Verify a mobile payment

Important: PayPal Mobile SDKs are now Deprecated and only existing integrations are supported. For all new integrations, use Braintree Direct or Express Checkout.

An important step in using the PayPal Android or iOS SDK is to verify the returned payment.

Note: For links to documentation pages on GitHub, see PayPal Mobile SDKs.

Why should I verify payments?

It's important to verify the returned payment to ensure your account has actually received the expected payment. If you do not verify payments, you open yourself to fraud.

To verify a payment, answer the following questions:

  • Is the proof of payment authentic?
  • Am I the recipient of the payment?
  • Are the amount and currency correct?
  • Has the payment been previously used?

Server-to-server calls to PayPal services can help confirm that the payment is authentic, for the expected amount and currency, and that you are the recipient of the payment. It is up to you to ensure that any given proof of payment only gets used once.

How do I verify payments with MSDK version 2.x?

The basic steps for making and verifying a payment with MSDK version 2.x, described below, are the following:

  1. Your app makes a successful payment with a PayPal Mobile SDK.
  2. Your app sends data about the payment to your server.
  3. Your server can store the payment id value in a database.
  4. From your server, you use the payment id value to look up the payment details with the REST API.
  5. You verify the payment details, as follows.

After a successful payment is made with the MSDK 2.x, the MSDK returns data to your app about the payment (received by the MSDK from the REST API). A sample response is:

    "product_name":"PayPal iOS SDK;"

Your server can store the unique payment id value from the above response.

Look up a payment by using the REST API

The REST API provides a simple way to integrate with PayPal. For descriptions of the available resources, see the REST API reference.

To make calls to the REST API, you first use your application's OAuth keys (a client_id and secret) to obtain an access token. See Make your first call for a sample.

After you have the access token, you can use it in the header of a request to look up a payment. From your server, use the payment id value (described previously) in a GET request to the endpoint for obtaining payment details. Make the following example call from your server to the REST API:

curl \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer accessToken"

Verify that the payment:

  • Is approved ("state": "approved").
  • Contains a transaction object that includes:
    • An amount with total and currency values that match your expectation.
    • A sale that is completed (in related_resources, with "state": "completed").

The live endpoint is{payment_id}.

To look up a payment, see look up a payment.