-1

Currently I am redirecting the order amount to the merchant account, and that is working fine,

but now when I perform a refund operation I get a permission error.

Steps I followed:

  1. Getting the merchant's access token from his/her refresh token (stored in the database), using the https://api-m.sandbox.paypal.com/v1/identity/openidconnect/tokenservice API.

  2. Now using the above token (from step 1) for the refund process in the API below, https://api.sandbox.paypal.com/v2/payments/captures/{captureId}/refund, where

captureId: got from order details

Response of the refund API:

{
    "name": "NOT_AUTHORIZED",
    "message": "Authorization failed due to insufficient permissions.",
    "debug_id": "60091a8e09195",
    "details": [
        {
            "issue": "PERMISSION_DENIED",
            "field": "capture_id",
            "value": "90Y75959CH863854A",
            "description": "You do not have permission to access or perform operations on this resource.",
            "location": "path"
        }
    ],
    "links": [
        {
            "href": "https://developer.paypal.com/docs/api/payments/v2/#error-PERMISSION_DENIED",
            "rel": "information_link"
        }
    ]
}

Can someone help me find what mistake I am making, and how I can resolve this issue?

Umesh Goti
  • What scope/permissions are you requesting from the merchant before obtaining the refresh token? i.e. `https://www.sandbox.paypal.com/signin/authorize?scope=.........` – Preston PHX Feb 09 '22 at 17:17
  • Thanks for your reply. Currently I am using the scopes below for the merchant authorization API: https://www.sandbox.paypal.com/signin/authorize?scope=openid profile email https://uri.paypal.com/services/paypalattributes https://uri.paypal.com/services/paypalattributes&response_type=code – Umesh Goti Feb 10 '22 at 04:21
  • Please help me: which scopes do I need to add for a refund on behalf of the merchant? – Umesh Goti Feb 10 '22 at 04:22

1 Answer

1

To determine which scopes you should try asking for during authorization, do a normal access_token request using your own credentials and look at the scopes variable returned.

https://uri.paypal.com/services/payments/refund seems relevant.

Preston PHX
  • When I call the API https://api-m.sandbox.paypal.com/v1/oauth2/token using my app client ID and secret, it returns "scope": "https://uri.paypal.com/services/invoicing https://uri.paypal.com/services/disputes/read-buyer https://uri.paypal.com/services/payments/realtimepayment https://uri.paypal.com/services/disputes/update-seller openid https://uri.paypal.com/services/payments/payment/authcapture https://uri.paypal.com/services/disputes/read-seller https://uri.paypal.com/services/payments/refund https://api.paypal.com/v1/vault/credit-card ..... etc. – Umesh Goti Feb 10 '22 at 06:26
  • Exactly. So some of these are potentially what you want to try requesting authorization for from the merchant account, particularly refund. – Preston PHX Feb 10 '22 at 07:19
  • But even though I am getting https://uri.paypal.com/services/payments/refund inside the scope, I am not able to make a refund on behalf of the merchant (using the merchant's refresh token). Can you please let me know what I am missing now? Or please let me know what steps I need to follow when I have a refresh token. – Umesh Goti Feb 10 '22 at 08:02
  • Hard to know what you need to do differently without seeing everything you're doing, but there are two possibilities. (1) If they have granted the permission to you as a caller via the signin?authorize, then rather than a refresh token you may need to use your own access token and provide a PayPal-Auth-Assertion HTTP header with a JWT token you generate. See the information here: https://developer.paypal.com/api/rest/requests/#paypal-auth-assertion – Preston PHX Feb 10 '22 at 08:54
  • (2) Alternatively, you may need to integrate the Partner Referrals API instead of what you are doing, https://developer.paypal.com/docs/multiparty/seller-onboarding/before-payment/ – Preston PHX Feb 10 '22 at 08:54
  • Currently I am using `headers.put("alg", "none"); claims.put("iss", "{My_app_client_id}"); claims.put("payer_id", {payer_id}); String token = Jwts.builder().setHeader(headers).setClaims(claims).compact()` to generate the token and pass it as 'PayPal-Auth-Assertion', but I do not understand the 'you may need to use your own access token' part. Only this remains; all other things are completed. – Umesh Goti Feb 10 '22 at 10:10
  • Can you please help me solve this? Also, thanks, you helped me a lot; only this remains. @Preston PHX – Umesh Goti Feb 11 '22 at 07:50
  • Your own access token is obtained with your own APP's client id and secret grant credentials request, and the JWT is an additional header when doing an API call. – Preston PHX Feb 11 '22 at 08:13
  • I get the access token from openidconnect/tokenservice (Authorization: myAppClientId, myAppClientSecret; body: grant_type refresh token, with the merchant's refresh token). Now I am calling the refund API /capture/{captureId}/refund (with Authorization: token from the previous API; Headers: PayPal-Auth-Assertion: JWT). My JWT contains "payer_id":"merchant_id","iss":"myAppClientId"; I also tried "iss": "MyAppClientSecret". Can you please now let me know where I am making a mistake? @Preston PHX – Umesh Goti Feb 11 '22 at 08:48
  • Can you please help me with this? – Umesh Goti Feb 13 '22 at 16:41
  • Thanks for your support. Refund is now working in the sandbox after I enabled the Partner Referrals API. – Umesh Goti Mar 04 '22 at 12:23
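
The call shape described in the comments above (the partner's own client-credentials access token plus a `PayPal-Auth-Assertion` header), as an added Python example that is not code from either poster. The client id, secret and payer id are constructed placeholders, the assertion uses the unsecured-JWT form (`"alg": "none"`, empty signature) from the asker's snippet, and nothing is sent over the network.

```python
import base64
import json
import urllib.parse
import urllib.request

API = "https://api-m.sandbox.paypal.com"  # sandbox host used on this page

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_auth_assertion(client_id, merchant_payer_id):
    """Unsecured JWT: header.payload. with an empty third (signature) part.
    It proves nothing by itself; authorization rests on the bearer token
    and on the permission the merchant granted to the calling app."""
    header = _b64url({"alg": "none"})
    claims = _b64url({"iss": client_id, "payer_id": merchant_payer_id})
    return f"{header}.{claims}."

def build_token_request(client_id, client_secret):
    """The app's own token: client_credentials grant, not the merchant's refresh token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(f"{API}/v1/oauth2/token", data=body, method="POST",
                                  headers={"Authorization": f"Basic {basic}"})

def build_refund_request(access_token, capture_id, assertion):
    """Refund call made as the app, acting for the merchant named in the assertion."""
    cid = urllib.parse.quote(capture_id, safe="")  # keep the id inside one path segment
    return urllib.request.Request(
        f"{API}/v2/payments/captures/{cid}/refund", data=b"{}", method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json",
                 "PayPal-Auth-Assertion": assertion})

def decode_assertion(assertion):
    """Decode an assertion for inspection or logging before it is sent."""
    header, claims, signature = assertion.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(header))),
            json.loads(base64.urlsafe_b64decode(pad(claims))), signature)

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    a = build_auth_assertion("CONSTRUCTED_CLIENT_ID", "CONSTRUCTED_PAYER_ID")
    r = build_refund_request("CONSTRUCTED_ACCESS_TOKEN", "90Y75959CH863854A", a)
    print(r.get_method(), r.full_url)
    print(decode_assertion(a))
```

The `iss` claim carries the app's client id, never the client secret: the assertion is only encoded, so anything placed in it is readable by whoever sees the header.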