Get an Access Token - cURL
-
Download cURL for your environment.
Note: On Windows, use a Bash shell to make cURL calls.
-
Run this command, where
<client_id>
is your client ID and<secret>
is your secret:curl -v https://api.sandbox.paypal.com/v1/oauth2/token \ -H "Accept: application/json" \ -H "Accept-Language: en_US" \ -u "client_id:secret" \ -d "grant_type=client_credentials"
Note: If you use a command-line tool other than cURL, set the
Accept
header toapplication/x-www-form-urlencoded
.In exchange for these credentials, the PayPal authorization server returns your access token in the
access_token
field:{ "scope": "scope", "access_token": "Access-Token", "token_type": "Bearer", "app_id": "APP-80W284485P519543T", "expires_in": 31349, "nonce": "nonce" }
Include this bearer token in the
Authorization
header with theBearer
authentication scheme in REST API calls to prove your identity and access protected resources. This sample request includes a bearer token:curl -v -X GET https://api.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true \ -H "Content-Type: application/json" \ -H "Authorization: Bearer Access-Token"
Access tokens have a finite lifetime. The
expires_in
field contains the number of seconds after which the token expires. For example, an access token with an expiry value of3600
expires in one hour from when the response was generated.To detect when an access token expires, write code to either:
- Keep track of the
expires_in
value in the token response. - Handle the HTTP
401 Unauthorized
status code. The API endpoint issues this status code when it detects an expired token.
Re-use the access token until it expires. Then, get a new token.
- Keep track of the
Next, make REST API calls.