Do I need 3rd party's Paypal API credentials to let them sell on my site using Payments Pro?

Question

I am working on a website in which a facility pays us for membership. Their membership payment is the only money we receive. This payment is done via Paypal Website Payments Pro using the DoDirectPayment API.

These members then rent out their facility to customers by listing available blocks of time on our website. The customer would pay for this time block via credit card, also via DoDirectPayment, but this time the payment goes directly to the member's Paypal account.

I have found a lack of clear direction on what needs to be done to enable this. I know I could require all members to have a Paypal Payments Pro account ($30 per month) and store their API credentials (including passwords and signatures) in our system and those payments could be handled directly. But I am vaguely aware of the Third-Party app authorization option... I just can't find info on how it should be set up.

Is it possible to only store the member's Paypal email address and just ask them to authorize our app in their profile?

Also, I saw someone suggest the thrid-party payment recipient wouldn't even need a Pro account. If that is the case, what do I need to change about the API call (I'm using the NVP method) so that our Pro account is leveraged but payment is given to the member?

Answer 1

First, your members will need their own Pro account. The only way to try and get around that would be to have all of the funds come into your account and then disperse them accordingly. This is frowned upon by PayPal and will result in a suspended account.

You could indeed have users enter their API credentials into your application and store them with your customer's profile so that you can include them in API calls for that particular member. You'll want to make sure to encrypt these values if you end up doing that.

The proper way to handle it (since you're a hosted solution) would be using Permissions. You would use your own API credentials, but then pass an additional parameter to flag what account you're making that call on behalf of. This is where the Permissions come into play. Your members will need to Grant API Permission for your app to make the DoDirectPayment call on their behalf.

This can be done manually from within the PayPal account under API Access, or programatically via the Permissions API.

Answer 2

OK, I discovered the answer. I am sharing the detail here for others looking for this very elusive information:

• My account (hosted solution) must be a Pro account.
• Members who will be selling to customers on my site must also have Pro accounts. I tested the same code with a regular business account and the error said "This transaction cannot be processed due to an invalid merchant configuration."
• Members do not have to give me all their API credentials.
• The DoDirectPayment call is the same as if I were doing my own payment (almost). I use my own username, password, and signature. The way to send the money to another account is to include one more parameter called SUBJECT which should be the email address associated with the member's Paypal account (not their API username).
• The member must grant my (third-party app) account permission. In my case I only needed the one Paypal labels "Process your customers credit or debit card payments." which should correspond to DIRECT_PAYMENT in API terminology.

Andrew's answer gave me some additional keywords to use in searches, and I appreciate the tip off to the Permission API. It did not directly answer the question, but that will be a nice feature to add to my app instead of making users go through their Paypal profile's to grant permission.