Make Identity Calls on Behalf of a User

You get a user’s consent to make Identity API calls on their behalf by redirecting them to the authorization endpoint. For more information, see the Identity API.

Authorization endpoint:

  • Live: https://www.paypal.com/signin/authorize
  • Sandbox: https://www.sandbox.paypal.com/signin/authorize

Note: The live endpoint also accepts an optional ISO 3166-1 two-letter country code in the path:

https://www.paypal.com/country-code/signin/authorize

If you include this code, translated content is available for the app, and the language is written left-to-right, a localized login page appears.

To invoke the login flow, redirect the browser (HTTP 302) from your application to the authorization endpoint with the following query parameters:

Query parameters (property, type, description):

  • client_id (string). Unique client ID that is returned when you create an app. Required.
  • response_type (string). One of the following values:
      ◦ code. Requests that an authorization code be sent to the application return URL. Recommended, because the access token is never exposed in the user-agent.
      ◦ token. Returns an access token directly. Typically used by public clients, such as JavaScript or mobile applications.
      ◦ id_token. Returns a session assertion tied to the user's authentication. Used, for example, in remote procedure calls for explicit session management such as logout.
  • scope (string). URL-encoded, space-separated list of requested scope URIs, for example (URL-encoded) "profile+email+address". For the list of possible values, see Log In with PayPal User Attributes.
  • redirect_uri (string). Application return URL to which the authorization code is sent. It must match the return URL registered for your app on the My Apps & Credentials page of the PayPal Developer site: protocol, host, port, context path, and query parameter names and values must all match, with the exception of the state parameter. Use the state parameter to pass information that was not known when the return URL for your app was registered. The state parameter must be URL- and Base64-encoded.
  • nonce (string). An opaque, random value that mitigates replay attacks. A simple construction is: timestamp + Base64 encoding of random[16].
  • state (string). Any value the application needs in order to recover the request context when the user is redirected back.

The Log In with PayPal authorization endpoint validates the authorization/authentication request and directs the user to log in. After a successful login, a consent message is displayed to the user. The user's consent grants the requesting application access to the user's PayPal attributes, as indicated by the scope specified in the request.

Return to application

After the user grants consent, PayPal redirects (HTTP 302) the user to the return URL with an authorization code appended to the URL. Use the authorization code to get a refresh token and initial access token.

Example authorization request (sandbox):

https://www.sandbox.paypal.com/signin/authorize?client_id=client_id&response_type=code&scope=profile+email+address+phone+https%3A%2F%2Furi.paypal.com%2Fservices%2Fpaypalattributes&redirect_uri=https://example.com/myapp/return.php

Example redirect back to the application, with the authorization code appended:

https://example.com/myapp/return.php?scope=profile+email+address+phone+https%3A%2F%2Furi.paypal.com%2Fservices%2Fpaypalattributes&code=authorization_code
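The request and return steps above, worked through as an added Python example (not PayPal's own code): it builds the sandbox authorization URL with the nonce and Base64-encoded state described in the parameter list, then parses the redirect back to the application and extracts the authorization code. The client ID is a placeholder, and the state comparison in handle_return is an added check that the page itself does not describe.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: a placeholder client ID plus the sandbox endpoint and return URL from the page.
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://example.com/myapp/return.php"
AUTHORIZE_URL = "https://www.sandbox.paypal.com/signin/authorize"
SCOPES = ["profile", "email", "address", "phone",
          "https://uri.paypal.com/services/paypalattributes"]


def make_nonce() -> str:
    """Nonce built as the page suggests: timestamp + Base64(16 random bytes)."""
    return str(int(time.time())) + base64.b64encode(secrets.token_bytes(16)).decode()


def encode_state(context: str) -> str:
    """Base64-encode the application context; urlencode() adds the URL encoding."""
    return base64.b64encode(context.encode()).decode()


def decode_state(state: str) -> str:
    return base64.b64decode(state.encode()).decode()


def build_authorize_url(state: str, nonce: str) -> str:
    """Authorization request URL; urlencode() joins scopes with '+' and escapes the URI scope."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # code: the access token never passes through the user-agent
        "scope": " ".join(SCOPES),
        "redirect_uri": REDIRECT_URI,
        "nonce": nonce,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_return(return_url: str, expected_state: str):
    """Parse the redirect back from PayPal; return (authorization code, decoded context)."""
    query = parse_qs(urlparse(return_url).query)
    # Added check, not described on the page: accept only a state this app actually issued.
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state does not match the pending authorization request")
    if "code" not in query:
        raise ValueError("return URL carries no authorization code")
    return query["code"][0], decode_state(expected_state)
```

The code returned by handle_return is what you then exchange for the refresh token and initial access token.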