader.
PayPal POS Solutions – Used as a cash register in a physical store.
PayPal Online Invoicing – Used to send email invoices to your customers.
The products we just listed may be a viable solution for some sellers; however, this is about which APIs to use and which services an e-commerce website or a marketplace website can utilize best and find the most benefits from. There are only certain options for API access. So as to not be confused, we will quickly go through them as well. So if your goal with using PayPal is to create the new Amazon.com, Etsy or eBay, these are the services you should learn to use, and learn more about.
PayPal Accounts and Services for a more developed company, a start-up with a more complex application or workflow, or anyone who needs to integrate PayPal’s services into their computer systems in some way:
PayPal Payments Standard – This one is pretty self-descriptive; however, it is PayPal’s most e-commerce capable service. Learn more by visiting this link.
Express Checkout – Allows you to let a customer check out through PayPal from your shopping cart, and also allows you to build a shopping cart of sorts within PayPal. Limited API access.
PayPal Payments Pro – The type of account that many e-commerce companies find they need in order to utilize PayPal’s services, and it offers pretty good API access. If you have a PayPal Payments Pro account, there are also a couple of services which you can get in addition for a small extra monthly fee.
PayPal Virtual Terminal – Allows you to take a “phone order” from a customer and to enter charge card info in manually. Does not require a customer to know you are using PayPal.
Payflow Payment Gateway – Fully integrated payment solution, comparable to a regular merchant account. Payflow can actually be utilized with your own bank’s merchant services account, but that’s a subject for another time.
While all of the services I listed above only allow you to accept the most common payment methods, in today’s online economy we usually do want to accept more types, and as I said earlier, there is much more to PayPal than meets the eye, and they definitely have been spending their time and money spreading their wings. Thanks to a new service they recently rolled out, called Braintree, PayPal has evolved; they’re no longer the restrictive payment service that they seemed doomed to become for a period of time. Braintree is just one of their many “extracurricular” service offerings that they now have, and while I don’t have time to go over them all today, I will touch on the few of those lesser-known PayPal services that I find most useful to an e-commerce store or marketplace website.
Braintree v.zero – Braintree was acquired by PayPal not that long ago, and has been touted as an “open source” payment system. Their goal is to re-invent how payments are exchanged, allowing the process to become more seamless. It has very advanced API functionality as well, which we’ll discuss, and is definitely “the new kid on the block”.
Paydiant – This one is complex, but allows for mobile payments, loyalty programs, and more. It is marketed to merchants, Banks, and Partners. To learn more go here. It’s not going to be covered in this post, but may be worth looking at.
PayPal also has services such as the one mentioned by the person who asked the question prompting this post, such as the way Shopify has you give permissions to them. While I’m not sure of Shopify’s exact use for it, I can think of many. The way they describe it is
“PayPal offers several services to help merchants easily manage authentication for their customers in a secure way. PayPal services enable merchants to set up PayPal accounts for customers, configure and manage permissions for customers, store customer credit card details with PayPal, and also streamline the login process.”
(PayPal Authentication Security Docs)
The services that are available through the Authentication API include:
PayPal Vault – This service allows you to securely store your customer credit card and transaction information whether your payment processor is PayPal, Braintree, or your own bank. They describe it as
“The Vault API provides a secure way to store customer credit cards. By storing cards with PayPal, you can avoid storing them on your servers.”
While whether or not it can be used to directly accept card payments varies by country, it is still a service that can be a valuable asset no matter what.
The Identity API or Log In With PayPal – With this, customers can use Log In with PayPal buttons to log in to your website with their PayPal credentials. It is used for a few different things including:
Log In With PayPal – which allows you to authenticate customers into your system through their credentials with PayPal, similar to the Login with Google or other OAuth systems on the market.
Seamless Checkout – If you use Login with PayPal, you can also use seamless checkout, allowing, as they describe it, “The PayPal Identity API supports the seamless checkout feature, which gives customers the ability to directly checkout using their PayPal account. Once logged in to your website through Log In with PayPal, the buyer can seamlessly checkout with PayPal without the need to log in to PayPal again.”
PayPal Adaptive Accounts API – “Use the Adaptive Accounts API to build applications that create and manage PayPal accounts. Merchants and developers can use the API to create PayPal accounts, add payment methods to accounts, and verify a PayPal account status.”
Permissions API – Last but not least, PayPal’s Permissions API allows “…you to request and obtain authorization to make API calls and take action on behalf of your customers. The service is automated and easy to use, walking customers through the permissions being granted and what they mean, minimizing the time required. Permissions are organized in groups that are self-descriptive and help lower the barrier to on-board your customers. When the customer finishes the permissions flow, they are redirected back to your site.”
The Permissions API is used for many things, which you can learn more about through the link, but the most common are getting permissions in a workflow, Disbursements or Payouts, Refunds, Recurring Payments, Obtaining Transaction Information and Tracking Group Dues. For a complete overview, see the PayPal Permissions Service Integration Guide.
The final services I will cover are the payout services. These are the services that PayPal offers to let a company that is a marketplace, such as a split pay transaction, or other business that needs to pay many people, disburse funds to them through a variety of methods.
Permissions API – One way, as we mentioned earlier, is to authenticate into the customer’s account and send disbursements within PayPal.
Payouts API – The Payouts API is a REST interface that enables you to not only send up to 500 disbursements in one API call, but also ensures you can easily send, track, and search for previously issued payouts. To get started with the Payouts API, and for more information on integrating it into your website, see the Payouts documentation and the Payouts REST API reference.
PayPal Mass Pay API – With Mass Pay, you can submit mass payments directly from your PayPal account or use the Mass Pay API to submit them. Mass Pay includes NVP/SOAP API operations that enable you to easily create a set of payouts by identifying each individual recipient and the amount of each payout. With Mass Pay, you can take care of commissions, rebates and rewards, and even make all the general payouts that come with running a business. It’s important to note that with the Payouts API you do not necessarily have to be a PayPal seller to use it, but with the Mass Pay API, you need to be.
The PayPal Mass Pay API is one of the best options for a marketplace business. Merchants use the Mass Pay API to send money instantly to up to 250 recipients at once. To send payments to multiple recipients, merchants only need the recipient’s PayPal account email address, the payment amount, and the currency code. Merchants can manually upload a file listing payments or create them programmatically using the Mass Pay API.
To get started with the Mass Pay API, you should visit the “getting started guide”. For more information on integrating it in your web application, you should see: the Mass Payments User Guide, the Mass Pay NVP API Documentation, or, if using the SOAP API, the SOAP API Documentation. You can also check out their section for Sample Apps at GitHub.
Finally, let me go into some more detail regarding PayPal’s new service, Braintree v.Zero. What is Braintree, you might ask? Well, as PayPal describes it, it is
“…a full-stack payments platform that makes it easy to accept payments in your app or website. Our service replaces the traditional model of sourcing a payment gateway and merchant account from different providers. From one touch payments to mobile SDKs and foreign currency acceptance, we provide everything you need to start accepting payments today.”
So after reading that you might be thinking “This sounds pretty good, what types of payments can I accept with the Braintree service?” They also answer that question in a different point stating:
“Merchants in the US can use Braintree to accept PayPal, Apple Pay, Android Pay, Venmo, Bitcoin and most credit and debit cards, including Visa, MasterCard, American Express, Discover, JCB and Diner’s Club.”
You will find while reading that question that you might have concerns about your locality and whether it’s available in your country or not. They give us that answer in pretty clear terms, stating
“Your business must operate out of a US, Canadian, Australian, Europe, Singapore, Hong Kong, Malaysia, New Zealand-based office. You must also have a bank account with a US, European, Australian, Canadian, Singapore, Hong Kong, Malaysia or New Zealand-chartered bank. The location of your customers has no effect on where you are domiciled.”
So after reading all that, I’d imagine you’re thinking, “Okay, that sounds pretty good. So then which API do I use in order to integrate with it?” If we read a little bit more through PayPal and Braintree’s website, we will be able to learn that the Braintree v.Zero API supports a multitude of languages including:
“On the client side, we have a JavaScript library for mobile and desktop web, plus mobile SDKs for iOS, Android, and Windows Phone. On the server side, we have libraries in six languages: Ruby, Python, PHP, Java, Microsoft .Net, and Node.js.”
And if you needed one last reason to seriously consider using PayPal’s new Braintree v.Zero API, it also seems that if you succeed in building your SaaS as you describe, you could become a so-called “partner” with them, and be featured on their websites, and that’s something that definitely won’t hurt your SEO. To learn more about that, just visit the links.
While looking at Braintree’s documentation, I see that if you want to run a marketplace or do split payments with them, that you will need to notify them and contact sales, but beyond that there is not a whole lot. From my experience, starting your account with PayPal and migrating into Braintree is the easiest approach. They actually let you know exactly what your responsibilities and their responsibilities are in that type of relationship by saying
“You maintain the relationships with the customers of your marketplace, and Braintree will be there to support you every step of the way. That means that you will work directly with your customers to provide refunds and handle any chargebacks or disputed charges. You’ll also be responsible for knowing who your sellers are, and ensuring that they deliver products/services that don’t break any laws. Braintree will back you up with all of the reports and information you need to support your customers.”
PayPal also details how the Braintree API can be used for payouts, stating:
“Braintree Marketplace streamlines payments for your market-style business, enabling you to effortlessly split payments between you and your providers. Marketplace is transparent and built for mobile first, empowering you to build an elegant, custom checkout experience on any platform.”
Learn more about Braintree Marketplace features.
To learn more about the Braintree Marketplace services, visit the Braintree Marketplace page.
For the Developer Documentation on the Braintree Marketplace API, visit here.
The last service I’ll cover is for larger accounts, and for paying out large numbers of customers at once.
PayPal’s Adaptive Payments API – With the Adaptive Payments API, merchants and developers can create applications that manage payments, payment pre-approvals, and refunds. Merchants and developers also can send money peer-to-peer, and can split payments in both parallel and chained models. The Adaptive Payments API is robust enough to support numerous use cases, including distributing payroll online, managing a storefront for physical or digital goods, and tracking payments of group dues. Learn more about the use cases supported by Adaptive Payments and how to get started.
You can find developer documentation for Adaptive Payments here: PayPal’s Adaptive Payments API
I hope you found my overview of PayPal helpful, and I hope this gives you somewhere to start while planning how to build your new web application. If you find that PayPal is not the service provider for you, you may also want to consider Stripe.com. With all of the services PayPal has to offer, you may find it hard to believe there are companies that have certain solutions that might be better suited; however, in the case of Stripe vs PayPal, I would say it’s a fair match.
Good Luck.

PayPal Developer Account & API ..what happens if account is limited?

I have a hypothetical question about my PayPal developer account. Since the app I developed uses an API Username (myname-facilitator_api1.mydomain.com), API Password and API Signature to do the transactions, I am wondering what happens with the API access if my PayPal account for whatever reason becomes limited?
I've had my account limited in the past because I did a large withdrawal and PayPal asked me to send in documents to lift the limits ...but what happens during that time to the API access? Would customers also not be able to do transactions through my app during this time or how would it be affected?
There are multiple types of account limitations. For most limitations you can continue to accept payments. In other cases not.
If PayPal is uncertain about whether an account may have been compromised, or lacks a required piece of paperwork, they will generally only limit withdrawals so that the merchant can continue their business with as little impact as possible while they resolve the issue.
If PayPal determines that an account is fraudulent, or engaged in some type of enterprise for which PayPal cannot process the payments, they will block acceptance as well in order to protect the payers -- the alternative being to accept but then reverse all the transactions.
Usually, when your account becomes limited you can still receive payments. You can't withdraw though.

Can the Yodlee API be used to retrieve the transactions on any credit card?

A client I work with wants to know if it's possible to use the Yodlee API to look up recent transactions on any credit card.
They'd like it to work without the user needing to be signed up with Yodlee, either directly at the site, or indirectly through a branded partner.
I assume this would be possible if the credit card company itself shared its transaction data with Yodlee directly, and made it available to their API customers, but I haven't been able to figure this out from the docs available on their website, and haven't been able to reach anyone at Yodlee themselves to ask.
I work for Yodlee. Sorry to hear you're having a hard time getting a hold of us. To answer your question, yes the user has to explicitly authorize any application that leverages the Yodlee API and explicitly add access to their financial accounts for that application.
Best,
Grace
Yodlee screen-scrapes websites to retrieve its information.
Which means that they physically (but in an automated fashion) visit the website in a browser (IE8). Thus to pull any information down they have to visit the website, log in successfully, (optionally, but more so on more banks, authenticate the computer) and then they can see all of the information that the user sees. Their API acts as a real-time bridge between you (the end user using your website or app) and this browser.
So you have to either implement their very much so convoluted Yodlee API or use one of their generic hosted pages and direct the user to it where upon he/she enters the necessary information. You also have to have an agreement with them too. You also have to convince the user to do it :)