Category Archives: Engineering

Feature Release: Credential Rotation on Developer Portal to Enhance App Security


At PayPal, we take security seriously. Since the client-secret in the API world is akin to your password in the web world, it is a well-known security best practice to regularly change the client-secret that your application uses. Regularly scheduled changes to the client-secret keep attackers at bay and ensure that your app is less vulnerable to being compromised.

To simplify the credential rotation process, we have now enabled this capability as a self-service feature on the developer portal. We hope that this feature will provide greater flexibility to our developers in rotating credentials per their own schedule.

Lifecycle of a client-secret at PayPal


Webhooks for Payouts


Today, we are delighted to launch the much-awaited Webhooks support for Payouts. Payouts is a highly convenient mechanism for processing mass payments across multiple accounts in a single API call. With this feature, you can now initiate a payout transaction and receive notifications on your webhook URLs for the Processing, Success and Denied scenarios.

Merchants and developers can now subscribe to and receive notifications for the following events:

  1. Payment payoutsbatch processing
  2. Payment payoutsbatch success
  3. Payment payoutsbatch denied

Payouts Processing


Introducing the Webhooks Dashboard


Today, we’re excited to announce the Webhooks Dashboard release, which is now available on PayPal Developer Portal. The dashboard comes with a rich feature set providing developers the necessary tools for easier integrations.

With this release, developers can now perform the following functions on the dashboard:

  1. Search Webhook events based on an application
  2. Resend a notification on a single click
  3. Access the payload on an event click
  4. Filter events based on a selected date range
  5. Robust pagination to simplify navigation across events

Search Webhook events based on an Application


The New API Transactions Dashboard


The new Transactions dashboard, launched recently, is also referred to as “API call history”. It provides histories of the transactions (API calls) made by applications in the sandbox and live environments. It provides details such as the date of the transaction, type of the transaction, status, amount, as well as the details of the API call, such as the request and response messages.

The new dashboard has many features:

  • Displays history of all PayPal REST APIs.
  • Shows API call details like HTTP status code, request, response and headers to help with diagnostics.
  • Provides the ability to browse and find details quickly through pagination and filters.
  • Has 10x better performance.

Live Transactions Dashboard

An example of the live transactions dashboard is shown below:

Live Transactions Dashboard

The live dashboard displays the following:

  • HTTP status
  • Resource URI that was invoked
  • Transaction ID
  • Transaction Date

You can browse transactions for all your applications and filter transactions based on the application name. The dashboard also gives you the ability to view the details of a transaction. By clicking a transaction in the table above, you will see a popup like the one below:

Live Transactions Metadata

It has the following fields:

  • Metadata – Metadata about the transaction
  • Request – HTTP request, including headers
  • Response – HTTP response, including headers

Sandbox Transactions Dashboard

An example of the sandbox transactions dashboard is shown below:

Sandbox Transactions Dashboard

The sandbox transaction dashboard is similar to the live transaction dashboard, except that you can also filter the transactions based on the sandbox account. Since a developer can have multiple sandbox accounts associated with multiple sandbox applications, filtering on the basis of either a sandbox account email or an application can help you quickly find the transaction you are looking for.

Miscellaneous Information

The new dashboard can be accessed via the following links:

Author: Rahul Panjrath
About the author: I am a Software Engineer @Braintree|PayPal since April 2014, part of the team responsible for https://developer.paypal.com. Coding is my passion and I love to break things daily ;). I graduated from San Jose State University and I have been in the software industry coding for almost 9 years, and I am still learning new things every day. That’s the best part, and it makes me love the work I do. I specialize in web programming, REST API development, TDD, etc.

I can be reached at:

PayPal’s API Style Guide


About the author: Jason Harmon is the former head of the API Design team at PayPal, helping development teams design high quality, usable APIs across the platform. He blogs at apiux.com, and has a YouTube channel, API Workshop (https://www.youtube.com/channel/UCKK2ir0jqCvfB-kzBGka_Lg).

Since 2013, PayPal has been developing a new generation of APIs, using REST semantics. While our public API developer community has seen the outward effects of this, internally we’ve been using the same strategy. Since 2013, we’ve defined most of the PayPal platform using REST APIs.

As part of the team guiding this engineering-wide project (we call it PPaaS aka “PayPal as a Service”), our API Design team has had the privilege to work with a huge number of development teams. We consult with development teams on API design to ensure the broadest consistency, sound usability, and a myriad of other concerns.

During the process of collaborating on hundreds of API designs, we’ve developed a detailed set of internal standards. With the size of our team, it’s important to provide some level of detail, so that our developers building APIs have clear guidance. However, with all the detail we’ve provided, it can get a little tough to get started learning what good API designs look like. In an attempt to capture the basics, and provide an overview of our Standards, we’ve composed our API Style Guide. Rather than keeping this within our internal developer community, we removed any internal or proprietary references, and made it something anybody could use as a set of API design guidelines. A handful of other organizations, such as Heroku and The White House, have shared their standards as well.

The hope is that more organizations that are passionate about APIs will share their design guidelines. This can only improve the consistency of the API space. While there are many books on the subject, looking at popular APIs is often the first place new API developers get started. Often this leads to guessing why a design works the way it does. By providing Standards or a Style Guide, new API developers can get a better sense of the rationale behind a functioning design.

We’ve published PayPal’s API Style Guide on GitHub. Most of the examples provided are based on our REST APIs, which you can find out more about on developer.paypal.com.

PayPal SSL Certificate Changes


To continue our policy of ensuring the highest level of security for our merchants, developers, and consumers, PayPal is making upgrades to the SSL certificates on all web and API endpoints.

Merchants and developers will need to ensure that all required upgrades are implemented, as described below, to prevent an outage to your payment processing, Instant Payment Notifications (IPN) services, or other API service connections.

Why are These Changes Needed?

Due to security concerns over advances in computing power, the industry is phasing out 1024-bit SSL certificates (G2) in favor of 2048-bit certificates (G5), and is moving to a stronger hash algorithm for certificate signatures, SHA-2 (256), in place of the older SHA-1 standard.

Since Chrome is deprecating support for SHA-1 by the end of 2015, and all support for SHA-1 will be deprecated by the end of 2016, we need to act soon to implement these changes.

During the upgrade, we will ensure that all SSL certificates meet the following standards:

  • Discontinue support for secure connections that require validation with the VeriSign G2 Root Certificate; only validate with the VeriSign G5 Root Certificate.
  • Use a stronger algorithm by upgrading from SHA-1 to SHA-2 (256).

Who will be Impacted?

The main impact of these changes is to merchants and developers with an integration that does not use the new VeriSign G5 Root Trust Anchor, or those whose hardware / software does not support the SHA-256 signing algorithm.

If you are unsure if you fall into one of these categories, please contact the company / developer who assisted with your original integration. Typically these integrations may come through a 3rd party cart system (e.g. Zen Cart), hosting company (e.g. GoDaddy), or individual developer.

Please click here for a complete rollout schedule for the upgrades on PayPal.

How to Update to Prevent Service Outage

To prepare for these changes, please use the checklist below to ensure everything has been upgraded completely:

  • Talk to the technical contact or 3rd party partner that you used to create the checkout.
  • Save the VeriSign G5 Root Trust Anchor in your keystore.
  • Upgrade your environment to support the SHA-256 signing algorithm.
  • Perform end-to-end testing of the integration against the Sandbox / Payflow Pilot environment (including Instant Payment Notifications (IPN), Payment Data Transfer (PDT), and Silent Posts).

Upgrading is not required if you are using Website Payments Standard (the “Buy Now” buttons), or Payflow webapps only.
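As an added pre-flight check for the checklist above (not part of the original post or of PayPal's tooling), the following Python audits the text dump that `openssl x509 -noout -text` produces for each certificate in a chain and flags SHA-1 signatures, keys shorter than 2048 bits, and issuance under a G2 root. The sample chain text, issuer names and the name-based G2 check are constructed for illustration.

```python
"""Audit `openssl x509 -text` output against the SSL upgrade checklist:
SHA-256 signatures, 2048-bit keys, no G2 root in the chain."""
import re
from dataclasses import dataclass, field

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
KEY_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+)$", re.M)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.M)


@dataclass
class CertFinding:
    subject: str
    issuer: str
    sig_alg: str
    key_bits: int
    problems: list = field(default_factory=list)


def audit_cert_text(text: str) -> list:
    """Return one CertFinding per 'Certificate:' block in the openssl text dump."""
    findings = []
    for block in re.split(r"(?m)^Certificate:", text)[1:]:
        sig, key = SIG_RE.search(block), KEY_RE.search(block)
        issuer, subject = ISSUER_RE.search(block), SUBJECT_RE.search(block)
        f = CertFinding(
            subject=subject.group(1).strip() if subject else "?",
            issuer=issuer.group(1).strip() if issuer else "?",
            sig_alg=sig.group(1) if sig else "?",  # first match is the TBS field
            key_bits=int(key.group(1)) if key else 0,
        )
        if "sha1" in f.sig_alg.lower() or "md5" in f.sig_alg.lower():
            f.problems.append(f"weak signature hash {f.sig_alg}; SHA-256 required")
        if 0 < f.key_bits < 2048:
            f.problems.append(f"{f.key_bits}-bit key; 2048-bit required")
        if re.search(r"\bG2\b", f.issuer):  # heuristic on the issuer name (assumption)
            f.problems.append("issued under a G2 root; G2 validation is being discontinued")
        findings.append(f)
    return findings


# Constructed sample: a legacy chain and an upgraded one, in openssl -text layout.
SAMPLE_CHAIN_TEXT = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example Trust, CN=Example Root CA - G2
        Subject: CN=api.example.test
        Subject Public Key Info:
                Public-Key: (1024 bit)
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example Trust, CN=Example Root CA - G5
        Subject: CN=api.example.test
        Subject Public Key Info:
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE_CHAIN_TEXT):
        print(finding.subject, "<-", finding.issuer, finding.problems or "OK")
```

To audit a live endpoint, pipe the chain from `openssl s_client -showcerts` through `openssl x509 -noout -text` per certificate and feed the combined text to `audit_cert_text`.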

Testing Your SSL Certificate Upgrade

Any tests that are currently run against PayPal Sandbox endpoints will require a VeriSign G5 root certificate, so you can test your upgrades by making requests against the Sandbox environment using the following steps:

Testing Your SHA-256 Algorithm Upgrade

SHA-256 testing has been available since April 8th using the Payflow Pilot, and testing will also be available against the PayPal Sandbox in Q1 2016.

Need More Information, or Running into Problems Upgrading?

For technical upgrade information, please see the merchant security system upgrade guide.

Every integration is unique, and unexpected issues can always arise. If you are running into problems with the upgrade, PayPal MTS is available to assist with any specific errors or problems that might arise.