Once you've finished coding and debugging your application (including testing all your PayPal NVP/SOAP API calls in the Sandbox), go live by moving your application to PayPal's production environment.
To take your application live:
- Ensure your application adheres to the PayPal Application Policies and Guidelines.
- Update the Sandbox API credentials in your PayPal calls to those assigned to a live PayPal account.
- Update your PayPal endpoints from the Sandbox to the PayPal production servers.
- Register your application with PayPal.
- If your application makes use of Adaptive operations, obtain a live AppID.
- Go Live!
This document describes how to move your application to the live PayPal environment and how to create an application that provides a secure and dependable user experience. It covers the following sections:
- Obtaining your live PayPal credentials
- Using the PayPal production endpoints
- Registering your application with PayPal
- Go Live checklist
Obtaining your live PayPal credentials
All calls to PayPal operations are made through the application account, which is a PayPal account that is controlled by the application owner. Every PayPal service request needs a set of API credentials to make the call. PayPal assigns a set of API credentials (a User ID, Password, and Signature) to an account upon request.
In addition to the API credentials, calls to the Adaptive API operations also require an AppID value. When testing in the Sandbox, developers can use the global Sandbox AppID value. However, to move your application into production, you must obtain a live AppID value from PayPal. See Registering your application with PayPal for more information.
Tip: To obtain live PayPal credentials, you must have a verified Premier or verified Business PayPal account.
Obtain your live API credentials as described in Creating and Managing NVP/SOAP API Credentials.
If you have existing API credentials, you can use this shortcut to review them: https://www.paypal.com/us/cgi-bin/webscr?cmd=_profile-api-signature
Tip: Remember, the AppID you use for Sandbox testing is not supported by the PayPal production servers.
Using the PayPal production endpoints
Depending on the API operations you call and how you call them, you might use several PayPal endpoints in your application. Ensure you're using the correct production endpoints in all your PayPal API calls. For a complete list of available endpoints, see the NVP/SOAP API Endpoints page.
Registering your application with PayPal
The biggest change when going live is the fact that you're moving from virtual test accounts in the Sandbox to live accounts owned by real people who hold balances containing real money. While this profound change should not require updates to the routines in your application, it stands out as a fundamental change in processing.
PayPal is a global leader in online payments. As such, one of our main goals is to offer a safe, secure, and reliable environment for all of our users. To make sure we fulfill this goal, PayPal requires that you register your applications with PayPal before you can go live and access the PayPal production servers.
Important: Before registering your PayPal application, make sure the status of the PayPal account used to submit the application is verified.
The PayPal Developer agreement highlights all the points with which your application must comply. Be sure to read and fully understand this document before submitting your application to PayPal: PayPal Developer Agreement
Submitting your application
To submit your website or mobile application to PayPal:
Log into the PayPal Developer website using the credentials of the PayPal account registered to the application owner.
Note: The PayPal account associated with the application must be a verified Premier or verified Business account.
Click Dashboard at the top of the page to open the My Apps & Credentials page. (Alternately, you can go directly to the My Applications page by navigating to the My Apps & Credentials page on the Developer website.)
Registering a REST API app
- In the REST API apps section, click Create app.
- See creating an app for more information.
Registering an NVP/SOAP API app
- Click Dashboard at the top of the page to open the My Apps & Credentials page.
- Click the Create and manage NVP/SOAP API apps link at the bottom of the page.
- Click New App on the left nav bar to access the App Information form.
- Complete the form and click the Submit App button. To ensure the fastest possible application review, supply as much information as possible when completing the submittal form.
Tip: When filling out the application, be sure to provide the e-mail address that corresponds to the PayPal account that is used make API calls.
The type of API operations used in your application dictates the review process applied to your application. PayPal divides applications into three distinct review categories:
- Merchant APIs include Express Checkout, Website Payments Pro, Button Manager, Mass Pay, Recurring Payments, and all of the Informational APIs.
- Adaptive APIs include Adaptive Payments, Adaptive Accounts, the Permissions Service, and the Invoicing Service. Calls to these APIs require an AppID value.
- Mass Pay includes only the
Reviewing applications with Merchant API calls
If your application makes calls to the PayPal Merchant APIs (such as Express Checkout), you can begin making production calls using the credentials assigned to your PayPal account as soon as you register your application. PayPal reviews your application within 24 – 72 hours of your submission to ensure it complies with all requirements. After the review, PayPal grants final approval to your application.
PayPal will contact you only if there are any questions or concerns raised during the review process. If you do not hear from PayPal, either during or after the review period, you can assume your application was reviewed without concern and you may continue using the credentials assigned to you. If the review process does surface questions, these must be addressed before you can continue making production calls from your application.
Reviewing applications with Adaptive API calls
The Adaptive APIs consist of the operations in Adaptive Payments, Adaptive Accounts, and the Permissions and Invoicing Services. PayPal issues a unique AppID for each application that makes calls to Adaptive API operations. To make calls to the Adaptive APIs, use the AppID value in conjunction with the API credentials that are issued to the application owner.
You can use the Global AppID value to test your applications in the Sandbox. To go live, however, you must use the live AppID that PayPal generates for your application. This means you need to submit to PayPal for review any application that uses Adaptive API operations in order to obtain a live AppID that's specifically assigned to that application.
When you submit your application for review, PayPal scans your application and sets the Application Status to one of the following states:
PayPal issues an AppID for the production servers at the time you submit the application.
PayPal classifies select operations within Adaptive Payments, Adaptive Accounts, and the Permissions Service as advanced operations. If your application uses certain advanced operations, PayPal Conditionally approves your application and issues an AppID within two business days. In addition, PayPal might require you supply other information after you place your application into production.
Certain operations and business models might require your application to be subjected to a two-phase review process. For example, Personal Payments, chained payments, and pre-approval operations, or complex business models (such as crowdfunding) can trigger a two-phase review.
When your Application Status is set to Open, PayPal first reviews the application from a buyer's perspective to make sure it follows the correct payments flow when utilizing the PayPal APIs. In the second phase, PayPal reviews the application's business model to ensure the safety and protection of our PayPal customers. PayPal also uses this phase to ensure your application adheres to the PayPal Developers Network guidelines and terms of service.
PayPal will contact you within five business days as part of the Open status review process. The total length of the application review process depends on how quickly you respond to questions about your application, and the complexity of your business model. Your application is assigned an AppID for the production servers after the second phase of the Open review is completed. While it is possible for a two-phased review to be completed in as little as 10-14 days, it normally takes longer than this to complete the review and it's not uncommon for full reviews to span several weeks.
If your Application Status is other than any of the states listed above, or if the state is listed as In Development, it is likely the application is not fully submitted. Please review the submittal form and click the Submit for Approval button to finalize the submission.
Keep these tips in mind when planning your application submission:
- If your application is Automatically Approved, but you need to integrate additional Adaptive API operation calls, retire your current AppID value and submit an updated application containing all the needed Adaptive API calls.
- The most complex business models might require several weeks for a complete two-phase review. Please plan ahead and submit your application early to ensure adequate time for the review process.
Reviewing applications with Mass Pay API calls
If your application uses the Mass Pay operation, you must white-list your application before you can move it to the live environment. To enable Mass Pay, reference transactions, and address verify on your account, contact PayPal Customer Service.
About the review process
When you register your application, a PayPal agent reviews it to ensure it meets the criteria outlined by PayPal. Reviewers might require additional information or they might have questions about your application. If reviewers have questions, they will post them to the account that submitted the application.
During the time your application is in review, check the submission page often; the review process will be held until all questions or requests are answered. If questions are posted, a notification will be sent to the e-mail address associated with the PayPal account that was used to submit the application. If you don't have access to this e-mail, check the Developer site. It's also a good idea to check your junk mail folder to insure that legitimate PayPal messages are not being marked as spam.
All reviews are performed on a first-come, first-serve basis and there is no expedited review process available. Review times can vary and you should make sure to take the review time into account in your business planning. The amount of time it takes to review your application depends on a number of factors, including the different PayPal APIs in your application, the uniqueness and complexity of your business model, and whether you are submitting a PayPal application or are applying for Business Payments. The PayPal reviewers might have many questions, or perhaps they will have none—it all depends on the application you submit.
Upgrading your application
PayPal offers an integrated suite of powerful APIs to help you throughout your transaction processing. It can behoove you to consider the full range of PayPal's APIs when you first create the accounts receivable aspect of your business. For example, if your business handles a high volume of transactions, you might benefit from integrating a refund feature into the flow of your application by taking advantage of the PayPal API that handles refunds.
Using the tried-and-tested solutions from PayPal helps to provide a robust base upon which you can build your business. Leveraging the PayPal APIs in your accounts receivables module frees you from the worry associated with the implementation of this important part of your application. With the nitty-gritty details of transaction processing soundly handled by PayPal, you are free to focus your energies on the other important features of your service.
If you add new Adaptive operation calls to an application that was previously "Automatically Approved," you need to retire your current AppID and obtain a new one by submitting your application for review. Be aware that your modified application might require a full review be completed in order to test any new payment models or application flows.
However, if your application has already been reviewed and approved, contact Developer Technical Services at the following site for instructions on how to proceed with your newly enhanced application: https://www.paypal.com/dts
Managing your applications
Manage your existing PayPal apps through the the PayPal Developer website My Apps & Credentials page.
Managing REST API apps
In the REST API apps section of the PayPal Developer website My Apps & Credentials page, click the name of your app. From there you can:
- View your Sandbox and Live credentials.
- Add a webhook.
- Modify your app settings.
Registering an NVP/SOAP API app
Click the link at the bottom of the PayPal Developer website My Apps & Credentials page to Create and manage NVP/SOAP API apps. From there you can:
Manage the users who have access to your app.
Use this feature to share app ID values with the other developers on your team.
View status messages associated with your app.
View the app history.
Retire the app from use.
Go Live checklist
After you've finished testing your application in the PayPal Sandbox, move it into the production environment so you can process live transactions. This quick-reference checklist provides an overview of how to successfully take your application live.
Review the items below to make sure you're ready to Go Live!:
Ensure your PayPal account is verified before you register it to go live.
Configure your live PayPal account settings and profile.
Make sure your Seller Preferences settings match those that you used during your Sandbox testing (or are appropriate for production use). For example, you might have configured an IPN listener or customized your invoice settings while testing. You want to be sure to duplicate these settings in your live PayPal account. It can help to keep things organized if you use an email address similar to the following:
Make sure your PayPal API calls are directed at PayPal's production environment.
Get your live API credentials and use them wherever you call PayPal API operations.
Do not to confuse your live API credentials with those generated in your Sandbox. While you can use either a signature or API certificate, PayPal recommends you use your PayPal-assigned signature to authenticate PayPal API calls.
If you use any Adaptive APIs, obtain your live AppID from PayPal, and use it in all your Adaptive calls.
Configure any needed third-party authorizations.
If you're making API calls on behalf of a merchant, make sure to replicate the third-party authentication you set up in the Sandbox in your live account.
If you're using the PayPal SDKs, create an SDK API profile.
If your application uses the PayPal SDKs, create an API Profile object that contains the details of your live account. This includes making sure the environment field is set to live, and configuring your live API credentials where they are defined.
Update your firewalls with the PayPal IP addresses.
If necessary, add PayPal's IP addresses to any list of trusted IP addresses needed by your firewall, or any other network devices.