As a software developer, I’ve worked with a lot of APIs and developer tools over the years and had many good experiences and a few bad ones. The bad ones are where you waste a lot of time trying to get something to work and it just doesn’t do what it’s supposed to.
These kinds of things make you angry and make you resent the vendor, because they make you look bad as a developer and they cost you a lot of time, and time is money. The worst cases are those where you have no real choice: you have to use the vendor's products or APIs.
The latest bad experience I’ve had is with PayPal. Their developer sandbox just doesn’t work and it’s been eating up my time trying to make it work. I have followed the API documentation closely and am 100% sure I’m doing the right things in my code but it doesn’t work. Yet, how can I ignore PayPal if I want to implement e-commerce? I can’t because they are the most popular provider.
 
I simply have to get it working. Maybe I will have to test on their production site and then issue refunds. This is what some others have resorted to if you read their forums. You end up paying the transaction fees though even if you do issue refunds.
It’s a wonder to me that PayPal is so dominant given these shortcomings. I’ve implemented Google Checkout and Authorize.NET and they both worked as expected using their sandboxes.
I’ve created a Camtasia movie here showing the problems, but to summarize:
PayPal offers two products: PayPal Express Checkout and PayPal Pro / Direct Payment.
Direct Payment lets you charge the customer right from your own site by having them enter their credit card details there; enabling the service costs you $30/month. Express Checkout has no monthly fee, but customers have to pay on the PayPal site with their PayPal account.
Using the NVP (Name Value Pair) API to process Express Checkout, the process is:
Make a call to the PayPal NVP web service using the SetExpressCheckout call. You receive back a PayPal token, and then you redirect the user to PayPal, passing this same token. This call works as expected: you get the token and you redirect.
After the customer pays at PayPal, PayPal redirects them back to your designated page and passes the PayPal token again. It’s the same token as the one returned from the previous call to SetExpressCheckout.
Next, you are supposed to call GetExpressCheckoutDetails passing the same token back to PayPal. This call fails with the error “Security header is not valid”.
When you look this up or google it, it's supposed to mean that you did not pass the correct API credentials, but believe me, I'm passing the right credentials, and they are the same credentials that worked fine in the call to SetExpressCheckout.
If the call to GetExpressCheckoutDetails worked as it’s supposed to, the next step would be to call DoExpressCheckoutPayment which is where the order would be completed.
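The three-call flow above, written out as an added example (this is not the post's own code and not PayPal's). The transport is pluggable so the flow runs offline against FakeSandbox, a constructed stand-in that knows one valid credential set and answers any other credentials with the same error 10002 "Security header is not valid" failure the post describes; the endpoint URLs, the NVP field names (USER, PWD, SIGNATURE, VERSION, METHOD, TOKEN, PAYERID, AMT, ACK, L_ERRORCODE0 and so on) and the sample credentials, order and token format are assumptions drawn from the classic NVP API as I remember it, so check them against the current documentation before use. Beyond the happy path it shows the checks a merchant should apply at each step: the same credential dict is sent on every call, ACK is checked on every response and a Failure is raised with its error code and CORRELATIONID, the token in the return URL is bound to the one stored for the order rather than trusted, the amount and currency reported by GetExpressCheckoutDetails are compared with the order before capturing, and PAYMENTSTATUS is checked after DoExpressCheckoutPayment.

```python
# Added example: classic PayPal NVP Express Checkout flow with merchant-side checks.
# FakeSandbox is a constructed offline stand-in for the NVP endpoint, not PayPal code.
from urllib.parse import urlencode, parse_qs

# Assumed classic NVP signature endpoints and redirect URL; verify before use.
SANDBOX_API = "https://api-3t.sandbox.paypal.com/nvp"
LIVE_API = "https://api-3t.paypal.com/nvp"
SANDBOX_REDIRECT = "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token="


class NvpError(Exception):
    """ACK was neither Success nor SuccessWithWarning; carries PayPal's error code."""
    def __init__(self, code, message, correlation_id):
        super().__init__(f"{code}: {message} (CORRELATIONID={correlation_id})")
        self.code, self.message, self.correlation_id = code, message, correlation_id


def encode_nvp(fields):
    """Serialise a dict as an NVP request body (application/x-www-form-urlencoded)."""
    return urlencode(fields)


def decode_nvp(body):
    """Parse an NVP body into a flat dict (keys are not repeated in NVP responses)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


class ExpressCheckout:
    def __init__(self, creds, transport, endpoint=SANDBOX_API, version="56.0"):
        self.creds = creds          # dict with USER, PWD, SIGNATURE (sandbox set for sandbox endpoint)
        self.transport = transport  # callable (endpoint, request_body) -> response_body
        self.endpoint, self.version = endpoint, version

    def call(self, method, **fields):
        """One NVP round trip: same credentials on every call, ACK checked, failure raised."""
        req = {"METHOD": method, "VERSION": self.version, **self.creds, **fields}
        resp = decode_nvp(self.transport(self.endpoint, encode_nvp(req)))
        if resp.get("ACK") not in ("Success", "SuccessWithWarning"):
            raise NvpError(resp.get("L_ERRORCODE0", "?"),
                           resp.get("L_LONGMESSAGE0", resp.get("L_SHORTMESSAGE0", "")),
                           resp.get("CORRELATIONID", ""))
        return resp

    def start(self, order):
        """Step 1: SetExpressCheckout. Store the token with the order, then redirect."""
        resp = self.call("SetExpressCheckout", PAYMENTACTION="Sale", AMT=order["amount"],
                         CURRENCYCODE=order["currency"],
                         RETURNURL=order["return_url"], CANCELURL=order["cancel_url"])
        order["token"] = resp["TOKEN"]
        return SANDBOX_REDIRECT + resp["TOKEN"]

    def finish(self, order, return_query):
        """Steps 2-3: buyer is back. Bind the returned token to the stored one, fetch the
        details with the same credentials, re-check the amount, then capture."""
        q = decode_nvp(return_query)
        if q.get("token") != order["token"]:
            raise ValueError("token in return URL does not match the one issued for this order")
        details = self.call("GetExpressCheckoutDetails", TOKEN=order["token"])
        if details.get("AMT") != order["amount"] or details.get("CURRENCYCODE") != order["currency"]:
            raise ValueError("amount/currency on PayPal's side differ from the stored order")
        pay = self.call("DoExpressCheckoutPayment", TOKEN=order["token"],
                        PAYERID=details["PAYERID"], PAYMENTACTION="Sale",
                        AMT=order["amount"], CURRENCYCODE=order["currency"])
        if pay.get("PAYMENTSTATUS") != "Completed":
            raise ValueError(f"payment not completed: {pay.get('PAYMENTSTATUS')}")
        return pay["TRANSACTIONID"]


class FakeSandbox:
    """Constructed offline stand-in for the NVP endpoint. It knows one credential set;
    any other credentials get the 10002 'Security header is not valid' failure."""
    def __init__(self, valid_creds):
        self.valid = valid_creds
        self.tokens = {}   # token -> (amount, currency) issued by SetExpressCheckout

    def __call__(self, endpoint, body):
        req = decode_nvp(body)
        common = {"VERSION": req.get("VERSION", ""), "CORRELATIONID": "c0ffee"}  # constructed
        if any(req.get(k) != v for k, v in self.valid.items()):
            return encode_nvp({**common, "ACK": "Failure", "L_ERRORCODE0": "10002",
                               "L_SHORTMESSAGE0": "Security error",
                               "L_LONGMESSAGE0": "Security header is not valid"})
        method = req["METHOD"]
        if method == "SetExpressCheckout":
            token = f"EC-{len(self.tokens) + 1:016d}"   # constructed token format
            self.tokens[token] = (req["AMT"], req["CURRENCYCODE"])
            return encode_nvp({**common, "ACK": "Success", "TOKEN": token})
        amt, cur = self.tokens[req["TOKEN"]]
        if method == "GetExpressCheckoutDetails":
            return encode_nvp({**common, "ACK": "Success", "TOKEN": req["TOKEN"],
                               "PAYERID": "PAYER0000001", "AMT": amt, "CURRENCYCODE": cur})
        if method == "DoExpressCheckoutPayment":
            return encode_nvp({**common, "ACK": "Success", "TRANSACTIONID": "TX0000000001",
                               "PAYMENTSTATUS": "Completed", "AMT": amt})
        raise AssertionError(f"unexpected METHOD {method}")


# Constructed credentials and order; a real run uses the sandbox API credentials from
# the PayPal developer account and the merchant's own return/cancel URLs.
SANDBOX_CREDS = {"USER": "seller_api1.example.com", "PWD": "pw", "SIGNATURE": "sig"}


def make_order(amount="19.99", currency="USD"):
    return {"amount": amount, "currency": currency,
            "return_url": "https://shop.example/paypal/return",
            "cancel_url": "https://shop.example/paypal/cancel"}


def run_checkout(creds, transport):
    """Drive the whole flow; returns (token, transaction id) or raises NvpError/ValueError."""
    ec = ExpressCheckout(creds, transport)
    order = make_order()
    token = ec.start(order).rsplit("=", 1)[1]
    # PayPal sends the buyer back with ?token=...&PayerID=...; constructed here.
    return token, ec.finish(order, f"token={token}&PayerID=PAYER0000001")


if __name__ == "__main__":
    print(run_checkout(SANDBOX_CREDS, FakeSandbox(SANDBOX_CREDS)))
```

Because the error 10002 check in FakeSandbox is applied to every call, a credential dict that differs between SetExpressCheckout and GetExpressCheckoutDetails fails on the second call exactly as the post describes; with a real transport the same symptom appears when sandbox credentials are sent to the live endpoint or vice versa, which is why `endpoint` and `creds` are set together on the client rather than per call.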
To use the DirectPay API you need to accept the billing agreement, which costs you $30/month in production but should be free in the sandbox. However, clicking the I Agree button in the sandbox account does nothing, so you can't get your sandbox account enabled for the DirectPay API.
So, in short, the PayPal sandbox just doesn’t work. You can’t reliably test the Express Checkout or the DirectPay API. You would think the so-called industry leader in payment processing could do a better job with this.
 
PayPal, are you listening? Please please please fix this crap and stop making me waste my time. Are you really going to make me use the production site for testing? Is that some angle to help you squeeze me for $30/month, or are you just incompetent?
UPDATE: In case you think I’m being too hard on PayPal, I captured another little video to show how difficult it is to file a support ticket. I have not figured out how to do it yet. I had this same problem yesterday which is why I resorted to blogging in hopes of getting some attention from PayPal to address the sandbox problems.
UPDATE 2008-07-11:
I've had much better luck testing the PayPal Standard API in the sandbox, but still no joy when trying the PayPal Pro APIs.
PayPal Standard
Buy Now button works as expected
Cart Upload works as expected
PDT (Payment Data Transfer) works as expected
IPN (Instant Payment Notification) works as expected
PayPal Pro NVP (Name Value Pair) API
PayPalDirect – test with expired card returns correct error
PayPalDirect – test with a valid expiry date format returns the correct error
PayPalDirect – test with valid non-expired test card Visa 4111111111111111 fails with invalid card message, error code 10759 – this should not happen
SetExpressCheckout – works as expected and returns a token
GetExpressCheckoutDetails – fails with invalid security header message, error code 10002
DoExpressCheckoutPayment – can’t be called due to an invalid response from GetExpressCheckoutDetails
UPDATE 2008-07-12
Somehow today I managed to get ExpressCheckout working. I’m not sure whether it was something I changed in the code or the sandbox just started working right but it’s been reliable for testing all day today. I’ve done some refactoring but haven’t changed any logic, at least I don’t think I have, but in any case, I’m glad it’s working.
UPDATE 2008-07-14
Success! Today I got the PayPal DirectPayment API working in the sandbox. It's rather slow, so you have to put a long timeout on the web request to the sandbox, but it's working. So now I have everything working in the PayPal sandbox for both PayPal Standard and PayPal Pro.
