# Create and Manage NVP/SOAP API Credentials (/api/nvp-soap/apiCredentials)



> **Note:** **Deprecation notice**: PayPal's NVP/SOAP APIs are legacy APIs, but PayPal continues to support them. To access the most current features and security:
>
> * For new integrations, [start with the latest tools](/).
>
> * For existing integrations, [visit the upgrade hub](/upgrade/).

When you call PayPal NVP/SOAP APIs, you must authenticate each request through a set of *API credentials*. PayPal associates these credentials with a PayPal account. You can generate credentials for any PayPal Business or Premier account.

## Types of credentials [#types-of-credentials]

All PayPal API certificate credentials are 2048-bit, SHA-256 certificates that expire every three years.

The NVP/SOAP APIs support:

* API certificates

  Contain the API user name and password and the certificate.

  PayPal recommends that you use certificate credentials for security reasons. See [API certificates](#api-certificates).

* API signatures

  Contain the API user name and password and the signature. See [API signatures](#api-signatures).

> **Note:** **Note:** All Adaptive platform APIs require that you supply an `appID` with your signature or certificate credentials. The Adaptive APIs include Adaptive Payments, Adaptive Accounts, Permissions Service, and Invoicing Service.

## API certificates [#api-certificates]

Learn how to create and manage certificate API credentials.

### Create API certificates [#create-api-certificates]

> **Note:** **Note:** If your API certificate is expiring, proceed to [Renew an API certificate](#renew-api-certificates).

1. For live credentials, log in to your PayPal business account at [www.paypal.com](https://www.paypal.com).

   For test credentials, log in to the PayPal sandbox at [www.sandbox.paypal.com](https://www.sandbox.paypal.com) with a [sandbox merchant account](/sandbox-testing/accounts).

2. Hover over your name and then click **Account Settings** from the dropdown menu.

3. On the **Account access** page, click **Update** for the **API access** item.

4. Click **Manage API Credentials** in the &#x2A;*NVP/SOAP API Integration (Classic)** section.

   > **Note:** **Note:** If you have already generated an API certificate, clicking **Manage API Credentials** displays the certificate information. If you must generate an API certificate, click **Remove Certification** to delete the existing certificate.

5. On the **Request API certificate** page, select **Request API certificate**.

   Then, click **Agree and Submit**.

   The **Manage API certificate** page appears.

6. Click **Download Certificate**.

The `cert_key_pem.txt` file contains the certificate. Save the file to a secure location.

PayPal formats the API certificate file in PEM format. The file contains both your *public certificate* and the associated *private key*. Although the PEM certificate is not human readable, the file is not encrypted. For details, see [Encrypt your certificate](#encrypt-api-certificates).

### Renew API certificates [#renew-api-certificates]

To prevent an interruption in API services, you must renew and replace your certificate before it expires.

1. For live credentials, log in to your PayPal business account at [www.paypal.com](https://www.paypal.com).

   For test credentials, log in to the PayPal sandbox at [www.sandbox.paypal.com](https://www.sandbox.paypal.com) with a [sandbox business account](/sandbox-testing/accounts).

2. Hover over your name and then click **Account Settings** from the dropdown menu.

3. On the **Account access** page, click **Update** for the **API access** item.

4. Click **Manage API Credentials** in the &#x2A;*NVP/SOAP API Integration (Classic)** section.

5. Check the status of your API certificate to verify whether it is **Active** or **Expires soon**.

6. If the status is **Expires soon**, click **Renew Certificate**.

   This action generates an additional certificate with the **Active** status. The **Manage API certificate** page shows both certificates.

7. On the certificate marked as **Active**, click **Download Certificate** and follow the steps to [download a certificate](#download-cert).

After you import the new API certificate, test your integration to ensure it works with the certificate. Distribute your certificate to all affected partners. After the old certificate expires, click **Remove Certificate** to remove the certificate.

### Encrypt API certificates [#encrypt-api-certificates]

The PayPal SDKs for Java and ASP.NET require that you encrypt the certificate into PKCS12 format before you can use it with the SDKs.

> **Note:** **Note:** The PayPal SDK for PHP does not require SSL encryption.

> **Note:** **Tip:** If you use encryption, ensure that you encrypt both your sandbox and live API certificates.

The steps to encrypt your certificate require the OpenSSL encryption tool. While UNIX users likely have this tool installed with their operating system, Windows users must download OpenSSL. To install OpenSSL, accept the defaults.

1. In a command prompt, ensure that the OpenSSL `bin` directory is in your system path. If not, add it to your path.

2. Change directories to the location of the certificate to encrypt (`cert_key_pem.txt`) and run:

   ```text lineNumbers
   openssl pkcs12 -export -in cert_key_pem.txt -inkey cert_key_pem.txt -out paypal_cert.p12
   ```

> **Note:** **Note:** When you encrypt a certificate, you are prompted for a password to use to decrypt the file. At the **Enter Export password** prompt, enter a password. Store it in a secure location.

The `paypal_cert.p12` file contains your encrypted API certificate.

#### Install API certificates for ASP.NET [#install-api-certificates-for-aspnet]

If you are developing with the PayPal SDK for ASP.NET, Windows requires that you:

* Import the certificate into the Windows certificate store.

  For more information, see the Microsoft [Import or export certificates and private keys](https://support.microsoft.com/en-us/products/windows?os=windows-10) support article.

* Grant the user executing your web application access to your private key.

  For more information, see [Grant third-party permissions](/api/nvp-soap).

For more information, see the PayPal [How do I import my certificate into the Windows key store?](https://www.paypal.com/us/smarthelp/article/how-do-i-import-my-certificate-into-the-windows-key-store-ts1004) knowledge base article.

## API signatures [#api-signatures]

To create an API signature:

1. For live credentials, log in to your PayPal business account at [www.paypal.com](https://www.paypal.com).

   For test credentials, log in to the PayPal sandbox at [www.sandbox.paypal.com](https://www.sandbox.paypal.com) with a [sandbox business account](/sandbox-testing/accounts).

2. Hover over your name and then click **Account Settings** from the dropdown menu.

3. On the **Account access** page, click **Update** for the **API access** item.

4. Click **Manage API Credentials** in the &#x2A;*NVP/SOAP API Integration (Classic)** section.

   > **Note:** **Note:** If you have already generated an API signature, clicking **Manage API Credentials** displays the signature information. If you must generate an API signature, click **Remove** to delete the existing API signature.

5. Select **Request API signature**. Then, click **Agree and Submit**.
