Get an access token

APICurrent


Your access token authorizes you to use the PayPal REST API server. To call a REST API in your integration, exchange your client ID and secret for an access token in an OAuth 2.0 token call. While there are a few ways to get a token, here are examples using both the Postman app and a cURL command.

Your own environment's HTTP library or function may have username and password fields or an auth parameter in which you pass your client ID and secret. You can also add your Base64 encoded client ID and secret in an Authorization: Basic <clientid:secret> header.

For more on OAuth 2.0 basic authentication, see RFC 2617 Basic Authentication Scheme.

Postman

  1. Download Postman for your environment.

  2. In Postman, select the POST method.

  3. Enter the https://api-m.sandbox.paypal.com/v1/oauth2/token request URL.

  4. On the Authorization tab, select the Basic Auth type.

    Type your client ID in the Username box, and type your secret in the Password box.

  5. On the Body tab, select x-www-form-urlencoded.

    Type grant_type in the key box, and type client_credentials in the value box.

  6. Click Send.

    In exchange for these credentials, the PayPal authorization server returns your access token in the access_token field:

    {
      "scope": "scope",
      "access_token": "Access-Token",
      "token_type": "Bearer",
      "app_id": "APP-80W284485P519543T",
      "expires_in": 31349,
      "nonce": "nonce"
    }

    Include this bearer token in the Authorization header with the Bearer authentication scheme in REST API calls to prove your identity and access protected resources. This sample request includes a bearer token:

    curl -v -X GET https://api-m.sandbox.paypal.com/v2/invoicing/invoices?total_required=true \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer <Access-Token>"
    

    Access tokens have a finite lifetime. The expires_in field contains the number of seconds after which the token expires. For example, an access token with an expiry value of 3600 expires in one hour from when the response was generated. In general, access tokens have a life of 15 minutes or eight hours depending on the scopes associated.

    To detect when an access token expires, write code to either:

    • Keep track of the expires_in value in the token response.
    • Handle the HTTP 401 Unauthorized status code. The API endpoint issues this status code when it detects an expired token.

    Re-use the access token until it expires. Then, get a new token.

cURL

  1. Download cURL for your environment.

    Note: On Windows, use a Bash shell to make cURL calls.

  2. Run this command, where <client_id> is your client ID and <secret> is your secret:

    curl -v https://api-m.sandbox.paypal.com/v1/oauth2/token \
      -H "Accept: application/json" \
      -H "Accept-Language: en_US" \
      -u "client_id:secret" \
      -d "grant_type=client_credentials"

    Note: If you use a command-line tool other than cURL, set the Accept header to application/x-www-form-urlencoded.

    In exchange for these credentials, the PayPal authorization server returns your access token in the access_token field:

    {
      "scope": "scope",
      "access_token": "Access-Token",
      "token_type": "Bearer",
      "app_id": "APP-80W284485P519543T",
      "expires_in": 31349,
      "nonce": "nonce"
    }

    Include this bearer token in the Authorization header with the Bearer authentication scheme in REST API calls to prove your identity and access protected resources. This sample request includes a bearer token:

    curl -v -X GET https://api-m.sandbox.paypal.com/v2/invoicing/invoices?total_required=true \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer <Access-Token>"
    

    Access tokens have a finite lifetime. The expires_in field contains the number of seconds after which the token expires. For example, an access token with an expiry value of 3600 expires in one hour from when the response was generated. In general, access tokens have a life of 15 minutes or eight hours depending on the scopes associated.

    To detect when an access token expires, write code to either:

    • Keep track of the expires_in value in the token response.
    • Handle the HTTP 401 Unauthorized status code. The API endpoint issues this status code when it detects an expired token.

    Re-use the access token until it expires. Then, get a new token.

Next, make REST API calls.