DoAuthorization returns "Permission denied" error

0
votes

We're developing a marketplace where buyers and sellers meet to trade (something similar to Ebay). We want to support paying via PayPal and we don't intend to take any service fees. Since we're a startup any overhead paperwork for us is excess so we've decided that any PayPal transaction is between buyers and sellers directly.

However, we want to have accept/deny mechanism for sellers so they have to manually approve each and every order (in case some items are out of stock in their physical store etc.). After order is accepted, money should be transferred to the seller.

After a lot of thinking and reading PayPal documentation, we've decided to go with Express Checkout using auth/capture and parallel payment concepts. We've successfully integrated Express Checkout and everything works until calling DoAuthorization API which unfortunately fails. Everything we've done so far is inside PayPal Sandbox.

To give you a picture how our communication with PayPal's endpoint works, here is what we're doing (only important fields will be shown):

  1. call SetExpressCheckout having PAYMENTREQUEST_0_PAYMENTACTION=Order and PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID={seller's PayPal email address}
  2. redirect buyer to RedirectURL to authorize payment
  3. call GetExpressCheckoutDetails to get info about payment
  4. call DoExpressCheckoutPayment having PAYMENTREQUEST_0_PAYMENTACTION=Order

Here we got info about transaction with status "Pending" which seems that everything is OK up to this point (transaction is also visible in the seller's PayPal account with the status "Pending"). Now according to documentation available we need to call DoAuthorization in order to complete auth process. However, after calling DoAuthorization we're facing an error saying:

[L_ERRORCODE] => 10007
[L_SHORTMESSAGE] => Permission denied
[L_LONGMESSAGE] => You do not have permissions to make this API call
[L_SEVERITYCODE] => Error

Here is what we're sending and receiving with DoExpressCheckoutPayment and DoAuthorization API calls (only important sections will be displayed):

DoExpressCheckoutPayment

Request

[REQUESTDATA] => Array
    (
        [USER] => {our API username}
        [PWD] => {our API password}
        [VERSION] => 98.0
        [BUTTONSOURCE] => AngellEYE_PHPClass
        [SIGNATURE] => {our API signature}
        [METHOD] => DoExpressCheckoutPayment
        [TOKEN] => {token we got from SetExpressCheckout}
        [PAYERID] => {payer ID we got from GetExpressCheckoutDetails}
        [RETURNFMFDETAILS] => 1
        [NOSHIPPING] => 1
        [PAYMENTREQUEST_0_AMT] => 123
        [PAYMENTREQUEST_0_ITEMAMT] => 23
        [PAYMENTREQUEST_0_SHIPPINGAMT] => 100
        [PAYMENTREQUEST_0_CURRENCYCODE] => EUR
        [PAYMENTREQUEST_0_DESC] => Order #54
        [PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID] => {seller's PayPal email address}
        [PAYMENTREQUEST_0_PAYMENTACTION] => Order
    )

Response

[PAYMENTS] => Array
    (
        [0] => Array
            (
                [TRANSACTIONID] => {we get some transaction ID here}
                [TRANSACTIONTYPE] => expresscheckout
                [PAYMENTTYPE] => None
                [ORDERTIME] => 2014-01-15T22:43:19Z
                [AMT] => 123.00
                [FEEAMT] =>
                [SETTLEAMT] =>
                [TAXAMT] => 0.00
                [EXCHANGERATE] =>
                [CURRENCYCODE] => EUR
                [PAYMENTSTATUS] => Pending
                [PENDINGREASON] => order
                [REASONCODE] => None
                [PROTECTIONELIGIBILITY] => None
                [ERRORCODE] => 0
            )
    )

DoAuthorization

Request

[REQUESTDATA] => Array
    (
        [USER] => {our API username}
        [PWD] => {our API password}
        [VERSION] => 98.0
        [BUTTONSOURCE] => AngellEYE_PHPClass
        [SIGNATURE] => {our API signature}
        [METHOD] => DoAuthorization
        [TRANSACTIONID] => {transaction ID we got from DoExpressCheckoutPayment}
        [AMT] => 123
        [CURRENCYCODE] => EUR
    )

Response

[ERRORS] => Array
    (
        [0] => Array
            (
                [L_ERRORCODE] => 10007
                [L_SHORTMESSAGE] => Permission denied
                [L_LONGMESSAGE] => You do not have permissions to make this API call
                [L_SEVERITYCODE] => Error
            )
    )

After spending a week trying to get this to work, googling and going through all available documentation trying to find if we have to have permissions to call DoAuthorization API, we're clueless. We're sorry if this question is too long but we wanted you to have the full picture on what's going on and how we handle things with PayPal API. If knowledgable person could shed some light onto this issue, we'd be thankful.

2
phppaypal
Glad to see you're using my library. Just so you know, I recently updated the Github repo and will be using that from here on. I have made some directory structure changes, though, so depending on which version you're currently using you may need to make a couple of adjustments if you update your existing project. - Drew Angell
Thanks for the heads up. It's certainly the most complete PHP library for PayPal today on the Internet. I just hope PayPal will complete REST API soon as I'm a huge fan of REST architecture. - choxnox

2 Answers

1
votes

Typically that sort of an error means exactly what it says, and your PayPal account simply doesn't have permissions to make that particular call.

Are you specifically wanting to place the funds on hold? You could run DoCapture to capture the order directly without the need to do the authorization in between, but order authorizations don't actually hold funds, so that's an important part of your puzzle you'll need to contact PayPal about why you're getting that error.

You can submit a ticket to www.paypal.com/mts and that goes directly to the tech support. They've been doing better lately about getting back to tickets more quickly, so I'd try that for sure.

In the mean-time you can give the phone support a try, however, the general phone reps tend to not know how to solve stuff like this and can just end up causing more confusion.

In either case, just let them know you're trying to make a call to the DoAuthorization API but you're getting this error and they should be able to help track down the issue and get you taken care of.

If you continue having trouble getting help let me know and I can reach out to some of my contacts at PayPal directly.

1
votes

Ok, I have an update (sort of). We've got a response from PayPal MTS telling us to include SUBJECT field when calling DoAuthorization and fill it with the same value as PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID which is basically seller's PayPal email address. We did it and this time we get the following response from DoAuthorization API:

[ERRORS] => Array
    (
        [0] => Array
            (
                [L_ERRORCODE] => 10002
                [L_SHORTMESSAGE] => Authentication/Authorization Failed
                [L_LONGMESSAGE] => You do not have permissions to make this API call
                [L_SEVERITYCODE] => Error
            )

    )

So error code went from 10007 to 10002. Now we're still waiting for the second response from PayPal MTS but in the meantime we've narrowed the issue down and it appears the problem is with our API credentials (username, password and signature).

Basically we used our API credentials to go through SetExpressCheckout, GetExpressCheckoutDetails and DoExpressCheckoutPayment to receive transaction ID to be used with DoAuthorization API. Now instead of calling DoAuthorization with our API credentials (which will fail), we've tried to call it from: http://quar.me/paypal/api/nvp/doauthorization (using API credentials found on this website). To our surprise it worked, and the transaction has been authorized (and later captured) successfully. Then we copied API credentials from that website to our application to verify if it works, and I can confirm it does.

We're now puzzled same as the first time. I'll update this answer when we get a response from PayPal MTS. In the meantime, if someone has any idea what's wrong, feel free to respond.

Update [21-01-2014]

We've got response from PayPal MTS guy. The problem is somehow strange; in order to call DoAuthorization/DoVoid/DoCapture etc. API calls, seller needs to grant Auth/capture permissions to the API username. OK, let's say this is regular.

What's strange is that:

  1. The need to request permissions for these API calls is nowhere mentioned in the documentation.
  2. If permissions need to be granted from seller, how come API credentials found here work without ever requesting Auth/capture permissions? We've even successfully generated transaction ID with our API credentials and then authorized payment with API credentials from aforementioned website.

Update [22-01-2014]

OK, we've settled the issue with PayPal MTS. Reason for getting back these errors is the fact that each seller needs to give permission to our API username in order for us to be able authorize/capture payments. These can be achieved either by seller manually giving permissions, or via Permissions API.