I have a vendor who will be collecting money for our organization for an event. They will collect via paypal. They are asking for my api username, password, signature. We want them to be able to collect money and put it in our paypal account, but not may payments, withdraw money, etc.
It seems giving the api credentials is giving them too much access. Can you advise?
Bob
Simple answer is no, I wouldn't share your API credentials. You can do as Kevin mentioned, or if they insist on using the APIs instead of Standard buttons then they can use the Permissions API to setup a way for you to grant permission for their app to make calls on your behalf. That way they use their own API credentials, but can specify using a token or subject in the API request where the money should be sent.
EDIT
One more thing to add here. You can grant permissions for their app from within your profile so they don't have to build into the actual permissions API, which would be used for when they're expecting lots of users to be using their app. If it's just you, probably easier to go ahead and grant them permissions in your account manually.
If your vendor is using a website to collect money you can simply create a 'payment button' for your account wich they can place on their website. No need for API. All payments will be made to your PayPal account and they can't access anything.
We want them to be able to collect money and put it in our paypal account
If you do it with this 'payment button' the highlighted will be automated since it is direcly stored toward your paypal account.
https://www.paypal.com/us/cgi-bin/webscr?cmd=_singleitem-intro-outside for a 'payment button'. Remember that payments can be refunded.If you want people to 'donate' since the vendor is collecting money you can better use a 'donate button' found here https://www.paypal.com/us/cgi-bin/webscr?cmd=_donate-intro-outside since people cannot refund their donation once they transferred the money.
No, you should NEVER share your PayPal credentials; the holders of those credentials are treated as/assumed to BE you, not just someone acting on your behalf. See here how the vendor or service provider should be using their own api username/password/signature and should be requesting permission (specific permissions!) from you to act on your behalf:
https://developer.paypal.com/docs/classic/permissions-service/ht_permissions-invoice/
Thank you for the answers. This is exactly what I thought - I just wanted to make sure I was not missing something. I'm very familiar with paypal buttons. But I think they have an application that captures registration information so a simple button does not work. However, this is clearly not an approach that I'm comfortable with. -Bob
