I'm writing a service (in .NET Core 3.1 and Refit if it matters) that pulls transaction activities from my PayPal business account for a given date range to use on an admin dashboard. Currently I'm following the tutorial here:
https://developer.paypal.com/docs/api/get-an-access-token-postman/
and here:
https://developer.paypal.com/docs/api/transaction-search/v1/
The first part, I can get an authorization key just fine (using curl or postman, curl below
curl --location --request POST 'https://api.paypal.com/v1/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <my client id>:<my secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
// not sure what this is, postman specific maybe?
--header 'Cookie: tsrce=devdiscoverynodeweb; ts=vr%3D0cee9361171ac120001362adffec14c3%26vreXpYrS%3D1679730671%26vteXpYrS%3D1585061694%26vt%3D0cee9390171ac120001362adffec14c2' \
--data-urlencode 'grant_type=client_credentials'
This gives me an auth token both in postman and my custom service just fine. Next, when I try to pull the transactions (both in Postman and in code), I get an error
cUrl:
curl --location --request GET 'https://api.paypal.com/v1/reporting/transactions?start_date=2020-03-01T00:00:00Z&end_date=2020-03-31T23:59:59Z' \
--header 'Authorization: Bearer <my token>' \
// Postman???
--header 'Cookie: tsrce=devdiscoverynodeweb; ts=vr%3D0cee9361171ac120001362adffec14c3%26vreXpYrS%3D1679730671%26vteXpYrS%3D1585061694%26vt%3D0cee9390171ac120001362adffec14c2'
Error:
{
"localizedMessage": "No permission for the requested operation. ",
"suppressed": [],
"name": "PERMISSION_DENIED",
"message": "No permission for the requested operation. ",
"details": [
{
"field": null,
"value": null,
"location": null,
"issue": "No permission for the requested operation. "
}
],
"information_link": "https://developer.paypal.com/docs/classic/products/permissions/",
"debug_id": "7e315038e8073"
}
The info link in the error starts talking about 3rd party permissions, which I'm not sure is applicable because it is my Business account. Anyone have any ideas? I checked transaction history on my app in PayPal, so I'm at a lost.
Thanks in advance
You need the scope https://uri.paypal.com/services/reporting/search/read .. if it's not there in the oauth2 response, double check your REST App's permissions and ensure that Transaction Search permission is enabled (box checked) there. If that was changed recently, see:
Existing access tokens are cached for 9 hours--so if you've been using the API in the past 9 hours and more recently enabled the Transaction Search permission for your app, it can take up to 9 hours for that permission's new scope to be reflected in the next access_token's generation.
To avoid waiting 9 hours, you can terminate the current cached token with:
curl -X POST https://api-m.sandbox.paypal.com/v1/oauth2/token/terminate \
-u "yourclientid:yoursecret" \
-d "token=REPLACE_WITH_YOUR_TOKEN"
After termination, your next call to get a token will get a newly-generated one, including the new scope that was just added to the REST app.