We'd like to partner with an On Line Travel Agency. They are asking for API username, password and signature for their system to get a signal from paypal that the payment (on our behalf) is successful. Is it safe to give these information? Wouldn't they get any access on our account? Would there be any other way for them to get us connected without giving such info? I hope you guys could enlighten me. Thank you so much.
I would be hesitant as you are to give a business that might not have a verified reputation my API credentials. You are right, they could essentially do any API operations on your account that they want if they have those credentials. There are other products that the merchant could use such as the PayPal Commerce Platform that would simply have you "onboard" through PayPal to the merchant, then they could do a limited number of API operations, but this requires the merchant you're working with to build this out. Worst case, you could give the API credentials and closely monitor their actions, "removing and replacing" the credentials if you see they're taking actions you do not approve of.