PayPal REST API credentials of another business or party
Question
So I have a platform where my customers who are e-commerce companies can log in and connect to their PayPal account. Once they have connected and authorised I can pull their payout data and transactions and apply some business logic to it.
What I struggle to figure out is how to trigger the OAuth flow that takes the user to the PayPal authorization page and then redirects the user back to my page. From the docs it seems like you should provide client_id and client_secret, but this won't trigger an OAuth flow, it just returns a token. Have I misunderstood something? Should the user not go through an OAuth flow?
How will my users get their client_id and client_secret? Will THEY have to create an app in the PayPal developer portal to get the client_id and client_secret? This seems very unintuitive.
Furthermore there is an expiration time on the token returned, but no refresh_token that I can use. Is the idea that I should save a customer's client_id and client_secret?
So to summarize my questions:
- To gain access to the PayPal REST APIs and make requests on behalf of other merchants, should the merchant go through an OAuth flow?
- Does the merchant have to create an app to obtain their client_id and client_secret?
- How do I refresh the token if there is no refresh token? Do I store the merchant's client_id and client_secret?
The post here says that the OAuth flow has been solved but I don't seem to understand how it has.
Answer 1
Score: 1
> What I struggle to figure out is how to trigger the OAuth flow that takes the user to the PayPal authorization page and then redirects the user back to my page. From the docs it seems like you should provide client_id and client_secret, but this won't trigger an OAuth flow, it just returns a token, have I misunderstood something?
OAuth is used for a couple of distinct things. What you are talking about is a Login with PayPal integration, whereas OAuth is also used to obtain an access_token using a client-id and secret. The latter is required for all basic REST API usage, so you'll be doing that. The Log in with PayPal integration to get permission granted from a user is optional (and requires approval for use in live).
Overall for what you want to accomplish there are three approaches:
- First party integration: Have them obtain a client-id and secret by logging into their dashboard and creating a new live REST app. Store and use these to obtain an access_token, which if desired can be cached and reused for up to 9 hours. Obtain a new access_token as needed.
- With your third party credentials and their merchant-id: Instead of using their client-id and secret, use yours and their merchant-id in both the JS SDK query string and in API calls (must be in both and match). They can obtain their merchant-id from their PayPal Business account settings, or if you integrate 'Login with PayPal' (as mentioned, requires approval to use in live), with or without also using the partner referrals API for them to give permissions (also requires approval to use in live). If you ever end up needing to use the v2/payments/ API for things like refunds or voids, those require passing a PayPal-Auth-Assertion header with a value in JWT token format; for order creation it's just a payee.merchant_id value in the create order purchase_units.
- Third-party with no account info nor permissions: Set payee.email_address to their business account email address; this is more limited in what it allows (for example you can't refund, or do more advanced things like intent:'AUTHORIZE' and later capture/void). The integration is also subject to breaking if they change or don't confirm that account's email address in PayPal.