FPA API Integration guide
DocsCurrent
Last updated: Feb 5th, 9:51pm
The following guide describes information for partners to use Orders API endpoints to integrate with Fraud Protection Advanced (FPA).
APIs for FPA
Use the following endpoints from the Orders v2 API to get information about fraud protection for your merchant’s transactions:
Know before you code
Your merchants must meet the following integration requirements:
- Have PayPal Complete Payments (PPCP) capability enabled.
- Have integrated with Orders v2 API.
- Have Risk as a Service (RaaS) product provisioned.
-
Have FPA as the chosen fraud protection tool under RaaS. They should have also set up FPA for their PayPal business account.
- For more information on how to activate FPA for your PayPal business account, see Activating FPA through partner merchants.
- For more information on how to set up FPA for your PayPal business account, see following guides:
Essential prerequisites for optimal setup
To enhance risk and fraud management, we strongly recommend that your merchants provide additional data. This data is incorporated into PayPal’s machine learning models, allowing them to analyze historical transactions and to improve the model’s efficiency in detecting fraud. This approach optimizes the performance of your merchant’s risk and fraud management processes. To include this data, your merchant must pass the following fields to all requests sent to the Orders v2 API for processing.
Create order
The following table shows the required parameters for optimal FPA performance when making a POST call to the Create order endpoint of the Orders v2 API.
Device ID
- If your merchant is integrated through PayPal JS SDK, the device ID will be passed by default.
- If your merchant is integrated through APIs, they would need to do the following so that the device ID is passed in the request:
- Integrate Fraudnet if they are on a browser. The device ID is sent as
PAYPAL-CLIENT-METADATA-IDin the request data. - Integrate Magnes if they are on an app.
- If merchants do not want to use Fraudnet or Magnes, they can pass the device ID information directly through the Orders API requests in the
PAYPAL-CLIENT-METADATA-IDfield. For more information, see the Client-Metadata-Id in the Create order endpoint of the Orders v2 API.
- Integrate Fraudnet if they are on a browser. The device ID is sent as
Header
| Field name | Description | Type | Notes |
PayPal-Client-Metadata-Id |
The device ID for this purchase. See the parameter definition for more information. | String |
|
Body
| Field name | Description | Type | Notes |
payment_source.card.attributes.customer.email_address |
Email address of the buyer as provided to the merchant or on file with the merchant. Email Address is required if you are processing the transaction using PayPal Guest Processing, which is offered to select partners and merchants. For all other use cases, we do not expect partners or merchant to send email_address of their customer. See the parameter definition for more information. |
string |
|
payment_source.card.attribues.customer.phone |
The phone number of the buyer as provided to the merchant or on file with the merchant. The phone.phone_number supports only national_number. See the parameter definition for more information. |
object | |
payment_source.card.billing_address |
The billing address for this card. Supports only the address_line_1, address_line_2, admin_area_1, admin_area_2, postal_code, and country_code properties. See the parameter definition for more information. |
object | |
purchase_units.shipping.address |
The address of the person to whom to ship the items. Supports only the address_line_1, address_line_2, admin_area_1, admin_area_2, postal_code, and country_code properties. See the parameter definition for more information. |
object | |
purchase_units.items |
An array of line items that the customer purchases from the merchant. See the parameter definition for more information. | array of objects |
Capture payment for order
| Field name | Description | Type | Notes |
payment_source.card.name |
The cardholder's name as it shows up on the card. See the parameter definition for more information. | string |
|
payment_source.card.number |
The primary account number (PAN) for the payment card. See the parameter definition for more information. | string |
|
Supported payment methods
This integration supports the following payment methods:
- Credit card/Debit card transactions
- Apple Pay
- Google Pay
To test the Orders V2 API, refer to the Get Started guide for sandbox login credentials and access token information.
Identifying fraud filter activations
Use endpoints from the Orders v2 API to get response which contains the fraud filter failures, if any. For example, use the endpoint Create Order with the intent CAPTURE.
Sample request and response for Create Order endpoint
- Request
- Response
1{2 "request": {3 "method": "POST",4 "path": "v2/checkout/orders",5 "headers": {6 "Content-Type": "application/json",7 "PayPal-Request-Id": "7b92603e-77ed-4896-8e78-5dea2050476a",8 "PayPal-Client-Metadata-Id": "pay_ses_1pa68ngmzk5"9 "Authorization": "Bearer ACCESS-TOKEN"10 },11 "body": {12 "intent": "CAPTURE",13 "purchase_units": [14 {15 "reference_id": "d9f80740-38f0-11e8-b467-0ed5f89f718b",16 "amount": {17 "currency_code": "USD",18 "value": "100.00"19 },20 "shipping": {21 "address": {22 "address_line_1": "2211 N First Street",23 "address_line_2": "Building 17",24 "admin_area_2": "San Jose",25 "admin_area_1": "",26 "state": "",27 "postal_code": "95131",28 "country_code": "US"29 }30 },31 "supplementary_data": {32 "risk": {33 "customer": {34 "ip_address": "192.158.1.38"35 }36 }37 }38 }39 ],40 "payment_source": {41 "card": {42 "number": "4111111111111111",43 "expiry": "2025-02",44 "name": "John Doe",45 "billing_address": {46 "address_line_1": "2211 N First Street",47 "address_line_2": "17.3.160",48 "admin_area_1": "CA",49 "admin_area_2": "San Jose",50 "postal_code": "95131",51 "country_code": "US"52 },53 "attributes": {54 "customer": {55 "id": "n9a9sd",56 "email_address": "test123@gmail.com",57 "phone": {58 "phone_type": "MOBILE",59 "phone_number": {60 "country_code": "1",61 "national_number": "4083855946"62 }63 }64 }65 }66 }67 }68 }69 }70}
Modify the request code
- Change
ACCESS-TOKENto your access token. - Change the value of
PayPal-Client-Metadata-Idto your Device Id. - Ensure to send the following data fields to help with better risk evaluation. For more information, see essential prerequisites for optimal setup.
- Change
email_addressin the customer object to the email address of the customer. - Change
phone_numberin thecustomer.phoneobject to the phone number of the customer. - Change
addressin the shipping object to the shipping address of the customer. - Change the
billing_addressfields to the billing address information of the customer. - Change the
numberandnamein thepayment_source.cardobject to the card number and name of the card holder. - Change
ip_addressin thesupplementary_data.risk.customerobject to your customer’s IP address.
Response parameters
- The
statusof the response is set to201 Created. - The
captures.statusis set toCOMPLETED. In the case of an authorize scenario,authorizations.statusis set toCREATED. - The
links.hrefcontains the GET Order URL. Use this URL to get order details. - No risk assessment object will be returned in the response.
Note: If your merchant has not enabled any risk filters, the response will be the same as in a standard Capture Order scenario.
Get order details - no risk filters enabled
Use the Show order details endpoint to get the details on the failed risk filters along with the rest of the order details. The response will be the same as in a standard Capture Order scenario.
- Sample request
- Sample response
1{2 "request": {3 "method": "GET",4 "path": "v2/checkout/orders/{orderId}",5 "headers": {6 "Content-Type": "application/json",7 "Authorization: "Bearer ACCESS-TOKEN"8 }9 }10}
Modify the request code
- Change
ACCESS-TOKENto your access token. - Replace the
orderIdwith the one corresponding to your customer’s order.
Sample response for approved transaction
The Orders API returns the following response for an approved transaction:
1{2 "response": {3 "status": "201 Created",4 "headers": {5 "Content-Type": "application/json"6 },7 "body": {8 "id": "1B3121425K9657222",9 "intent": "CAPTURE",10 "status": "COMPLETED",11 "payment_source": {12 "card": {13 "name": "txn1",14 "last_digits": "6237",15 "expiry": "2026-01",16 "brand": "VISA",17 "available_networks": [18 "VISA"19 ],20 "type": "CREDIT",21 "bin_details": {22 "bin": "430591983",23 "issuing_bank": "SIERRA CENTRAL CREDIT UNION",24 "bin_country_code": "US"25 }26 }27 },28 "purchase_units": [29 {30 "reference_id": "REF123",31 "amount": {32 "currency_code": "USD",33 "value": "13.00"34 },35 "payee": {36 "email_address": "RaaS-DirectMerchant-FT01@abc.com",37 "merchant_id": "YQVPMPGKSQUMW"38 },39 "soft_descriptor": "NATURESKEEP",40 "payments": {41 "captures": [42 {43 "id": "6M8275308Y428715L",44 "status": "COMPLETED",45 "amount": {46 "currency_code": "USD",47 "value": "13.00"48 },49 "final_capture": true,50 "seller_protection": {51 "status": "NOT_ELIGIBLE"52 },53 "seller_receivable_breakdown": {54 "gross_amount": {55 "currency_code": "USD",56 "value": "13.00"57 },58 "paypal_fee": {59 "currency_code": "USD",60 "value": "0.83"61 },62 "net_amount": {63 "currency_code": "USD",64 "value": "12.17"65 }66 },67 "links": [68 {69 "href": "https://api.paypal.com/v2/payments/captures/6M8275308Y428715L",70 "rel": "self",71 "method": "GET"72 },73 {74 "href": "https://api.paypal.com/v2/payments/captures/6M8275308Y428715L/refund",75 "rel": "refund",76 "method": "POST"77 },78 {79 "href": "https://api.paypal.com/v2/checkout/orders/1B3121425K9657222",80 "rel": "up",81 "method": "GET"82 }83 ],84 "create_time": "2024-09-13T14:02:23Z",85 "update_time": "2024-09-13T14:02:23Z",86 "network_transaction_reference": {87 "id": "497635885629824",88 "network": "VISA"89 },90 "processor_response": {91 "avs_code": "Y",92 "cvv_code": "M",93 "response_code": "0000"94 }95 }96 ]97 },98 "risk_assessment": {99 "fraud_filter_details": {100 "status": "ALLOW",101 "filters_applied": [102 "Test Approve"103 ]104 }105 }106 }107 ],108 "create_time": "2024-09-13T14:02:23Z",109 "update_time": "2024-09-13T14:02:23Z",110 "links": [111 {112 "href": "https://api.paypal.com/v2/checkout/orders/1B3121425K9657222",113 "rel": "self",114 "method": "GET"115 }116 ]117 }118 }119}
Response parameters for approved transaction
- The
statusof the response is set to201 Created. - The
captures.statusis set toCOMPLETED. In case of an authorize scenario,authorizations.statusis set toCREATED. - The
links.hrefcontains the GET Order URL. Use this URL to get order details. - A
risk_assessment.fraud_filter_detailsobject will be returned specifying the following fraud filter details:statusof the risk assessment, value of which will always beALLOW.filters_applieddescribes filters applied during risk checks. These are typically set up and enabled by your merchants. For more information, see Create and set up filters.
Get order details for approved transaction
Use the Show order details endpoint to get the details on the failed risk filters along with the rest of the order details.
- Sample request
- Sample response
1{2 "request": {3 "method": "GET",4 "path": "v2/checkout/orders/{orderId}",5 "headers": {6 "Content-Type": "application/json",7 "Authorization": "Bearer ACCESS-TOKEN"8 }9 }10}
Modify the request code
- Change
ACCESS-TOKENto your access token. - Replace the
orderIdwith the one corresponding to your customer’s order.
Subscribe to CHECKOUT.ORDER.DECLINED Webhook event
To receive information about transactions declined due to pre-authorization risk filters, subscribe to the CHECKOUT.ORDER.DECLINED Webhook event. A sample response for this event is shown below. In this example, the transaction was declined because the custom TRANSACTION_AMOUNT_FILTER, configured by the merchant, failed.
1{2 "response": {3 "status": "200 OK",4 "headers": {5 "Content-Type": "application/json"6 },7 "body": {8 "id": "WH-COC11055RA711503B-3W074927CF383080E",9 "create_time": "2024-01-16T21:21:49.000Z",10 "event_type": "CHECKOUT.ORDER.DECLINED",11 "resource_type": "checkout-order",12 "resource_version": "2.0",13 "summary": "Checkout Order Declined due to Risk Fraud Filter failures",14 "resource": {15 "id": "3W074927CF383080E",16 "status": "CREATED",17 "payment_source": {18 "card": {19 "last_digits": "1111",20 "expiry": "2025-10",21 "brand": "VISA",22 "type": "CREDIT"23 }24 },25 "purchase_units": [26 {27 "reference_id": "d9f80740-38f0-11e8-b467-0ed5f89f718b",28 "shipping": {29 "address": {30 "address_line_1": "2211 N First Street",31 "address_line_2": "Building 17",32 "admin_area_2": "San Jose",33 "admin_area_1": "CA",34 "postal_code": "95131",35 "country_code": "US"36 }37 },38 "risk_assessment": {39 "fraud_filter_details": {40 "status": "DENY",41 "filters_applied": [42 "TRANSACTION_AMOUNT_FILTER"43 ]44 }45 }46 }47 ],48 "links": [49 {50 "href": "https://api-m.paypal.com/v2/checkout/orders/3W074927CF383080E",51 "rel": "self",52 "method": "GET"53 }54 ]55 },56 "links": [57 {58 "href": "https://api-m.paypal.com/v1/notifications/webhooks-events/WH-COC11055RA711503B-3W074927CF383080E",59 "rel": "self",60 "method": "GET"61 },62 {63 "href": "https://api-m.paypal.com/v1/notifications/webhooks-events/WH-COC11055RA711503B-3W074927CF383080E/resend",64 "rel": "resend",65 "method": "POST"66 }67 ],68 "zts": 1494957670,69 "event_version": "1.0"70 }71 }72}
Subscribe to CHECKOUT.ORDER.COMPLETED Webhook event
To receive information about transactions declined due to post-authorization risk filters, subscribe to the CHECKOUT.ORDER.COMPLETED Webhook event. A sample response for this event is shown below. In this example, the transaction was declined because the filters AVS_ZIP_MISMATCH and CVV_MISMATCH, configured for the merchant, failed.
1{2 "id": "WH-34M010001R114212F-8LR00246M4043391E",3 "event_version": "1.0",4 "create_time": "2024-09-11T09:11:03.200Z",5 "resource_type": "checkout-order",6 "resource_version": "2.0",7 "event_type": "CHECKOUT.ORDER.COMPLETED",8 "summary": "Checkout Order Completed",9 "resource": {10 "create_time": "2024-09-11T09:10:18Z",11 "purchase_units": [12 {13 "reference_id": "REF123",14 "amount": {15 "currency_code": "USD",16 "value": "6.00",17 "breakdown": {18 "item_total": {19 "currency_code": "USD",20 "value": "6.00"21 },22 "shipping": {23 "currency_code": "USD",24 "value": "0.00"25 },26 "handling": {27 "currency_code": "USD",28 "value": "0.00"29 },30 "insurance": {31 "currency_code": "USD",32 "value": "0.00"33 },34 "shipping_discount": {35 "currency_code": "USD",36 "value": "0.00"37 }38 }39 },40 "payee": {41 "email_address": "p4pmp_99c58fac-be6b-48f7-ad20-63e7f9f0268a@paypal.com",42 "display_data": {43 "brand_name": "INC"44 }45 },46 "soft_descriptor": "DEMO",47 "payments": {48 "captures": [49 {50 "id": "7SW18441P6357352M",51 "status": "DECLINED",52 "status_details": {53 "reason": "DECLINED_BY_RISK_FRAUD_FILTERS"54 },55 "amount": {56 "currency_code": "USD",57 "value": "6.00"58 },59 "final_capture": true,60 "disbursement_mode": "INSTANT",61 "seller_protection": {62 "status": "NOT_ELIGIBLE"63 },64 "seller_receivable_breakdown": {65 "gross_amount": {66 "currency_code": "USD",67 "value": "6.00"68 },69 "net_amount": {70 "currency_code": "USD",71 "value": "6.00"72 }73 },74 "links": [75 {76 "href": "https://api.paypal.com/v2/payments/captures/7SW18441P6357352M",77 "rel": "self",78 "method": "GET"79 },80 {81 "href": "https://api.paypal.com/v2/payments/captures/7SW18441P6357352M/refund",82 "rel": "refund",83 "method": "POST"84 },85 {86 "href": "https://api.paypal.com/v2/checkout/orders/8EY32815388724808",87 "rel": "up",88 "method": "GET"89 }90 ],91 "create_time": "2024-09-11T09:10:27Z",92 "update_time": "2024-09-11T09:10:27Z",93 "network_transaction_reference": {94 "id": "895546237854296",95 "network": "VISA"96 },97 "processor_response": {98 "avs_code": "A",99 "cvv_code": "D",100 "response_code": "0000"101 }102 }103 ]104 },105 "risk_assessment": {106 "fraud_filter_details": {107 "status": "DENY",108 "filters_applied": [109 "AVS_ZIP_MISMATCH",110 "CVV_MISMATCH"111 ]112 }113 }114 }115 ],116 "links": [117 {118 "href": "https://api.paypal.com/v2/checkout/orders/8EY32815388724808",119 "rel": "self",120 "method": "GET"121 },122 {123 "href": "https://api.paypal.com/checkoutnow?token=8EY32815388724808",124 "rel": "approve",125 "method": "GET"126 },127 {128 "href": "https://api.paypal.com:18824/v2/checkout/orders/8EY32815388724808",129 "rel": "update",130 "method": "PATCH"131 },132 {133 "href": "https://api.paypal.com:18824/v2/checkout/orders/8EY32815388724808/capture",134 "rel": "capture",135 "method": "POST"136 },137 {138 "href": "https://api.paypal.com:18824/v2/checkout/orders/8EY32815388724808/confirm-payment-source",139 "rel": "confirm",140 "method": "POST"141 }142 ],143 "id": "8EY32815388724808",144 "payment_source": {145 "card": {146 "name": "txnREFUND_AND_REVERSAL",147 "last_digits": "9084",148 "expiry": "2026-01",149 "brand": "VISA",150 "available_networks": [151 "VISA"152 ],153 "type": "CREDIT",154 "bin_details": {155 "bin": "407055807",156 "issuing_bank": "SIERRA CENTRAL CREDIT UNION",157 "bin_country_code": "US"158 }159 }160 },161 "intent": "CAPTURE",162 "status": "CREATED"163 },164 "links": [165 {166 "href": "https://api.paypal.com/v1/notifications/webhooks-events/WH-34M010001R114212F-8LR00246M4043391E",167 "rel": "self",168 "method": "GET"169 },170 {171 "href": "https://api.paypal.com:14084/v1/notifications/webhooks-events/WH-34M010001R114212F-8LR00246M4043391E/resend",172 "rel": "resend",173 "method": "POST"174 }175 ]176}
How to test your integration
You must onboard to the RaaS product and integrate with Advanced card processing before you test this integration.
For more information on how to activate FPA for your merchants, see Activating FPA through partner merchants.
For more information on how to upgrade your merchants to from Fraud Protection Standard (FPS) tool to FPA, see Upgrade to FPA.
For more information on how your merchant can set up filters, see Create and set up filters.
Test for pre-authorization filter failures
Set up your FPA with the appropriate filters and conditions, and apply these conditions in your request.
An example:
- You can configure a
TRANSACTION_AMOUNT_FILTERwhich fails if the transaction amount exceeds 1000. - Create an order which exceeds the amount 1000.
- Use
Authorize Order/Capture Order/and you will get aHTTP 422 UNPROCESSABLE ENTITYand the risk assessment status will be set toDENY.
Test for post authorization filter failures
Note: The following simulation rules will also work if you’ve integrated with PayPal’s SDK and you pass the values through SDK’s hosted fields.
Use the simulation rule specific CVV and address names. To ensure the AVS filter fails, set the address_line_1 in your Orders API request as shown in the following sample:
1"payment_source": {2 "card": {3 "number": "4111111111111111",4 "expiry": "2025-02",5 "name": "John Doe",6 "billing_address": {7 "address_line_1": "AVS_A_971",8 "admin_area_1": "CA",9 "admin_area_2": "San Jose",10 "postal_code": "95131",11 "country_code": "US"12 }13 }14 }
To ensure the CVV filter fails, set the security_code in your Orders API as shown in the following sample:
1"payment_source": {2 "card": {3 "number": "4111111111111111",4 "expiry": "2025-02",5 "name": "John Doe",6 "security_code" : 116,7 "billing_address": {8 "address_line_1": "2211 N First Street",9 "address_line_2": "17.3.160",10 "admin_area_1": "CA",11 "admin_area_2": "San Jose",12 "postal_code": "95131",13 "country_code": "US"14 }15 }16 }
Go live
For instructions to go live in PayPal’s production environment, see Production Environment.