Is facilitatorAccessToken safe?
While testing the Subscription API with a Sandbox account, I was confused by receiving the following info from PayPal back to a page when a sandbox customer approves a payment:
{
    "orderID": "<order_id>",
    "paymentID": null,
    "billingToken": "<billing_token>",
    "subscriptionID": "<sub_id>",
    "facilitatorAccessToken": "A21someY4M3zBrYByQs0tREObsensitivenRX_eE1z0MwoiCKTSb0Z_6GTkoinformationCbtwwhere"
}
facilitatorAccessToken is just the same token which I use for any API request. This means that anyone who uses my app can make any requests, since he/she is aware of the token.
Does it mean that I should use webhooks, or am I just missing something?
I was curious about the same thing, and it looks like facilitatorAccessToken provides access only to the details of the order it was returned in the response for (the one it correlates to). On an attempt to use it for another Order you should receive a response similar to this:
{
    "name": "NOT_AUTHORIZED",
    "details": [
        {
            "issue": "PERMISSION_DENIED",
            "description": "You do not have permission to access or perform operations on this resource."
        }
    ],
    "message": "Authorization failed due to insufficient permissions.",
    "debug_id": "%debug_id%",
    "links": [
        {
            "href": "https://developer.paypal.com/docs/api/orders/v2/#error-PERMISSION_DENIED",
            "rel": "information_link"
        }
    ]
}
