How do I configure hosted reference transactions with PayPal? - php

My requirement is that I need to use a Hosted (uk) solution to generate a reference transaction token that can then be called periodically without the user having to initiate the transaction again.
Currently, using the classic API I have something akin to a reference transaction working, however this requires the user to have a PayPal account - I also need to be able to accept card details (no PayPal account).
The only way to accept card details seems to be with the hosted (uk) solution however I have no idea how to set this up. So, I guess the questions are this:
1) Am I able to allow card AND PayPal account for the reference transactions?
or
2) How do I set up / configure a hosted solution? Or is this simply a case of using the docs and an iframe with no config in the PayPal account?

For your second question - Yes it is straightforward. See the Hosted Docs and integrate.

As #DiceyRamp has stated the hosted solution is just a case of using the docs, no account specific setup is required.
To answer the first question :- it is NOT possible to use the PayPal Hosted API for Reference Transactions. You instead must use the Button API to create a reference token. In order to generate a token without a purchase you must go one further, generate an order and then immediately void it.
Credit where credit is due, this was answered for me over email by another developer. I'm including his explanation here in the hope that it helps others.
Paypal button API Examples
The specific process is this:
We create an iframe url using the PayPal BMCreateButton method, with the BUTTONTYPE set to “PAYMENT” and the BUTTONCODE as “TOKEN”. We then set all the usual order parameters up (name, address, notify_url etc) and then url encode them. We then execute the BMCreateButton with the above arguments set, this gives us an iframe url which we render on the page.
To generate a token we use a dummy £1 order.
The code that executes on the “notify_url” basically takes the IPN message, and if the result is ‘VERIFIED’ then it stores the ‘txn_id’ as the token.
This can then be used later on a PayPal DoReferenceTransaction API call, using the txn_id as the “REFERENCEID” parameter. The notify_url code will NOT store the txn_id if the IPN states the order was a VOID; you can’t do a repeat against a void, so we never store the void txn_id as a token.
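The notify_url logic described in the answer above, as an added example that is not part of the original answer or PayPal's own code: the IPN body is posted back to PayPal for verification, and the txn_id is returned for storage only when the message is verified and is not the void. The function names, the constructed IPN fields and the txn_id format check are assumptions.

```php
<?php
declare(strict_types=1);

// Post the raw IPN body back to PayPal with cmd=_notify-validate prepended.
// PayPal replies with the literal text VERIFIED or INVALID.
function ipnIsVerified(string $rawBody, bool $sandbox = false): bool
{
    $url = $sandbox
        ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
        : 'https://ipnpb.paypal.com/cgi-bin/webscr';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) && trim($reply) === 'VERIFIED';
}

// Return the txn_id to store as the reference token, or null when this IPN
// must not produce one (unverified message, or the void of the dummy order).
function referenceTokenFromIpn(array $ipn, bool $verified): ?string
{
    if (!$verified) {
        return null;
    }
    if (strcasecmp($ipn['payment_status'] ?? '', 'Voided') === 0) {
        return null;
    }
    $txnId = $ipn['txn_id'] ?? '';
    // Sanity check on the value before it reaches the database (assumed format).
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $txnId) === 1 ? $txnId : null;
}

// Constructed IPN fields for the dummy order and its void (not real traffic).
$orderIpn = ['txn_id' => 'CONSTRUCTED0001', 'payment_status' => 'Pending'];
$voidIpn  = ['txn_id' => 'CONSTRUCTED0001', 'payment_status' => 'Voided'];

// A live handler would use: $verified = ipnIsVerified(file_get_contents('php://input'));
var_dump(referenceTokenFromIpn($orderIpn, true));
var_dump(referenceTokenFromIpn($voidIpn, true));
var_dump(referenceTokenFromIpn($orderIpn, false));
```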

Related

How to verify PayPal Express Checkout details on the server?

I'm just now trying to get up to speed with PayPal Express Checkout (i.e. checkout.js), using the client-side REST integration described here. I see that when payment is complete, my onAuthorize function is invoked with a "payment" object.
I can't find any documentation on this object, but some poking at it reveals the following properties (at least today):
paymentToken
payerID
paymentID
intent
returnUrl
Now I need to redirect the user to the next step on my website, where I show a receipt confirming they've paid, etc. I guess I send the above data to the server, but since that step could be easily spoofed by a malicious user, I will need to verify those details in the PHP code, server side.
How do I do that?
You can make a GET call on your server side to /v1/payments/payment/PAY-XXXXXX with the paymentID and the payerID to get the payment details, and verify those details there.
https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/
See https://developer.paypal.com/docs/api/overview/#make-your-first-call for some basics on calling the REST api from your server
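The server-side lookup this answer describes, as an added example that is not from the original answers: the payment is fetched from PayPal and compared with what the browser claimed and what the server recorded for the order. The function names, the order record layout and the sample response are assumptions, the OAuth token is obtained separately, and the payment is assumed to have been executed already so its state is approved.

```php
<?php
declare(strict_types=1);

// GET /v1/payments/payment/{id} with an OAuth bearer token obtained beforehand
// from the merchant's client credentials. $apiBase is the REST host in use.
function fetchPayment(string $apiBase, string $token, string $paymentId): array
{
    // The id comes from the browser, so constrain it before building the URL.
    if (preg_match('/^[A-Za-z0-9-]{1,64}$/', $paymentId) !== 1) {
        throw new InvalidArgumentException('unexpected paymentID format');
    }
    $ch = curl_init($apiBase . '/v1/payments/payment/' . $paymentId);
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    if (!is_string($body) || curl_getinfo($ch, CURLINFO_RESPONSE_CODE) !== 200) {
        throw new RuntimeException('payment lookup failed');
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Compare PayPal's record with the browser's claim and the stored order.
function paymentProblems(array $payment, string $payerId, array $order): array
{
    $amount = $payment['transactions'][0]['amount'] ?? [];
    $checks = [
        'state is not approved' => ($payment['state'] ?? '') === 'approved',
        'payer id mismatch' => ($payment['payer']['payer_info']['payer_id'] ?? '') === $payerId,
        'currency mismatch' => ($amount['currency'] ?? '') === $order['currency'],
        'total mismatch' => (int) round((float) ($amount['total'] ?? 0) * 100) === $order['total_minor'],
    ];
    return array_keys(array_filter($checks, fn ($ok) => !$ok));
}

// Constructed response body and order record (not real PayPal data).
$payment = json_decode('{"id":"PAY-CONSTRUCTED","state":"approved",
  "payer":{"payer_info":{"payer_id":"PAYERCONSTRUCTED"}},
  "transactions":[{"amount":{"total":"1.00","currency":"GBP"}}]}', true);
$order = ['currency' => 'GBP', 'total_minor' => 2500];

// The browser claims success, but PayPal's record shows 1.00 instead of 25.00.
print_r(paymentProblems($payment, 'PAYERCONSTRUCTED', $order));
```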
Assuming you are using PayPal Encrypted Buttons, you don't actually need to verify the amounts sent through server-side. Although a user could indeed manipulate the $_POST data, PayPal's got you covered, and won't allow the transaction to go through. This is because PayPal Encrypted Buttons are generated with your variables such as price built-in to the ID. If the variables don't align with those used to create the button, the transaction is denied.
Alternatively, if you are simply using your own code to make the request, you can secure the payments with PayPal's Instant Payment Notification. Again, this allows any $_POST data to be sent through for the payment. Afterwards, PayPal makes a call to your IPN page in order to validate that the parameters are correct. This is demonstrated in the following workflow:
When communicating with your IPN, if PayPal finds that the values don't match up, the order is cancelled. Assuming that the values match up, you can safely redirect them to your confirmation page.
Hope this helps! :)

PayPal Billing Agreement with further non regular Reference Transactions

I am implementing PayPal payment to my application.
I am using Laravel Framework and the merchant-sdk-php package to handle the NVP/SOAP API. I would actually prefer the REST API, but I need customers to make Reference Transactions with various amounts, in non-regular time periods, and as far as I know it's possible only with the NVP/SOAP API.
The payment flow in short:
1. Payer clicks the "connect" button, which creates a billing agreement using the "SetExpressCheckout" method. The amount is set to 0 and a Billing Agreement field is added to the request. The customer is redirected to PayPal, logs in to his account, agrees to direct debit and is finally redirected to my return URL.
2. After the response comes, the return action is fired (the one which is passed in the returnurl field). Next, using the token from the PayPal response, I use the CreateBillingAgreement method to get "BillingAgreementID", which I store in the database.
3. Using "BillingAgreementID" I make a "DoReferenceTransaction" request. No prompt to log in occurs; everything happens behind the scenes. Finally I get a response after the transaction.
The things I want to know are:
1. Is there a way to get the email address which the consumer used to log in when creating the billing agreement? I want to show in the application which PayPal account (related to the mentioned email) the direct debit is set to.
2. I want to perform some action in the database after both "BillingAgreementID" and "DoReferenceTransaction". Is the response status "Success", and additionally in "DoReferenceTransaction" the field "PaymentStatus" set to "Completed", enough to conclude that the transaction is fully completed and I can, i.e., share some digital goods, or should I wait for the IPN from this request?
Thanks for all contributions!
Found solution to question 1.
After getting the billing agreement id I had to make a "GetBillingAgreementCustomerDetails" action. In the response I got customer details including email.
Still watching for a hint on the second question.

A way to verify PayPal Account Status is Verified using PHP

Basically I want my users to associate a PayPal account with their accounts for identity verification purposes. I am developing a marketplace site and wanted to integrate PayPal as my identity verification procedure.
Is there a way to verify email address, first name and last name using PHP like using $_GET variables or $_POST variables? If there is can you show me how?
I tried searching and I found the Adaptive Accounts GetVerifiedStatus API. But that's totally new to me; I don't know where and how to start.
Your best bet here is to make them start, but not complete, an Express Checkout. A normal Express Checkout (referencing Classic but REST works the same way) looks like this
1. SetExpressCheckout - Tell PayPal you want to authorize $1.00 and have them log in and authorize the payment
2. GetExpressCheckoutDetails - Take the token from step 1 and get their PayPal account details. Included in this is PAYERSTATUS, which will tell you if their PayPal account is verified or not
3. DoExpressCheckout - You won't do this, but this is where you finish the process and get funds. Since the data you want is in Step 2, just ignore it and the session will expire.
You could implement the GetVerifiedStatus API to determine whether the specified PayPal account's status is verified or unverified.
To use that API, you need to submit the application request to PayPal for approval first. Submission portal link here.
Then use the GetVerifiedStatus API call directly; refer to API request fields, link.
Sample SDK download link.

How to use Paypal Standard in a web application with PHP

I'm looking for a way to build a web application using paypal payments standard. I'd like the user to get redirected to paypal, then fill out their information, and upon completion, add a value in our database saying that they successfully paid. I haven't found a solution or answer to this.
I found this thread for RoR, but didn't find anything for PHP
Paypal Website Payments Standard with a Ruby/Rails application
You can see instructions for a Payment Data Transfer at PayPal's site. Basically, you post the transaction amount and an ID token to their site, the customer pays on paypal.com, and then they're sent back to a pre-defined URL on your site with the transaction details.
I used the NVP API to do that.

How to keep PayPal variables secure

I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.
I'm very new to online carts and shopping, so my question is how do I keep this layer of exposure away from users and secure for the website?
The answer is in the Instant Payment Notification service.
Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.
You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.
Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.
If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.
There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:
https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4
Otherwise verify with IPN as mentioned by Jacco.
Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML.
Alternatively if you only have a couple of products you can make custom buttons.
The APIs are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both with the IPN (Instant Payment Notification) system so that, for example, digital products can be automatically emailed.
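The IPN check recommended in the answers above, as an added example that is not from the original answers: a message PayPal has already confirmed as VERIFIED is compared with the order saved before the buyer left the site, so an amount edited in the browser is caught before anything is fulfilled. The function name, the order and txn_id stores, and the sample messages are assumptions; invoice, mc_gross, mc_currency, receiver_email, payment_status and txn_id are standard IPN variables.

```php
<?php
declare(strict_types=1);

// Compare an IPN message that PayPal has already confirmed as VERIFIED with
// the order saved before the buyer left for PayPal. $orders and $seenTxnIds
// stand in for database tables (assumed schema).
function ipnProblems(array $ipn, array $orders, array $seenTxnIds, string $merchantEmail): array
{
    $order = $orders[$ipn['invoice'] ?? ''] ?? null;
    if ($order === null) {
        return ['unknown invoice'];
    }
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency differs from order';
    }
    // Compare in minor units to avoid float equality on "49.99".
    if ((int) round((float) ($ipn['mc_gross'] ?? 0) * 100) !== $order['amount_minor']) {
        $problems[] = 'amount differs from order';
    }
    // PayPal may resend a notification, so each txn_id is fulfilled only once.
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $problems[] = 'txn_id already processed';
    }
    return $problems;
}

// Constructed data: in $tampered the cart page was edited so the item cost 0.01.
$orders = ['INV-1001' => ['currency' => 'GBP', 'amount_minor' => 4999]];
$honest = ['invoice' => 'INV-1001', 'txn_id' => 'CONSTRUCTED0002',
           'payment_status' => 'Completed', 'mc_currency' => 'GBP',
           'mc_gross' => '49.99', 'receiver_email' => 'shop@example.test'];
$tampered = ['mc_gross' => '0.01'] + $honest;

print_r(ipnProblems($honest, $orders, [], 'shop@example.test'));
print_r(ipnProblems($tampered, $orders, [], 'shop@example.test'));
print_r(ipnProblems($honest, $orders, ['CONSTRUCTED0002'], 'shop@example.test'));
```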
