Tags: paypal, paypal-rest-sdk, paypal-subscriptions

PayPal checkout: Don't allow creation of orders/subscriptions with only Client ID


I'm working on integrating PayPal Subscriptions into my web app. I create the subscriptions server-side, but it's trivial for anyone to create a subscription, since all PayPal requires is the public Client ID. This is intended to allow (mostly) serverless transactions, but in my case it just feels like leaving part of my app exposed.

Is there any way to disable this?


Solution

    • Continue to use the clientId+secret that you have on the server side (or, create a new pair and deactivate your current pair, if you are paranoid)

    • Then, create a separate permissionless REST app for use from your buttons. Make sure it corresponds to the same sandbox account if testing in sandbox, and give it the name "no permissions" for clarity. In the app features section, uncheck everything.

      This new client ID will not be able to create orders or subscriptions, but can be used to present the buttons and approve ones that were created server-side.
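As an added example (not code from the question or the answer, and not PayPal's own SDK code), here is what that split looks like in JavaScript: the server creates the subscription with the privileged client ID and secret, while the browser loads the SDK with the permissionless client ID and only hands PayPal the id the server already created. The `/api/...` paths, the injected `post` and `fetchFromServer` callbacks, and the placeholder client IDs are assumptions so the flow can be exercised offline.

```javascript
// Added example: privileged credentials stay server-side; the buttons run
// under the "no permissions" client ID. Network calls go through injected
// callbacks (assumption) so nothing here needs a live PayPal connection.
const PAYPAL_API = "https://api-m.sandbox.paypal.com"; // sandbox base URL

// Server side only: clientId/secret never reach the browser.
async function createSubscriptionServerSide({ clientId, secret }, planId, post) {
  // 1. Exchange client ID + secret for an access token (HTTP Basic auth).
  const basic = Buffer.from(`${clientId}:${secret}`).toString("base64");
  const token = await post(`${PAYPAL_API}/v1/oauth2/token`, {
    headers: { Authorization: `Basic ${basic}`,
               "Content-Type": "application/x-www-form-urlencoded" },
    body: "grant_type=client_credentials",
  });
  // 2. Create the subscription for the plan; PayPal returns its id.
  const sub = await post(`${PAYPAL_API}/v1/billing/subscriptions`, {
    headers: { Authorization: `Bearer ${token.access_token}`,
               "Content-Type": "application/json" },
    body: JSON.stringify({ plan_id: planId }),
  });
  return sub.id; // only this id is handed to the browser
}

// Client side: the SDK script is loaded with the permissionless app, e.g.
//   <script src="https://www.paypal.com/sdk/js?client-id=NO_PERMISSIONS_CLIENT_ID&vault=true&intent=subscription">
// createSubscription asks our server for the id instead of calling
// actions.subscription.create(), which this client ID cannot do anyway.
function buttonConfig(fetchFromServer) {
  return {
    createSubscription: async () => {
      const res = await fetchFromServer("/api/create-subscription", { method: "POST" });
      return (await res.json()).id; // server-created id goes to the approval flow
    },
    onApprove: (data) => fetchFromServer("/api/activate", {
      method: "POST",
      body: JSON.stringify({ subscriptionID: data.subscriptionID }),
    }),
  };
}
```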