Permissions Service - Frequently Asked Questions

Permissions Service FAQs

Important: Adaptive Accounts and Adaptive Payments are no longer available for new integrations. PayPal provides documentation for these APIs to support existing integrations.

What is PayPal's Permissions Service?

Permissions Service APIs enable you to request and obtain API execution permission from PayPal account holders. After being granted the permissions, the API caller may make API calls on behalf of the granting account.

Why the Permissions Service?

With Permissions Service APIs, an API caller obtains permissions programmatically. This is faster, easier, and cleaner than instructing the granting party to go to his/her PayPal account Profile and grant a group of third-party permissions manually.

Where can I go for help?

If you have problems with the Permissions API services, open a support ticket at Developer Technical Services (DTS). Be sure to provide the following information:

  • Endpoint of the API call
  • Header and body of the API HTTP request
  • Body of the HTTP response
  • Other details of your application's flow

Track responses to your ticket under the My Profile tab on the DTS website.

What permissions are granted by the API?

You can use the Permissions API to obtain authority to utilize most PayPal APIs.

How can I enable the Permissions service for my app?

To enable the Permissions service for your app:

  • Log in above
  • Click the Dashboard tab.
  • Click My Apps & Credentials on the left nav menu.
  • Click Create and manage NVP/SOAP API apps under the NVP/SOAP API apps heading.
  • Fill in the required information about your app.
  • Under Services used by app, expand the 3rd Party Permissions drop-down list.
  • Check the boxes of the permissions that you want to enable, on behalf of your customers, for your app.
  • Click Submit App.

After you click Submit App, your app goes through a review process. For more information, see Go Live with Your App.

How do I use an access token?

To obtain permissions from a customer, first call RequestPermissions. Then complete an HTTP redirect to PayPal, which enables the customer to approve the request for permissions and returns a verification code to you, and call GetAccessToken to obtain the access token.

For example, if you want to use the SetExpressCheckout API call, you can write a Java program that calls OAuthSignature.getAuthHeader(). The method generates a signature and a timestamp. Once you obtain the signature and timestamp, you can construct the X-PP-AUTHORIZATION header field in the HTTP request of the API call. If you use this method, you do not need to include the USER, PWD, and SIGNATURE fields in the HTTP body.

What is the difference between a request token and an access token?

The request token is the first token obtained by the application from the API server. The app uses it in the redirect URL to display the requested permission list. The request token is good for about 15 minutes.

The request token is passed during login, and when the customer is authenticated, the request token is passed back to the application along with a verification code. This enables the application to request a permanent access token from the API server.

The application uses the access token to generate a signature and timestamp, which are used in the X-PP-AUTHORIZATION header to make authorized API calls.
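One way for the application to check the redirect back from PayPal before it calls GetAccessToken, as an added example that is not PayPal's code: the callback is accepted only if its request token was issued to the same session, is within the roughly 15-minute lifetime, and has not been used already. The parameter names request_token and verification_code, the session identifier, and all class and function names are assumptions for illustration.

```python
import hmac
import time

REQUEST_TOKEN_TTL = 15 * 60  # seconds; the FAQ says "about 15 minutes"


class CallbackRejected(Exception):
    """The callback must not be exchanged for an access token."""


class PendingRequests:
    """Tracks request tokens between RequestPermissions and the callback."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # request_token -> (session_id, issued_at)

    def issued(self, request_token, session_id):
        """Record a token returned by RequestPermissions for this session."""
        self._pending[request_token] = (session_id, self._clock())

    def accept_callback(self, params, session_id):
        """Validate callback params; return (token, code) for GetAccessToken."""
        token = params.get("request_token", "")
        code = params.get("verification_code", "")
        if not token or not code:
            raise CallbackRejected("missing request token or verification code")
        entry = self._pending.get(token)
        if entry is None:
            raise CallbackRejected("unknown or already used request token")
        owner, issued_at = entry
        # Check the session first so another session cannot burn the token.
        if not hmac.compare_digest(owner.encode(), session_id.encode()):
            raise CallbackRejected("request token belongs to another session")
        del self._pending[token]  # single use: a replayed callback now fails
        if self._clock() - issued_at > REQUEST_TOKEN_TTL:
            raise CallbackRejected("request token expired")
        return token, code


if __name__ == "__main__":
    pending = PendingRequests()
    pending.issued("REQ-TOKEN-CONSTRUCTED", "session-1")  # constructed values
    cb = {"request_token": "REQ-TOKEN-CONSTRUCTED", "verification_code": "CODE-1"}
    print(pending.accept_callback(cb, "session-1"))
```

The local expiry check only saves a round trip; PayPal remains the authority on whether a request token is still valid.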