Create and Manage NVP/SOAP API Credentials

When you call PayPal NVP/SOAP APIs, you must authenticate each request through a set of API credentials. PayPal associates these credentials with a PayPal account. You can generate credentials for any PayPal Business or Premier account.

Important:

All PayPal API certificate credentials that were created before February 4, 2016 are 1024-bit, SHA-1 certificates that expire after 10 years.

As of February 4, 2016, all PayPal API certificate credentials are 2048-bit, SHA-256 certificates that expire every three years. Consequently, PayPal requires all merchants to upgrade to the new 2048-bit certificates before September 2018.

If you currently connect to PayPal through API certificate credentials, you must generate an API certificate through your account profile and use it for all API requests. To prevent an interruption in API services, you must renew your certificate before it expires. Note that the certificate lifetime is now three years.

For detailed information about the certificate upgrade, see the Merchant API Certificate Credentials Upgrade.

Types of credentials

The NVP/SOAP APIs support:

  • API certificates

    Contain the API user name and password and the certificate.

    PayPal recommends that you use certificate credentials for security reasons. See API certificates.

  • API signatures

    Contain the API user name and password and the signature. See API signatures.

Note: All Adaptive platform APIs require that you supply an appID with your signature or certificate credentials. The Adaptive APIs include Adaptive Payments, Adaptive Accounts, Permissions Service, and Invoicing Service.

API certificates

Learn how to create and manage certificate API credentials.

Create API certificates

Note: If your API certificate is expiring, proceed to Renew an API certificate.

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox merchant account.

  2. Click the settings icon at the top of your PayPal account page and then click Profile and settings.

  3. Click My selling tools.

  4. In the Selling online section, click Update for the API access item.

  5. To generate the certificate set, click Request API Credentials on the API Access page in the NVP/SOAP API Integration section.

    Note: If you have already generated an API certificate, the API Access page shows the View API Certificate link. To generate a new API certificate, you must first delete the existing certificate. If your live application does not use the existing certificate, click View API Certificate and then click Remove Certificate to delete it.

  6. On the Manage API certificate page, select Request API certificate.

    Then, click Agree and Submit.

    The Manage API Certificate page appears.

  7. Click Download Certificate.

The cert_key_pem.txt file contains the certificate. Save the file to a secure location.

PayPal formats the API certificate file in PEM format. The file contains both your public certificate and the associated private key. Although the PEM certificate is not human readable, the file is not encrypted. For details, see Encrypt your certificate.
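
An added example, not part of PayPal's documentation: a shell function that audits a downloaded certificate file against the requirements stated above (2048-bit key, SHA-256 signature, renewal before expiry) and flags a key file that other users can read. The function name `check_api_cert`, the default 30-day renewal window and the file-permission check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not PayPal code): audit a PEM file that holds the API
# certificate and its private key, such as cert_key_pem.txt.

# check_api_cert FILE [WARN_DAYS]
# Prints one finding per line. Returns 0 if the certificate is a 2048-bit,
# SHA-256 certificate that stays valid for WARN_DAYS more days, else 1.
check_api_cert() {
    local pem="$1" warn_days="${2:-30}" rc=0 text bits sigalg perms

    if ! text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null); then
        echo "ERROR: no readable certificate in $pem"
        return 1
    fi

    # e.g. "Public-Key: (2048 bit)" and "Signature Algorithm: sha256WithRSAEncryption"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: ${bits:-unknown}-bit key, 2048-bit required"; rc=1
    fi
    case "$sigalg" in
        sha256*) ;;
        *) echo "FAIL: signature algorithm '$sigalg', SHA-256 required"; rc=1 ;;
    esac

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "FAIL: expires within $warn_days days ($(openssl x509 -in "$pem" -noout -enddate))"
        rc=1
    fi

    # The file carries an unencrypted private key: warn if group/other have access.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || echo "WARN: $pem is accessible to group/other, run chmod 600"

    return "$rc"
}

# Usage: check_api_cert cert_key_pem.txt 60
```

Running it from a scheduled job with a window longer than your deployment lead time gives notice before the three-year certificate lapses.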

Renew API certificates

The renewal process generates a certificate that you can install to replace any expiring certificate.

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox business account.

  2. Click the settings icon at the top of your PayPal account page and then click Profile and settings.

  3. Click My selling tools.

  4. In the Selling online section, click Update for the API access item. Then, click View API Certificate.

  5. On the Manage API certificate page, check the status of your API certificate to verify whether it is Active or Expires soon.

  6. If the status is Expires soon, click Renew certificate.

    This action generates an additional certificate with the Active status. The Manage API certificate page shows both certificates.

  7. On the certificate marked as Active, click Download Certificate and follow the steps to download a certificate.

After you import the new API certificate, test your integration to ensure it works with the certificate. Distribute your certificate to all affected partners. After the old certificate expires, click Remove Certificate to remove the certificate.

Encrypt API certificates

The PayPal SDKs for Java and ASP.NET require that you encrypt the certificate into PKCS12 format before you can use it with the SDKs.

Note: The PayPal SDK for PHP does not require SSL encryption.

Tip: If you use encryption, ensure that you encrypt both your sandbox and live API certificates.

The steps to encrypt your certificate require the OpenSSL encryption tool. While UNIX users likely have this tool installed with their operating system, Windows users must download OpenSSL. To install OpenSSL, accept the defaults.

  1. In a command prompt, ensure that the OpenSSL bin directory is in your system path. If not, add it to your path.

  2. Change directories to the location of the certificate to encrypt (cert_key_pem.txt) and run:

    openssl pkcs12 -export -in cert_key_pem.txt -inkey cert_key_pem.txt -out paypal_cert.p12
    

Note: When you encrypt a certificate, you are prompted for a password to use to decrypt the file. At the Enter Export password prompt, enter a password. Store it in a secure location.

The paypal_cert.p12 file contains your encrypted API certificate.

Install API certificates for ASP.NET

If you are developing with the PayPal SDK for ASP.NET, Windows requires that you:

For more information, see the PayPal How do I import my certificate into the Windows key store? knowledge base article.

API signatures

To create an API signature:

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox business account.

  2. Click the settings icon at the top of your PayPal account page and then click Profile and settings.

    Note: If you do not see the profile icon on the top right, select Profile, which appears in the top menu on the My Account tab.

  3. From the left menu, click My selling tools.

  4. In the Selling online section, click the Update link for the API access item.

  5. On the API Access page, click Manage API credentials.

    Note: If you have already generated an API signature, the API Access page shows a View API Signature link. To generate a new API signature, you must first delete the existing API signature. If your live application does not use the existing API signature, click View API Signature and then click Remove to delete it.

  6. Select Request API signature. Then, click Agree and Submit.
