Reputation: 13090
I'm using the PayPal REST API to make payments: https://developer.paypal.com/webapps/developer/docs/api/
The flow itself is quite straightforward:
/v1/payments/payment
/v1/payments/execute
Now the part I'm finding a bit tricky is step 1-2 and 4-5.
Let's start with part 4. On the return from PayPal the URL has PayerID and token as GET parameters. PayerID is a good identifier of the user making the transaction but not of the order (if they have many orders). The token therefore seems to be the logical thing to use to identify the order.
However...
The response from creating the payment in step 1 only contains the token on the end of the approval_url, which is nested a few nodes in. I've managed to get it out and hold it for future reference, so that it can be used to identify which payment to execute for step 5. It would be much easier if PaymentID was in the return though.
I'm wondering whether my approach is accurate or whether there is a better way. I'm not totally sure about storing the information in sessions myself while the user goes off to PayPal in case they expire.
Your thoughts please.
Upvotes: 0
Views: 132
Reputation: 1271
You don't really need to store the token as it can only be used once and expires after 3 hours. Instead, what I do is store the paymentId that is generated:
$_SESSION['paymentId'] = $return['id'];
When they get redirected to your landing page, you just check to make sure this is set; if not, redirect them and generate a new one. You need the paymentId to even execute the payment, or look up the information about the payment:
POST /v1/payments/payment/{paymentId}/execute
and
GET /v1/payments/payment/{paymentId}
Which will return the selected shipping address, etc.
Upvotes: 1
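The flow discussed in this thread, as an added example (not code from either poster and not PayPal's own): it keeps the paymentId server-side as the answer suggests, and additionally compares the returned token with the one parsed from approval_url, so a return URL can only execute the payment this session created. The function names `rememberPayment` and `buildExecuteRequest` are hypothetical, the response JSON is a constructed sample, and a plain `$session` array stands in for `$_SESSION` so it runs from the CLI.

```php
<?php
// Constructed sample of a create-payment response (id plus links[] with rel/href).
$created = json_decode('{"id": "PAY-EXAMPLE123", "links": [
  {"rel": "self", "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-EXAMPLE123"},
  {"rel": "approval_url", "href": "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-EXAMPLETOKEN"},
  {"rel": "execute", "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-EXAMPLE123/execute"}
]}', true);

// After creating the payment: store the paymentId and the approval token
// server-side, and return the URL the buyer is redirected to.
function rememberPayment(array $created, array &$session): string {
    foreach ($created['links'] as $link) {
        if ($link['rel'] === 'approval_url') {
            parse_str((string) parse_url($link['href'], PHP_URL_QUERY), $query);
            $session['paymentId'] = $created['id'];
            $session['token'] = $query['token'] ?? '';
            return $link['href'];
        }
    }
    throw new RuntimeException('no approval_url in create response');
}

// On the return from PayPal: the paymentId comes from the session, never from
// the URL. Returns null when the caller should start a new payment instead.
function buildExecuteRequest(array $get, array &$session): ?array {
    $payerId = $get['PayerID'] ?? null;
    $token = $get['token'] ?? null;
    if (!isset($session['paymentId'], $session['token'])
        || !is_string($payerId) || $payerId === ''
        || !is_string($token) || $session['token'] === ''
        || !hash_equals($session['token'], $token)) {
        return null;
    }
    $paymentId = $session['paymentId'];
    unset($session['paymentId'], $session['token']); // one execute per payment
    return [
        'method' => 'POST',
        'path' => '/v1/payments/payment/' . rawurlencode($paymentId) . '/execute',
        'body' => json_encode(['payer_id' => $payerId]),
    ];
}

$session = []; // stands in for $_SESSION
$redirect = rememberPayment($created, $session);
$return = ['PayerID' => 'PAYEREXAMPLE', 'token' => 'EC-EXAMPLETOKEN']; // constructed
$first = buildExecuteRequest($return, $session);  // request to send
$second = buildExecuteRequest($return, $session); // null: state already consumed
var_dump($redirect, $first, $second);
```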