Integrate Log in with PayPal

Add the Log in with PayPal button to your website or app

docscurrentLast updated: December 6th 2023, @ 7:15:17 am


Follow these steps to add the Log in with PayPal button to your website or app:

Know before you code

  • Complete the steps in Get started to get the following sandbox account information from the Developer Dashboard:
    • Your client ID
    • Your access token
    • Your business account credentials
    • Your personal account credentials
  • This integration uses the Identity API.

1. Enable Log in with PayPal

  1. Log into the Developer Dashboard.

  2. From Apps & Credentials, select your app.

  3. Under Other features, select the Log in with PayPal checkbox and then select Advanced Settings.

  4. Enter a Return URL. Your website or app redirects your users to this URL after they complete the Log in with PayPal flow.

  5. Select the user information you want shared with your website or app:

    • We recommend that you ask your users to share only the minimum amount of information that you need. The fewer permissions you ask for, the more likely it is your users will grant them.
    • If you intend to use payouts or money withdrawal, select the following:
      • Email
      • Account verification status
      • PayPal account ID (payer ID)

    Note: You'll have access to the values of the attributes that you select. However, this doesn't authorize you to email users. You must provide your users with a separate option to opt-in or opt-out of communications not related to purchases (such as marketing emails, newsletters, and offers).

  6. Enter your Privacy policy URL and User agreement URL.

    • For testing purposes, you can enter https://example.com.
    • When you go live, replace the example URLs with your live URLs. The PayPal privacy and security team reviews these URLs and they are necessary for activating Log in with PayPal for your website or app.

2. Add Log in with PayPal button

You have two options for adding the Log in with PayPal button to your website or app:

OptionUse case
Generate buttonIf you want the simplest integration, use the PayPal button generator to dynamically generate the necessary JavaScript.
Build buttonIf you want greater control and customization options, manually build the button and construct your own authorization endpoint and parameters.

3. Get access token

Exchange the authorization code for an access token so you can call PayPal's user profile service.

  1. Make a call to PayPal's tokenservice endpoint: https://api-m.sandbox.paypal.com/v1/oauth2/token.

  2. Pass the authorization code to the tokenservice endpoint with the following parameters:

ParameterSpecify inDescription
AuthorizationheaderSeparate your Base64-encoded client ID and secret credentials by a colon (:).
grant_typeform bodyThe type of credentials that you provide to obtain a refresh token. Set to authorization_code.
codeform bodyEnter the PayPal-generated authorization code.

Sample Request

1curl -X POST https://api-m.sandbox.paypal.com/v1/oauth2/token \
2 -H 'Authorization: Basic {Your Base64-encoded ClientID:Secret}' \
3 -d 'grant_type=authorization_code&code={authorization_code}'

Sample Response

{
   "scope": "openid profile https://uri.paypal.com/services/paypalattributes",
   "access_token": {access_token},
   "token_type": "Bearer",
   "expires_in": "28800",
   "refresh_token": {refresh_token},
   "nonce": {one_time_use_random_string}
}

Note: The access token expires after a short period of time, so you also receive a refresh token that you use to periodically refresh the access token. When you need to make a call to the user info service, use the refresh token first to get a new access token that you can then use to call the user info service.

FieldTypeDescription
scope: {scope}StringA list of space-separated permissions associated with the access token.
access_token: {access token}StringIdentifies the actual token used to call the user info endpoint.
token_type: {type}StringDefines the type of token, in this case the token type is Bearer.
expires_in: 28800StringIdentifies the number of seconds until the access token expires. Default is 28800 seconds or 8 hours.
refresh_token: {refresh token}StringIdentifies the actual token used to refresh the access token.
nonce: {nonce}StringA one-time use random string generated from server-specific data, used to prevent replay attacks.

access-token-flow

4. Exchange refresh token for access token

  1. Make a call to PayPal's tokenservice endpoint:

    https://api-m.sandbox.paypal.com/v1/oauth2/token

  2. Pass the refresh token to the tokenservice endpoint with the following parameters:

ParameterSpecify inDescription
AuthorizationheaderSeparate your Base64-encoded client ID and secret credentials by a colon (:).
grant_typeform bodySet to refresh_token.

Sample request

1curl -X POST https://api-m.sandbox.paypal.com/v1/oauth2/token \
2 -H 'Authorization: Basic {Your Base64-encoded ClientID:Secret}=' \
3 -d 'grant_type=refresh_token&refresh_token={refresh token}'

Sample response

1{
2 "scope": "openid profile https://uri.paypal.com/services/paypalattributes",
3 "token_type": "Bearer",
4 "expires_in": "28800",
5 "access_token": {access_token},
6 "nonce": {one_time_use_random_string}
7 }
FieldTypeDescription
scope: {scope}StringA list of space-separated permissions associated with the access token.
token_type: {type}StringDefines the type of token, in this case the token type is Bearer.
expires_in: 28800StringIdentifies the number of seconds until the access token expires. Default is 28800 seconds or 8 hours.
access_token: {access token}StringIdentifies the actual token used to call the user info endpoint.
nonce: {nonce}StringA one-time use random string generated from server-specific data, used to prevent replay attacks.

5. Get customer info

Call the Show user profile information method with the desired parameters to obtain the customer information.

6. Test

  1. Log in to the Developer Dashboard and create a new sandbox test account.
  2. Click your Log in with PayPal button.
  3. Log in to PayPal using the test buyer account you created.
  4. Make sure you received a non-empty authorization code in the return URL query parameter.
  5. Exchange the authorization code for a token as described in Get access token.
  6. Call the user info endpoint with the access token and verify that you received the correct user information.

7. Go live

App review

Because Log in with PayPal involves sharing customer data, PayPal must review your app and approve it, before it can go live. All scopes require PayPal's approval.

  • For live apps, once you finish configuring Log in with PayPal and select the Save button, your application is automatically submitted for review. The review process typically takes a few weeks.
  • For sandbox apps, you don't need to submit your app for review. Log in with PayPal is enabled once you finish configuring your app in the Developer Dashboard and select the Save button.

Note: The app review process typically takes a few weeks. Plan for the app approval process before your planned go live date.

Replace sandbox credentials with live credentials

  1. Button URL: change the endpoint from https://www.sandbox.paypal.com/connect? to https://www.paypal.com/connect?

Example

https://www.paypal.com/connect?flowEntry=static&client_id=CLIENT-ID&response_type=code&scope=openid%20profile%20email%20address&redirect_uri=https%3A%2F%2Fwww.google.com%3Fstate=123456
  1. Code to token: change the endpoint from https://api-m.sandbox.paypal.com/v1/oauth2/token to https://api-m.paypal.com/v1/oauth2/token
  2. User info: change the endpoint from https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo to https://api-m.paypal.com/v1/identity/oauth2/userinfo

Test a live user flow

  1. Click your Log in with PayPal button.
  2. Log in to the PayPal window using a real buyer account. If you don’t have a real PayPal buyer account, go to the PayPal website and click Sign Up.
  3. Click on the Log in with PayPal button to complete the consent.
  4. Make sure you received a non-empty authorization code in the return URL query parameter.
  5. Exchange the authorization code to token as described in Get access token.
  6. Call the user info endpoint with the access token and verify that you receive the correct user information.

Next steps

See also