Can I integrate my PayPal-generated Client ID/Secret into my Tyk API?

I’m trying to create an API proxy through Tyk that would allow me to refund users via PayPal’s API automatically.

I have set up registration and payment through an external platform that enables users to complete a one-time payment via PayPal. I now want to enable that same user to automatically delete their account on my platform and refund their purchase if they are unhappy for any reason after 7 days.

To do this, I need to use PayPal API endpoints to authenticate the user, find their transaction ID, and call the endpoint to refund that ID.

For security reasons, I don’t want to store my PayPal credentials locally, and would instead like to create an API proxy where Tyk holds my credentials from PayPal and uses them to enable the refund, and return the result to my platform.

I have successfully created the link to the PayPal API via Tyk and can use Client ID/Secret credentials generated via Tyk. However, these are not the correct credentials for my PayPal account. I see also that it may be possible to use another system external to Tyk to generate these credentials for Tyk instead of the more traditional Tyk-generated method.

Is it possible for me to use the Client ID and Secret credentials provided to me via PayPal to generate an OAuth2.0 access token via my Tyk API? So rather than me use Tyk credentials that don’t link to my account, I can use PayPal’s credentials for my Tyk API?

Sources I’ve used so far: Tyk API Create an API, Tyk OAuth 2.0 guide(s), PayPal API developer docs, plus more that I can’t add as links because of me being a new user :slight_smile:

Hi @dancj5,

Welcome to the community! :tada:

Check out the resources on sample integrations (with Keycloak, Okta etc.) and see if you can work it out to suit Paypal? 1, 2, 3, 4

In the event that you meet some limitations…

Is it possible for me to use the Client ID and Secret credentials provided to me via PayPal to generate an OAuth2.0 access token via my Tyk API?

You can have an API (in Tyk) through which you make the call to Paypal’s /token endpoint to get your access token. This API will primarily hold and embed your client ID/secret in the request. This would be useful for the sake of holding your credentials and not really an integration with Paypal as in the above examples.

I have successfully created the link to the PayPal API via Tyk and can use Client ID/Secret credentials generated via Tyk. However, these are not the correct credentials for…

You can have this API forward your correct Paypal-generated access token to the upstream. With request modification you can replace the Tyk-generated token with Paypal’s token before it gets to Paypal. So Tyk will verify its token, grant access, replace this token with Paypal’s and forward the request to the relevant endpoint. You can secure this API with any authentication method.

See here for documentation on request header modification, and you can achieve both of the above with it.

For instance, the API to get your access token may look like this.

"version_data": {
  "not_versioned": true,
  "default_version": "",
  "versions": {
    "Default": {
      "name": "Default",
      "expires": "",
      "paths": {
        "ignored": [],
        "white_list": [],
        "black_list": []
      },
      "global_headers": {
        "Authorization": "Basic <Base64 encoded Client ID and Secret>",
        "Content-Type": "application/x-www-form-urlencoded"
      }
    }
  }
}

And the API for Paypal actions, like this:

"version_data": {
  "not_versioned": true,
  "default_version": "",
  "versions": {
    "Default": {
      "name": "Default",
      "expires": "",
      "paths": {
        "ignored": [],
        "white_list": [],
        "black_list": []
      },
      "global_headers": {
        "Authorization": "Bearer <Paypal-generated access-token>"
      }
    }
  }
}

Hope this helps.

Thanks @Ubong for the help on this!

Currently I am using your advice to try and solve this problem, but I am coming into some teething problems that I feel are maybe beside the issue here.

I regularly run into the error “Bearer token malformed” when using the Tyk API. I’ve tested my details for the PayPal API in Postman using “https://api-m.sandbox.paypal.com” as the base instead, and the credentials from PayPal work fine.

I try both the PayPal and Tyk credentials using my Tyk API (I’ve triple checked, I believe I am doing the right thing by using “Basic (Base 64 <CLIENT_ID>:<CLIENT_SECRET>)” in the Authorization header), and I keep getting this 400 error message.

Any suggestions as to what I might be doing wrong? For reference, the Base 64 encoding character set is UTF-8. I’ve also tried UTF-16, but that doesn’t seem to work.

UPDATE: Please ignore the above about me receiving the Bearer token malformed issue. Turns out I was just misunderstanding what I needed to do :slight_smile:

In short, previously I was trying to use OAuth2.0 to get the client working. However, OAuth2.0 returns the bearer token. I’m trying to create a bearer token using my client credentials. Therefore, the right thing to do when calling the PayPal OAuth2 endpoint is to use Basic Authentication, and use the client ID and secret to create a Key.

I now have an API that is able to authorise me on the Tyk side. I can see the flow via the debugger, and the key is definitely working. The API is correctly sending an upstream/outbound request to “https://api-m.sandbox.paypal.com/v1/oauth2/token” to get the Bearer token.

HOWEVER, I’m now hitting a 403 Forbidden. Any ideas or suggestions as to why this may be the case? Thanks for the help so far!

Hi @dancj5,

Great that you’ve been able to make progress!

What endpoint do you call when you get the error?
And what Tyk API are you using?
My first guess is that the 403 error is coming from PayPal. See here?

Just a recap, the suggested process involves creating two (2) APIs.

First one:
Purpose: To get Paypal bearer token.
Suggested upstream target: https://api-m.sandbox.paypal.com/v1/oauth2/token
Embedded Global Request Headers: Authorization: Basic {Base64 encoded Client ID and Secret}, Content-Type: application/x-www-form-urlencoded

Second one:
Purpose: To carry out actions on the Paypal API, e.g. list invoices
Suggested upstream target: https://api-m.sandbox.paypal.com/
Embedded Global Request Headers: Authorization: Bearer {Paypal access token}

Hi @Ubong!

Big update: I have managed to get the Tyk API working! :tada:

Note to anyone using the debugger to try and work with the PayPal API - because the OAuth2 endpoint expects a content type of “application/x-www-form-urlencoded”, you need to use a tool like Postman to test the Tyk API. From what I can tell, the debugger in Tyk only uses JSON.

My final challenge is to create a file I can store on my platform that calls the API. However, I don’t want to store my basic authentication details locally. @Ubong, do you have any suggestions as to how I can call the Tyk API so that I don’t have to store these credentials anywhere else other than the Tyk API?

To help you understand what I mean, my logic is that I can create a JavaScript fetch API call to the endpoint, and because the key is stored in Tyk, Tyk would recognise that this is an accepted endpoint call from an allowed domain, and therefore use the key to call PayPal upstream. Is this possible in Tyk? Is this something I can do with whitelisting or otherwise?

UPDATE: I have used the advice you gave above to modify the header upstream, so that I can store credentials locally that will not work for PayPal outside of the context of the platform. If anyone has suggestions for how I can make this even more secure, please feel free to share! :slight_smile:
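The two-API flow recapped by @Ubong, seen from the platform side that @dancj5 asks about in the last post, as an added example (not code from this thread, from Tyk or from PayPal): it builds the Basic value that goes into the token API's global_headers, the form-encoded token request, and the refund call through the second API. The gateway host, the listen paths /paypal-token/ and /paypal/, and the capture-refund path are assumptions.

```python
# Platform-side caller for the two Tyk APIs recapped above. Added example,
# not code from this thread, Tyk or PayPal. Assumed: listen paths
# /paypal-token/ and /paypal/ on TYK_BASE and PayPal's capture-refund path.
import base64
import json
from urllib.parse import urlencode

TYK_BASE = "https://tyk.example.invalid"  # placeholder gateway host

def basic_auth_value(client_id: str, client_secret: str) -> str:
    # Value pasted into global_headers of the token API. The credentials
    # are ASCII, so UTF-8 is right; UTF-16 adds a BOM and NUL bytes and
    # yields a header PayPal rejects.
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(tyk_key: str) -> dict:
    # Sent to the first Tyk API. Only the Tyk key leaves the platform; Tyk
    # overwrites Authorization with the Basic value and forwards to
    # /v1/oauth2/token. The body is form-encoded, not JSON, which is why
    # Tyk's JSON-only debugger cannot exercise this call.
    return {"method": "POST", "url": f"{TYK_BASE}/paypal-token/",
            "headers": {"Authorization": tyk_key,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials"})}

def parse_token_response(body: str) -> tuple:
    # PayPal returns access_token, token_type and expires_in (seconds). The
    # Bearer value embedded in the second API must be refreshed before
    # expires_in elapses or upstream calls start failing.
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in token response")
    return data["access_token"], int(data["expires_in"])

def refund_request(tyk_key: str, capture_id: str, value: str,
                   currency: str) -> dict:
    # Sent to the second Tyk API: Tyk validates tyk_key, swaps in
    # "Bearer <PayPal token>" and forwards to the assumed refund path.
    return {"method": "POST",
            "url": f"{TYK_BASE}/paypal/v2/payments/captures/{capture_id}/refund",
            "headers": {"Authorization": tyk_key,
                        "Content-Type": "application/json"},
            "body": json.dumps({"amount": {"value": value,
                                           "currency_code": currency}})}

# Constructed sample PayPal token response, so the parser runs offline.
SAMPLE_TOKEN_RESPONSE = ('{"scope": "...", "access_token": "A21AAexample", '
                         '"token_type": "Bearer", "expires_in": 32400}')
```

Only the Tyk key is stored on the platform; the PayPal client secret and access token live solely in the two Tyk definitions, so a leaked platform key is useless against PayPal directly.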