Create and Manage NVP/SOAP API Credentials


Last updated: Sept 18th, 5:50pm

When you call PayPal NVP/SOAP APIs, you must authenticate each request through a set of API credentials. PayPal associates these credentials with a PayPal account. You can generate credentials for any PayPal Business or Premier account.

Types of credentials

All PayPal API certificate credentials are 2048-bit, SHA-256 certificates that expire every three years.

The NVP/SOAP APIs support:

  • API certificates

    Contain the API user name and password and the certificate.

    PayPal recommends that you use certificate credentials for security reasons. See API certificates.

  • API signatures

    Contain the API user name and password and the signature. See API signatures.

API certificates

Learn how to create and manage certificate API credentials.

Create API certificates

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox merchant account.

  2. Hover over your name and then click Account Settings from the dropdown menu.

  3. On the Account access page, click Update for the API access item.

  4. Click Manage API Credentials in the NVP/SOAP API Integration (Classic) section.

  5. On the Request API certificate page, select Request API certificate.

    Then, click Agree and Submit.

    The Manage API certificate page appears.

  6. Click Download Certificate.

The cert_key_pem.txt file contains the certificate. Save the file to a secure location.

PayPal formats the API certificate file in PEM format. The file contains both your public certificate and the associated private key. Although the PEM certificate is not human readable, the file is not encrypted. For details, see Encrypt your certificate.

Renew API certificates

To prevent an interruption in API services, you must renew and replace your certificate before it expires.

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox business account.

  2. Hover over your name and then click Account Settings from the dropdown menu.

  3. On the Account access page, click Update for the API access item.

  4. Click Manage API Credentials in the NVP/SOAP API Integration (Classic) section.

  5. Check the status of your API certificate to verify whether it is Active or Expires soon.

  6. If the status is Expires soon, click Renew Certificate.

    This action generates an additional certificate with the Active status. The Manage API certificate page shows both certificates.

  7. On the certificate marked as Active, click Download Certificate and follow the steps to download a certificate.

After you import the new API certificate, test your integration to ensure it works with the certificate. Distribute your certificate to all affected partners. After the old certificate expires, click Remove Certificate to remove the certificate.

Encrypt API certificates

The PayPal SDKs for Java and ASP.NET require that you encrypt the certificate into PKCS12 format before you can use it with the SDKs.

The steps to encrypt your certificate require the OpenSSL encryption tool. While UNIX users likely have this tool installed with their operating system, Windows users must download OpenSSL. To install OpenSSL, accept the defaults.

  1. In a command prompt, ensure that the OpenSSL bin directory is in your system path. If not, add it to your path.

  2. Change directories to the location of the certificate to encrypt (cert_key_pem.txt) and run:

      openssl pkcs12 -export -in cert_key_pem.txt -inkey cert_key_pem.txt -out paypal_cert.p12

    The paypal_cert.p12 file contains your encrypted API certificate.
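
The handling steps around this command, as an added example that is not PayPal's own tooling: it confirms that cert_key_pem.txt holds an unencrypted private key, restricts the file to its owner, checks how long the certificate remains valid, and runs the same PKCS12 export with the password taken from an environment variable. The function names, the P12_PASS variable and the self-signed sample bundle are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not PayPal tooling. Function names and the P12_PASS
# environment variable are assumptions made for this sketch.

# Constructed stand-in for a downloaded cert_key_pem.txt: self-signed,
# 2048-bit, SHA-256, valid three years, private key left unencrypted.
make_sample_bundle() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1095 \
        -subj '/CN=constructed-sample' -keyout "$1.key" -out "$1.crt" \
        2>/dev/null && cat "$1.crt" "$1.key" > "$1" && rm -f "$1.crt" "$1.key"
}

# Succeeds when the bundle carries a private key with no passphrase on it.
pem_key_is_plaintext() {
    grep -Eq -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" &&
        ! grep -q -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Make the file readable and writable by its owner only; print the new mode.
lock_down() {
    chmod 600 "$1" && ls -l "$1" | cut -c1-10
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# PKCS12 export; the password comes from P12_PASS so it is never typed on the
# command line, and umask 077 keeps the output private to the owner.
export_p12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$1" -out "$2" \
          -passout env:P12_PASS )
}

# Succeeds when the .p12 opens with P12_PASS; prints no key material.
p12_opens() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}
```

Export P12_PASS in the calling shell before running export_p12 or p12_opens, and unset it afterwards.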

Install API certificates for ASP.NET

If you are developing with the PayPal SDK for ASP.NET, Windows requires that you:

For more information, see the PayPal How do I import my certificate into the Windows key store? knowledge base article.

API signatures

To create an API signature:

  1. For live credentials, log in to your PayPal business account at www.paypal.com.

    For test credentials, log in to the PayPal sandbox at www.sandbox.paypal.com with a sandbox business account.

  2. Hover over your name and then click Account Settings from the dropdown menu.

  3. On the Account access page, click Update for the API access item.

  4. Click Manage API Credentials in the NVP/SOAP API Integration (Classic) section.

  5. Select Request API signature. Then, click Agree and Submit.
