PayPal Express Checkout returns - Security header is not valid

Question

This has probably been asked a thousand times... But i'm sure i have all the endpoints and credentials right. It was working yesterday.

Security error:
Error no: 10002
Error message: Security header is not valid

Right now i'm testing against the sandbox server.

Whenever i try the testURL in my browser i get ACK=Success with a token, but i get "Security header is not valid" error when it runs through the code.

It was working a few hours ago but for some reason i keep getting the same error now.

using user/pwd and signature from a sandbox account

https://api-3t.sandbox.paypal.com/nvp
USER=xxxxxxxxxxxxxxxxxxxx
PWD=XXXXXXXXXXXXX
SIGNATURE=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I have the following test code:

        String testURL = "https://api-3t.sandbox.paypal.com/nvp?USER=xxxxxxxxxxxxxxxxxxxx&PWD=XXXXXXXXXXXXX&SIGNATURE=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX&VERSION=84.0-2276209&PAYMENTREQUEST_0_PAYMENTACTION=Sale&PAYMENTREQUEST_0_AMT=15&RETURNURL=https%3a%2f%2fdomain.com%2fCheckout.aspx&CANCELURL=https%3a%2f%2fdomain.com%2fCheckout.aspx&METHOD=SetExpressCheckout";

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(testURL);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";


        //Send the request to PayPal and get the response
        StreamWriter streamOut = new StreamWriter(req.GetRequestStream(), System.Text.Encoding.ASCII);
        streamOut.Write(testURL);
        streamOut.Close();
        // get resposne
        StreamReader streamIn = new StreamReader(req.GetResponse().GetResponseStream());
        string strResponse = HttpUtility.UrlDecode(streamIn.ReadToEnd());
        streamIn.Close();

HTTPREsponse when code sends it

TIMESTAMP=2011-11-22T23:25:34Z&CORRELATIONID=392047cb78388&ACK=Failure&VERSION=84.000000&BUILD=2271164&L_ERRORCODE0=10002&L_SHORTMESSAGE0=Security error&L_LONGMESSAGE0=Security header is not valid&L_SEVERITYCODE0=Error

HttpResponse if i just copy paste the testURL in the browser

TOKEN=EC%2d4JW15968AV8121546&TIMESTAMP=2011%2d11%2d22T22%3a59%3a27Z&CORRELATIONID=c790299fd9ac7&ACK=Success&VERSION=84%2e000000&BUILD=2271164

I've tried not to UrlEncode the variables in the test url... same problem

thanks in advance

Answer 1

OK this might be a bug on Paypal's side.

if i change the testUrl from

String testURL = "https://api-3t.sandbox.paypal.com/nvp?USER=XXX&PWD=YYY&SIGNATURE=ZZZ&VERSION=.......&METHOD=SetExpressCheckout";

to

String testURL = "https://api-3t.sandbox.paypal.com/nvp?&x=y&USER=XXX&PWD=YYY&SIGNATURE=ZZZ&VERSION=.......&METHOD=SetExpressCheckout";

it works

See the bolded part with random first querystring variable. PayPal seems to ignore the first querystring parameter when it's sent from codebehind (which would be user=xxx if there wasn’t x=y before it).