
Confused about Paypal REST API, NVP and granting permissions


I'm a little confused about the PayPal API, the order in which it works, and the relationship between REST and NVP.

My requirement is to access a customer's PayPal account, look up sales and perform refunds for them. I don't want them to have to log in every time, but I don't want them to have to log into their own PayPal account and fiddle with the complicated API credential section to grant my application rights - this is too complex for the average user.

What I do want to do is to forward them to a PayPal page that they sign into, which grants me access to their PayPal account indefinitely with a security token.

I've implemented the Identity routines (https://developer.paypal.com/docs/api/identity/), which allow me to get a renewable refresh_token and access_token; however, I've realised that this only grants me access to basic profile information (I think?!), as calls to /refund fail with an invalid scope.

What I don't understand is why PayPal's REST API has documentation for Sale/Refund via /v1/payments/sale/sale_id/refund, but when I try to use it with the access_token from the identity routines, it tells me I don't have the correct scope. It seems like the user has to authorise this every time via a redirection to PayPal?!

I've also found the 'classic' Permissions API, which appears to let me do what I want to do (https://developer.paypal.com/docs/classic/permissions-service/integration-guide/PermissionsAbout/); however, it seems to use the classic NVP methods of PayPal. I was hoping to use REST and keep it all modern.

The permission section does mention a method called 'GetAccessToken' (https://developer.paypal.com/docs/classic/api/permissions/GetAccessToken_API_Operation/), which appears to return an access token - can this access token then be used in the REST API where it requires an access_token (Authorization: Bearer Access-Token)?

Do I use the NVP Permission (https://svcs.paypal.com/Permissions/RequestPermissions) to grant myself access via logon, then use GetAccessToken in classic PayPal to get myself a token for the REST APIs?!

Would someone kindly give me an overview of how to achieve this? Grant my application permissions, then perform a refund on a sale (preferably using the REST API).

Thanks!


Solution

  • REST is going to be out of the question -- there's no REST API to pull a list of transactions from the account, so it won't work for what you need it to do.

    The Permissions Service would be the appropriate route to go to get permissions to the customer's account. You'll need to be sure you ask for TRANSACTION_SEARCH, TRANSACTION_DETAILS, and REFUND permissions in order to provide the functionality you described.

    The access token returned by the Permissions Service isn't the same as the access token used by the REST APIs, due to the fact that the Permissions Service is older and predates the REST APIs. It's actually closer to an OAuth 1 implementation (though it's not exactly). The merchant SDKs have the necessary methods built into them to take the token and token secret (that you'll get back from the Permissions Service) and turn them into the necessary headers needed to run calls on behalf of the customer's PayPal account.
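The following is an added example, not code from the question, the answer or PayPal's SDKs. It walks the classic Permissions Service flow the answer describes offline: build the RequestPermissions body with the three scopes named above, parse the NVP reply for the request token, build the page the customer is sent to, build the GetAccessToken body, then check which of the required scopes the customer actually granted before storing the token and token secret. The RequestPermissions endpoint and the three scope names are from the page; the field names requestEnvelope.errorLanguage, callback, verifier and tokenSecret, and the cgi-bin/webscr grant URL, are assumed from the classic documentation rather than taken from this page. All response bodies are constructed samples; nothing here makes a network call or signs a request, because the per-call authorization header is exactly the part the answer leaves to the merchant SDK.

```python
"""Offline walk-through of PayPal's classic Permissions Service flow.

Added example for this Q&A; it is not PayPal's SDK. Endpoint and scope names
come from the thread; other field names and the grant URL are assumptions
based on the classic docs. No network calls are made.
"""
from urllib.parse import parse_qsl, urlencode

# From the question: the Permissions Service base endpoint (NVP).
PERMISSIONS_ENDPOINT = "https://svcs.paypal.com/Permissions"
# Assumed: customer-facing page where the account holder approves the request.
GRANT_URL = "https://www.paypal.com/cgi-bin/webscr"
# From the answer: scopes needed to search, inspect and refund transactions.
REQUIRED_SCOPES = ("TRANSACTION_SEARCH", "TRANSACTION_DETAILS", "REFUND")
# Fields that must never reach application logs.
SECRET_FIELDS = frozenset({"tokenSecret"})


def request_permissions_body(callback_url, scopes=REQUIRED_SCOPES):
    """NVP body for RequestPermissions; scopes are indexed as scope(0), scope(1), ..."""
    pairs = [("requestEnvelope.errorLanguage", "en_US"), ("callback", callback_url)]
    pairs += [(f"scope({i})", scope) for i, scope in enumerate(scopes)]
    return urlencode(pairs)


def parse_nvp(body):
    """Parse a name=value&name=value response into a dict.

    keep_blank_values keeps fields PayPal returns empty instead of dropping them.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


def grant_redirect_url(request_token):
    """Where to send the customer so they can approve the requested scopes (assumed URL)."""
    query = urlencode([("cmd", "_grant-permission"), ("request_token", request_token)])
    return f"{GRANT_URL}?{query}"


def get_access_token_body(request_token, verifier):
    """NVP body for GetAccessToken, using the request token and the verifier
    PayPal appends to the callback once the customer approves."""
    return urlencode([
        ("requestEnvelope.errorLanguage", "en_US"),
        ("token", request_token),
        ("verifier", verifier),
    ])


def missing_scopes(access_token_response, required=REQUIRED_SCOPES):
    """Scopes from `required` that the customer did NOT grant.

    The customer can decline individual scopes, so a successful GetAccessToken
    does not by itself mean a later refund call will be authorised.
    """
    granted = {v for k, v in access_token_response.items() if k.startswith("scope(")}
    return set(required) - granted


def redact_for_log(fields):
    """Copy of a parsed response safe to log: token secret replaced."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in fields.items()}


# Constructed sample responses, shaped like the NVP replies, not real PayPal output.
SAMPLE_REQUEST_RESPONSE = "responseEnvelope.ack=Success&token=EXAMPLE-REQUEST-TOKEN"
SAMPLE_ACCESS_RESPONSE = (
    "responseEnvelope.ack=Success&token=EXAMPLE-ACCESS-TOKEN"
    "&tokenSecret=EXAMPLE-TOKEN-SECRET"
    "&scope(0)=TRANSACTION_SEARCH&scope(1)=TRANSACTION_DETAILS&scope(2)=REFUND"
)


def walk_through(callback_url="https://merchant.example/paypal/callback"):
    """Run the whole flow against the constructed samples and return the artefacts."""
    request_body = request_permissions_body(callback_url)
    request_token = parse_nvp(SAMPLE_REQUEST_RESPONSE)["token"]
    redirect = grant_redirect_url(request_token)
    # After approval PayPal calls back with request_token and verifier (sample value).
    access_body = get_access_token_body(request_token, "EXAMPLE-VERIFIER")
    access = parse_nvp(SAMPLE_ACCESS_RESPONSE)
    return {
        "request_body": request_body,
        "redirect": redirect,
        "access_body": access_body,
        "missing": missing_scopes(access),
        "loggable": redact_for_log(access),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The token and tokenSecret that come back are the long-lived credentials for the customer's account, so treat them like a password: store them encrypted at rest, log only the redacted form, and re-check `missing_scopes` before offering refund functionality, since a customer who unticked REFUND on the grant page will still receive a token.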