PayPal currently accepts both GET and POST HTTP methods on our classic NVP/SOAP APIs, used for Express Checkout, Website Payments Pro, MassPay, and Button Manager. Going forward, PayPal will allow the use of the POST request method only for these APIs. This change will not impact the behaviors of our other API products, such as REST and Adaptive APIs.
To avoid any disruption of service, you must verify that your systems are ready for this change by June 2018.
PayPal is committed to providing the highest level of security to protect customer and transactional data, and we work closely with our merchant community to do the same. In response to feedback from several merchants, PayPal did not strictly enforce some of these vital security upgrades before the June 2017 deadline. However, in order to provide the most secure experience for all of our customers, PayPal must proceed with implementing these upgrades in the first half of 2018. To help merchants understand the areas of their integration that still require work, in March we will conduct brief rounds of testing to demonstrate the upgraded security experience. A complete list of testing dates and times is available on the Merchant Security Upgrade Testing Microsite.
About Classic NVP/SOAP APIs
In most cases, PayPal’s classic APIs are integrated using either the Name-Value Pair (NVP) or Simple Object Access Protocol (SOAP) protocol and use PayPal’s api* endpoints (such as “api-3t.paypal.com”). These NVP/SOAP APIs are used for Express Checkout, Website Payments Pro, MassPay, and Button Manager. You can determine if a request is using an NVP/SOAP API by looking at the URL used for the request to see if it matches these criteria:
For more details, including a full list of API operations, see the following FAQs, as well as the NVP and SOAP API Reference documentation on the Developer Portal.
Sandbox Endpoints - Ready Now
The Sandbox environment will allow the use of the POST method only for classic NVP/SOAP API requests:
Production Endpoints - Ready after June 2018
The Production environment will allow the use of the POST method only for classic NVP/SOAP API requests:
What happened to the Temporary Sandbox endpoints?
Do not use the following test endpoints, which were made available before the Sandbox endpoints were updated:
What is the difference between the GET and POST HTTP request methods?
GET is used to request data, while POST is used to submit data to a specified resource. From a security perspective, the key difference is that GET requests pass parameters in the URL and can be cached. For more details about GET vs. POST, see the w3schools website.
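The sketch below is an added example, not PayPal code. It builds the same NVP call as a GET and as a POST to show which credential fields end up in the URL, then scans outbound proxy log lines for GET calls to api* hosts. The /nvp path, the field names USER, PWD, and SIGNATURE, the log format, and all sample values are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

ENDPOINT = "https://api-3t.paypal.com/nvp"  # host from the page; /nvp path assumed
SENSITIVE = {"USER", "PWD", "SIGNATURE"}     # assumed NVP credential field names
# Constructed placeholder values, not real credentials.
PARAMS = {"USER": "merchant_api1.example.com", "PWD": "EXAMPLE-PWD",
          "SIGNATURE": "EXAMPLE-SIG", "METHOD": "GetBalance", "VERSION": "204.0"}

def build_get(params):
    """Legacy style: every field, credentials included, rides in the URL."""
    return Request(f"{ENDPOINT}?{urlencode(params)}", method="GET")

def build_post(params):
    """Required style: fields travel in the request body, the URL stays bare."""
    return Request(ENDPOINT, data=urlencode(params).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def exposed_fields(url):
    """Credential field names visible in a URL's query string."""
    return sorted(SENSITIVE & set(parse_qs(urlsplit(url).query)))

# Matches "timestamp METHOD url" where the host is api*.paypal.com.
LOG_LINE = re.compile(r"^(\S+) (GET|POST) (https://api[^/\s]*\.paypal\.com/\S*)$")

def audit(lines):
    """Return (timestamp, exposed fields) for each GET call to an api* host."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group(2) == "GET":
            findings.append((m.group(1), exposed_fields(m.group(3))))
    return findings

# Constructed outbound-proxy log lines in a made-up "time method url" format.
SAMPLE_LOG = [
    "2018-03-01T10:00:00Z GET " + build_get(PARAMS).full_url,
    "2018-03-01T10:00:05Z POST " + build_post(PARAMS).full_url,
    "2018-03-01T10:00:09Z GET https://www.example.com/health",
]

if __name__ == "__main__":
    for ts, fields in audit(SAMPLE_LOG):
        print(f"{ts}: GET to NVP endpoint exposes {fields} in the URL")
```

Any integration that the audit flags should move its parameters into the POST body, and credentials that have already appeared in logged URLs should be treated as exposed.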
Why is the PayPal REST API not impacted?
The REST API uses the various HTTP request methods as part of the API design. The GET method is used to request details about an object. Because API credential information is passed as HTTP headers, the risk associated with the caching of GET requests is reduced.
What are the specific API operations affected by this change?
Express Checkout API Operations
Mass Payments API Operation
Website Payments Pro API Operations
Button Manager API Operations
For more help, go to https://www.paypal-techsupport.com.