Depending on the API you’re using, PayPal returns API error code 10002 accompanied by one of the messages described in the following paragraphs.
Causes and Solutions
This error usually happens when permissions are set incorrectly in your PayPal account. To allow a third party to make API calls on your behalf, you must explicitly grant them permission to do so. If you’ve already done this but you got error code 10002, your shopping cart configuration may be the cause. Your vendor needs to know the primary email address on the PayPal account for which they’re making the third-party API call. They must add this email address to the API script making the API call on your behalf.
If you’re making third-party API calls without a vendor and you still get this error, it can be for one of the following reasons:
- Incorrect API information – Follow this procedure to request API Signature or API Certificate credentials.
- Passing a value in the Subject field – This field should be blank if you’re not making an API call on behalf of another person.
One of several different error messages accompanies error code 10002. You’re most likely to see this message:
- 10002: Authentication/Authorization – Username/Password incorrect
This error occurs when you provide an incorrect API username and API password to the PayPal server, for example, if you:
- Provide the username and password for your actual PayPal account, instead of your API username and API password. PayPal generates your API username and API password when you generate your API Certificate and Signature.
- Use the same API information for the Sandbox and Live environments. You need to generate separate API information for your Sandbox and Live accounts.
- Don’t update the endpoint to point to PayPal’s Live API servers.
- Format your API Certificate as .txt instead of .pem.
- Add leading or trailing whitespace to any of the credential values.
One of the following error messages also may accompany code 10002:
- 10002: Account locked – The user account is locked
- 10002: Authentication/Authorization Failed – Account is locked or inactive
- 10002: Internal Error – Account is locked or inactive
- 10002: Internal Error – Internal Error
- 10002: Authentication/Authorization Failed – Account is not verified
- 10002: Authentication/Authorization Failed – API access is disabled for this account
- 10002: Authentication/Authorization Failed – Client certificate is disabled
- 10002: Authentication/Authorization Failed – Internal Error
- 10002: Authentication/Authorization Failed – This call is not defined in the database!
- 10002: Authentication/Authorization Failed – Token is not valid
- 10002: Receiving Limit exceeded – You’ve exceeded the receiving limit. This transaction can’t be completed
- 10002: Restricted account – Account is restricted
These errors occur because the credentials are incorrect or invalid. Make sure they’re entered correctly and, if possible, try again. If the problem persists or you can’t try again, contact your Account Manager or open a ticket with Merchant Technical Services.
If you get error code 10002 with the message 10002: Security Header Invalid, you have incorrect API credentials. Check that the account that will receive payments was used to generate the API credentials. If you’re using PayPal’s Sandbox environment, you must generate API credentials from within the Sandbox business account rather than a Live account.
You should also check that you’re submitting your request to the correct environment (Live vs. Test). For information on endpoints, see NVP/SOAP API endpoints. If you use a shopping cart, there’s often a switch on their end to change from Live mode to Test or Sandbox mode. Make sure that this switch is set to the correct environment. In addition, your shopping cart often manages endpoints, so consult your shopping cart provider for help.
Note: Any extra spaces or characters in the username, password, or signature can also cause the Security Header invalid error. Check for any extra spaces at the end of the password or signature; it’s common for them to be added when pasting credentials into your cart.
Requesting API credentials
Depending on your shopping cart requirements, you may need an API Signature or an API Certificate. Here’s how to request API Signature or Certificate credentials.
- If you choose API Signature, you can copy the API username, password, and Signature. Then, paste this information into your shopping cart configuration or administration screen and click Done. You can view or remove an API username, password, or Signature anytime.
- If you choose API Certificate, copy your API username and password and click Download Certificate. Save the file to your computer. Remember where you saved the file because you’ll need it later in your shopping cart setup.
Example NVP responses for error 10002
- L_SHORTMESSAGE0=Security error
- L_LONGMESSAGE0=Security header is not valid
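The following is an added example, not PayPal's code: a pre-flight check for the configuration causes listed above (stray whitespace, Live/Sandbox endpoint mismatch, a filled Subject field, a certificate not saved as .pem), plus a parser for the NVP error response shown above. The config layout and the keys `env`, `endpoint`, `cert_path` and `third_party` are assumptions; `USER`, `PWD`, `SIGNATURE`, `SUBJECT` and `L_ERRORCODE0` are NVP field names, and all sample values are constructed.

```python
from urllib.parse import parse_qs, urlparse

def lint_nvp_config(cfg):
    """Return findings for the causes of error 10002 named on this page.

    cfg layout is hypothetical: env, endpoint, USER, PWD, SIGNATURE,
    optional SUBJECT, cert_path and third_party.
    Findings name the field only; secret values are never echoed.
    """
    findings = []
    for field in ("USER", "PWD", "SIGNATURE", "SUBJECT"):
        value = cfg.get(field) or ""
        if value != value.strip():
            findings.append(f"{field}: leading or trailing whitespace")
    host = urlparse(cfg["endpoint"]).hostname or ""
    is_sandbox_host = "sandbox" in host.split(".")
    if (cfg["env"] == "sandbox") != is_sandbox_host:
        findings.append(f"endpoint: {host} does not match env={cfg['env']}")
    if cfg.get("SUBJECT") and not cfg.get("third_party"):
        findings.append("SUBJECT: set, but call is not on behalf of another account")
    cert = cfg.get("cert_path")
    if cert and not cert.lower().endswith(".pem"):
        findings.append("cert_path: certificate file is not .pem")
    return findings

def first_error(nvp_body):
    """Parse an NVP response body; return (code, short, long) for error 0."""
    fields = {k: v[0] for k, v in parse_qs(nvp_body).items()}
    return (fields.get("L_ERRORCODE0"), fields.get("L_SHORTMESSAGE0"),
            fields.get("L_LONGMESSAGE0"))

# Constructed sample: live mode pointed at a sandbox host, a pasted password
# with a trailing space, and a SUBJECT left in a first-party configuration.
SAMPLE_CFG = {
    "env": "live",
    "endpoint": "https://api-3t.sandbox.paypal.com/nvp",
    "USER": "merchant_api1.example.com",
    "PWD": "EXAMPLEPASSWORD ",
    "SIGNATURE": "EXAMPLESIGNATURE",
    "SUBJECT": "someone@example.com",
    "third_party": False,
}
# Constructed response body carrying the messages shown on this page.
SAMPLE_RESPONSE = ("ACK=Failure&L_ERRORCODE0=10002&L_SHORTMESSAGE0=Security%20error"
                   "&L_LONGMESSAGE0=Security%20header%20is%20not%20valid")

if __name__ == "__main__":
    print(first_error(SAMPLE_RESPONSE))
    for finding in lint_nvp_config(SAMPLE_CFG):
        print(finding)
```

Reporting field names rather than values keeps the API password and signature out of logs and support tickets.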