API Requests

To make a REST API request, you combine the HTTP GET, POST, PUT, PATCH, or DELETE method, the URL to the API service, the URI to a resource to query, submit data to, update, or delete, and one or more HTTP request headers.

The URL to the API service is either:

  • Sandbox. https://api.sandbox.paypal.com
  • Live. https://api.paypal.com

Optionally, you can include query parameters on GET calls to filter, limit the size of, and sort the data in the responses.

Most GET, POST, PUT, and PATCH calls require a JSON request body.

This sample request lists invoices:

curl -v -X GET https://api.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer Access-Token"

Query parameters

For most REST GET calls, you can include one or more query parameters on the request URI to filter, limit the size of, and sort the data in an API response. For filter parameters, see the individual GET calls.

To limit, or page, and sort the data that is returned in some API responses, use these, or similar, query parameters:

Note: Not all pagination parameters are available for all APIs.

Parameter Type Description
count integer The number of items to list in the response.
end_time integer The end date and time for the range to show in the response, in Internet date and time format. For example, end_time=2016-03-06T11:00:00Z.
page integer The zero-relative start index of the entire list of items that are returned in the response. So, the combination of page=0 and page_size=20 returns the first 20 items. The combination of page=20 and page_size=20 returns the next 20 items.
page_size integer The number of items to return in the response.
total_count_required boolean Indicates whether to show the total count in the response.
sort_by string Sorts the payments in the response by a specified value, such as the create time or update time.
sort_order string Sorts the items in the response in ascending or descending order.
start_id string The ID of the starting resource in the response. When results are paged, you can use the next_id value as the start_id to continue with the next set of results.
start_index integer The start index of the payments to list. Typically, you use the start_index to jump to a specific position in the resource history based on its cart. For example, to start at the second item in a list of results, specify ?start_index=2.
start_time string The start date and time for the range to show in the response, in Internet date and time format. For example, start_time=2016-03-06T11:00:00Z.

For example, the Invoicing API returns details for four invoices beginning with the third invoice and includes the total count of invoices in the response:

curl -v -X GET https://api.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer Access-Token"

HTTP request headers

The commonly used HTTP request headers are:

Accept
 

The response format, which is required for operations with a response body. The syntax is:

Accept: application/format

Where format is json.

Authorization
 

Required to get an access token or make API calls:

  • Get an access token

    When you create a REST API app, PayPal generates a set of OAuth 2.0 client ID and secret credentials for the sandbox and live environments. When you make a get an access token call, set the Authorization header to these credentials for your environment.

    In exchange for these credentials, the PayPal authorization server issues a bearer access token that you use for authorization when you make REST API requests.

    A bearer token enables you to complete actions on behalf and with the approval of the resource owner.

  • Make REST API calls

    Include the access token in the Authorization header with the Bearer authentication scheme:

    Authorization: Bearer Access-Token
Content-Type
 

The request format, which is required for operations with a request body. The syntax is:

Content-Type: application/format

Where format is json.

PayPal-Auth-Assertion
 

An API client-provided JSON Web Token (JWT) assertion that identifies the merchant. To use this header, you must get consent to act on behalf of a merchant.

You might want to use a JWT if you act on behalf of multiple merchants at the same time, because it is difficult and expensive to generate and manage multiple access tokens. Instead of managing multiple access tokens, you can use this header to provide a JWT assertion that identifies the merchant when you call the API.

Constructing the JWT

While you can use either a signed or unsigned (unsecured) JWT, PayPal recommends using the unsigned JWT for simplicity because the information you pass with the JWT is not sensitive data.

A JWT consists of three parts:

  • Header—Identifies the algorithm that generated the signature. Because PayPal recommends an unsigned JWT, pass an alg of none for the header.
  • Payload—Defines a set of claims, or statements, about an entity. In the case of the PayPal-Auth-Assertion header, the entity is typically the merchant. The payload can contain iss, which identifies the third-party calling the API, and one of the following to identify the merchant for whom the call is made: email, payer_id, or client_id.
    Note: Because a merchant's email address can change, PayPal recommends using payer_id or client_id to specify a merchant.
  • Signature—Validates the token and consists of the encoded header, the encoded payload, a secret, and the algorithm. Because PayPal recommends an unsigned JWT, pass an empty string for the signature.
    Note: If you prefer a signed JWT, you can sign it using your secret from your API credentials.

Example:

  • JOSE header:

    {
      "alg": "none"
    }
  • Payload:

    {
      "iss": "client_id",
      "payer_id": "merchant_payer_id"
    }
  • Signature. Use "" for the unsigned case.

To pass the JWT easily in HTTP environments, use Base64 to encode all three parts of the JWT separately, then concatenate them with a period (.). The following code shows the previous example after Base64 encoding and compact serialization (or concatenation):

ew0KICAiYWxnIjogIm5vbmUiDQp9.ew0KICAiaXNzIjogImNsaWVudF9pZCIsDQogICJwYXllcl9pZCI6ICJtZXJjaGFudF9wYXllcl9pZCINCn0=.

Refer to Issue a Refund in the PayPal Commerce Platform documentation for an example of using the PayPal-Auth-Assertion header in an API call.

PayPal-Client-Metadata-Id
 

Optional. Verifies that the payment originates from a valid, user-consented device and application. Reduces fraud and decreases declines. Transactions that do not include a client metadata ID are not eligible for PayPal Seller Protection.

PayPal-Partner-Attribution-Id
 

Optional. Identifies the caller as a PayPal partner. To receive revenue attribution, specify a unique build notation (BN) code. BN codes provide tracking on all transactions that originate or are associated with a particular partner. To learn more or to request a BN code, contact your partner manager.

PayPal-Request-Id
 

Optional. Contains a unique user-generated ID that the server stores for a period of time. Use this header to enforce idempotency on REST API POST calls. You can make these calls any number of times without concern that the server creates or completes an action on a resource more than once. You can retry calls that fail with network timeouts or the HTTP 500 status code. You can retry calls for as long as the server stores the ID.

For example, a user calls refund captured payment with the PayPal-Request-Id header that contains a unique user-provided ID. The user can make the call again with the same ID in the PayPal-Request-Id header for up to 45 days because the server stores this ID for this long for this call.

If the initial call fails with the HTTP 500 status code but the server has already refunded the payment, the caller does not need to worry that the server will refund the payment again.

Note: Not all APIs support this header. To determine whether your API supports it and for information about how long the server stores the ID, see the reference for your API.

Additional information

Feedback