PayPal provides two APIs: REST and IPN.
In this article we consider the REST API, which lets you interact conveniently with all PayPal entities.
The PayPal API is a JSON API. PayPal provides two environments: production, https://api.paypal.com/, and sandbox, https://api.sandbox.paypal.com/.
Requests are protected with OAuth 2.0 authentication, so you first have to obtain an access token. Send a POST request to the "v1/oauth2/token" path with the "grant_type" key set to the value "client_credentials", and pass an "Authorization" header whose value is "Basic " . base64_encode("$clientId:$secret").
You can then sign all your requests with that token for a limited time.
$clientId and $secret can be found in the account section of the PayPal website. The same section can be used to switch the application mode between production and sandbox. You can send JSON-formatted data to all routes except the OAuth 2.0 token route.
The token alone is enough to use the Payments API, so you can send payments, view the payment history and so on. By default, however, the payment history is not accessible; you have to enable access in the account section of the PayPal website. The sandbox payment history is empty by default, so you have to make some test payments before you can test the refund functionality.
Some routes have additional protection: you have to sign the request one more time. Pass the "PayPal-Auth-Assertion" header, whose value is two base64-encoded JSON-formatted arrays, ['alg' => 'none'] and ['iss' => $clientId, 'email' => $email], concatenated with a dot, ".".
$clientId is the parameter mentioned above, and $email is the email address you registered your PayPal account with. Be careful: for the sandbox environment you should use a different, test email address provided by PayPal; see the account section of the PayPal website.
You can also replace the "email" key with the "payer_id" key, using your account's "payer_id" as the value. Note again that you have to join the two base64-encoded strings with a dot, so the resulting string must contain the dot; the PayPal service later uses it as a delimiter.
For example, in PHP the second signature can be generated like this:
function generateAuthAssertion(string $clientId, string $email): string
{
    $joseHeader = base64_encode(json_encode(['alg' => 'none'])); // unsigned JWT header
    $payload = base64_encode(json_encode([
        'iss' => $clientId,
        'email' => $email, // or 'payer_id' => $payerId
    ]));
    return $joseHeader . '.' . $payload; // PayPal splits the header value on the dot
}
To handle errors correctly, take into account that the PayPal service returns two types of errors: access errors, for example when the token is wrong, and validation errors. So you need two separate mechanisms for reformatting error messages.
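As an added example (not code from the article), here is a Python sketch of the token request described above and of the two-way error handling from the last paragraph. The helper names, the Bearer scheme for token-signed requests, and the exact error body shapes (token-route errors with "error"/"error_description", other routes with "name"/"message"/"details") are assumptions, and the sample responses are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# The two base URLs named in the article; the helper names are this example's own.
BASE_URLS = {"production": "https://api.paypal.com",
             "sandbox": "https://api.sandbox.paypal.com"}


def build_token_request(client_id, secret, env="sandbox"):
    """Describe the OAuth 2.0 client-credentials request. The body is
    form-encoded: this is the one route that does not take JSON."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{BASE_URLS[env]}/v1/oauth2/token",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def json_request_headers(token):
    """Headers for every other route (assumed: standard OAuth 2.0 Bearer scheme)."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def normalize_error(status, body):
    """Map both PayPal error shapes onto one structure so callers need a single
    code path. Assumed shapes: the token route answers with "error" and
    "error_description"; other routes answer with "name", "message" and, for
    validation failures, a "details" list of field/issue pairs."""
    data = json.loads(body)
    if "error" in data:  # access error from the token route (bad client id/secret)
        return {"kind": "access", "code": data["error"],
                "messages": [data.get("error_description", "")]}
    code = data.get("name", "UNKNOWN")
    if status in (401, 403):  # wrong or expired token on any other route
        return {"kind": "access", "code": code, "messages": [data.get("message", "")]}
    if "details" in data:  # validation failure: one message per offending field
        msgs = [f"{d.get('field', '?')}: {d.get('issue', '')}" for d in data["details"]]
        return {"kind": "validation", "code": code, "messages": msgs}
    return {"kind": "other", "code": code, "messages": [data.get("message", "")]}


# Constructed sample responses, shaped like the two error types the article describes.
SAMPLE_ACCESS_ERROR = ('{"error": "invalid_client", '
                       '"error_description": "Client Authentication failed"}')
SAMPLE_VALIDATION_ERROR = ('{"name": "VALIDATION_ERROR", "message": "Invalid request", '
                           '"details": [{"field": "transactions[0].amount.total", '
                           '"issue": "Required field missing"}]}')
```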