Invalid token error with valid bearer token

davidv3
New Community Member

I'm working on an integration with the PayPal REST API. When I call https://api-m.sandbox.paypal.com/v1/oauth2/token, I get a response like

 

{"scope":"https://uri.paypal.com/services/invoicing https://uri.paypal.com/services/vault/payment-tokens/read https://uri.paypal.com/services/payments/realtimepayment https://uri.paypal.com/services/payments/payment/authcapture openid Braintree:Vault https://uri.paypal.com/services/payments/refund https://api.paypal.com/v1/vault/credit-card https://api.paypal.com/v1/payments/.* https://uri.paypal.com/services/vault/payment-tokens/readwrite https://api.paypal.com/v1/vault/credit-card/.* https://uri.paypal.com/services/subscriptions https://uri.paypal.com/services/applications/webhooks","access_token":"[TOKEN]","token_type":"Bearer","app_id":"[APP ID]","expires_in":31511,"nonce":"[NONCE]"}

 

 

When I immediately return the access token in a subsequent call, all the endpoints I've tried return

 

{
"error": "invalid_token",
"error_description": "Token signature verification failed"
}

 

 

I've tried https://api-m.sandbox.paypal.com/v2/invoicing/generate-next-invoice-number, https://api-m.sandbox.paypal.com/v1/billing/plans, and https://api-m.sandbox.paypal.com/v2/invoicing/invoices. All return the same token error. I've called with both CURL and Postman. I'm sending the token in the header and I can tell it's being received because when I omit it or change the format, I get a different error.

 

'Content-Type: application/json',
'Authorization: Bearer <TOKEN>'

 

 

I'm guessing I'm missing something obvious. Can anyone help me? Thank you.


mrummler
New Community Member

Experiencing the same results.
Can generate a token, and the results there look nearly identical to what you are seeing.
However, all endpoints return the "invalid_token" error.
And I've tried all variations on the endpoints:

  • api.paypal
  • api-m.paypal
  • api-m.sandbox.paypal
  • api.sandbox.paypal

What I'm planning on trying next is seeing if there is some kind of date range on transactions, so I'll be doing some test purchases etc...
I haven't actually done anything with the sandbox account for at least a year.
However, I have tried pulling the card data as well and this (IF it's the card data from the account... which I actually don't know) seems like it should not be time sensitive.


adrianhb1
Contributor

Here's my test code that generates the same error

 

#!/bin/bash
TOKEN=`curl -v -X POST "https://api-m.sandbox.paypal.com/v1/oauth2/token" \
-u "<my-client-id>:<my-secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials"`

 

which returns a valid-looking token.  Then

 

 

curl -v -X GET https://api-m.sandbox.paypal.com/v1/notifications/webhooks \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" > result.txt

 

 

returns the "Token signature verification failed" error.  I'm not sure whether the outer curly brackets round the auth token should be included or not, but tried both.

 

Also I realise these are labelled as the v1 API, but they're the examples that the documentation links to from pages marked with a 'current' marker.

 

Hoping to get some response as I see I'm not the only one.


adrianhb1
Contributor

Embarrassing to admit, but at least it's a solution, for me at least.

 

The token should be the value of "access_token" in the JSON returned by the call to https://api-m.sandbox.paypal.com/v1/oauth2/token.  I was using the entire string!  Extracting and using the access_token works.

 

I don't know if the other two people with the problem were doing what I did.  Possibly theirs is a different problem.
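
The fix described in the reply above, as an added example that is not part of the original thread: pull only the "access_token" value out of the token response and refuse to build an Authorization header from anything that is not a bare token. The function names, the sample response and the CLIENT_ID/CLIENT_SECRET variables are assumptions made for illustration.

```shell
#!/bin/bash
# Constructed sample token response (placeholder values, same shape as in the thread).
SAMPLE_RESPONSE='{"scope":"openid https://uri.paypal.com/services/invoicing","access_token":"A21AAExampleTokenValue-123_abc.DEF","token_type":"Bearer","app_id":"APP-EXAMPLE","expires_in":31511,"nonce":"example-nonce"}'

# Print the "access_token" field of a token response body (hypothetical helper).
# Uses jq when installed; the sed fallback only suits the flat, single-line
# JSON shown in the thread.
extract_access_token() {
  if command -v jq >/dev/null 2>&1; then
    eat_token=$(printf '%s' "$1" | jq -r '.access_token // empty' 2>/dev/null) || eat_token=''
  else
    eat_token=$(printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  [ -n "$eat_token" ] || return 1
  printf '%s' "$eat_token"
}

# Build the Authorization header (hypothetical helper). Anything that is not a
# bare token is rejected, e.g. the whole JSON body with its braces, quotes and
# spaces, which is what produced "Token signature verification failed" here.
bearer_header() {
  case $1 in
    ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  printf 'Authorization: Bearer %s' "$1"
}

# Usage against the sandbox (not run here; CLIENT_ID and CLIENT_SECRET are
# assumed variables). -s is used instead of -v because -v prints the Basic and
# Bearer credentials to stderr, where they end up in logs.
#   RESPONSE=$(curl -s -X POST "https://api-m.sandbox.paypal.com/v1/oauth2/token" \
#     -u "$CLIENT_ID:$CLIENT_SECRET" -d "grant_type=client_credentials")
#   TOKEN=$(extract_access_token "$RESPONSE") || exit 1
#   curl -s https://api-m.sandbox.paypal.com/v1/notifications/webhooks \
#     -H "Content-Type: application/json" -H "$(bearer_header "$TOKEN")"

# Offline demonstration on the constructed sample.
TOKEN=$(extract_access_token "$SAMPLE_RESPONSE") && bearer_header "$TOKEN" && echo
```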
