Paypal - Security header is not valid - Website Payments Pro
posted by kevin on May 22, 2009

Paypal is a joke..

So for a client we integrated with the Website Payments Pro, using the NVP API and using the API Signature method. Now if you don't know exactly what those services/api's are, it doesn't really matter, you should still get a chuckle out of this story.

So we integrated it with the sandbox and everything worked fine.

We obtained the 'live' api credentials and slapped them into our configuration file. We then ran a test. The results we got back were: 'Security header is not valid'

Now none of the code was changed except our configuration which we copy and pasted from Paypal's site. So confused as why this wasn't working we called their tech support (had a number for the account rep), explained the situation and he said he'd put in a ticket.

So late the next day we finally hear from their support guy, and what he told me cracked me up. I tried not to laugh at him when he told me what to do:

He said what you're using is the nvp 3.0 API and we've been having issues with authentication using the API. What I want you to do is remove the api credentials you have setup, and then request new credentials. Then remove the new credentials you've set up. Now create new credentials a 4th time. Once you have the 4th credentials issued, plug those into your application and it should work.

So I tried it, and after generating the 4th credential it still didn't work (imagine that).

I called him back letting him know it didn't work, he said email me your request and I'll take a look at it.

I emailed him the curl request I was using and this was his email back:

Hi Kevin,

I did a test on the new API credentials and get the same error. I recommend that you create a few more and let me know if you’re still getting the error.

Regards,

XXX XXXXXX
Merchant Technical Services Integration

So it's still not working, but at least I have a funny story out of it.

Tags: PHP, Paypal, Website Payments Pro, Paypal is a Joke, Security header is not valid
Read more | Comments (9) | Last updated on May 22, 2009

9 comments to "Paypal - Security header is not valid - Website Payments Pro"

#25
Brent says:
June 19, 2009 at 08:22 pm
Hi Kevin. Did you ever get this situation resolved? We're having the exact same issue. Ugh.
#26
Kevin Korb says:
June 20, 2009 at 11:19 am
Brent, After about a week and a half of going back and forth with their support I finally got to a level 2 support guy that said just make sure you're connecting to the live end-point with the live API credentials. I could have sworn that's what I was doing, but it finally worked that time. So I'm not sure if they fixed something or what. But I sent my credentials to a level 1 support staff guy there and he verified that he wasn't able to connect with my credentials. So I'm not sure exactly what happened...
#87
Andrew Kelly says:
November 26, 2009 at 02:35 am
Kevin, it is not that complicated: Use the sand-box API credentials with the sand-box 'end-point'. Use your live API credentials with the live 'end-point'. That was your only problem. Paypal was not the joke, rather....
#89
Kevin Korb says:
November 30, 2009 at 02:04 pm
Andrew, If that was the case then my initial API credentials for the live server would have worked for the live server. Also when I sent the credentials to Paypal they would have verified that it worked for them, instead of confirming that the live credentials did not work for the live server. And that's when I got the advice to create and delete the credentials 3 times before using them.

You indicated that I was simply using the wrong credentials in the wrong place.. wouldn't you think their support would have picked up on that instead of giving me some ridiculous advice? I would hope so, and if not, that strengthens my case.

Would you not agree?

I'm glad your credentials worked for you, and you had no issues, congratulations.
#97
Madcat says:
December 16, 2009 at 04:06 pm
Kevin, I should totally agree with you. I am wasting my time with this PayPal for the past 2 days trying to it working, Nothing complicated right, but the PayPal will make it complicated. Just check how poor the documentation is: Obtaining API Credentials To use the PayPal API, you must have API credentialsthat identify you as a PayPal business account holder authorizedto perform various API operations. Although you can use either an API signature or a certificatefor credentials, PayPal recommends you use a signature. Important: You can use either a signature or acertificate; however, you cannot use a signature and a certificateat the same time. I am serious, look at the way the words are. Here is the link for the broken crap: https://www.x.com/docs/DOC-1216 Andrew, i hope you are not offended by this :-)
#125
danny ocean says:
May 5, 2010 at 07:15 pm
yeah, I totally agree that if you've never set up online payments with Paypal, it's absolutely hell to figure it out. Most of their help pages redirect you three times to the "new location", and even then, their help files are duplicitous and the most confusing tutorials I've ever read. I'm an experienced programmer and it took me 2 days just to figure out how the hell to test a transaction. Paypal sucks for the programmer. Too bad the clients all want to use it because it's cheap.
#133
Chris says:
May 23, 2010 at 12:06 pm
Danny, what did you do to get it working? I am using swipe on my iPhone and I get the security header problem
#154
sivakumar says:
July 1, 2010 at 05:15 am
I agreed with Andrew Kelly. I got the same error and it resolved when I change the api endpoint(sandbox to live).
#155
Kevin Korb says:
July 1, 2010 at 10:32 am
sivakumar, I'm glad you got this error for that reason, and changing the correct api worked for you. The point of this post isn't really how to fix the security header, the point was that the support I recieved from paypal was absolutely ridiculous. I've had many dealings with paypal, and most of them have not been good (at least from a developer standpoint) as a customer it hasn't been horrible.
Bookmark and Share

Leave a Comment

Your email address will not be published.

(You can enclose code in <php></php> blocks.)

You may use Markdown syntax.

Please enter the letters as they are shown in the image above.
Letters are not case-sensitive.