I'm implementing Express Checkout in PayPal.
I have no problem with the first two steps, SetExpressCheckout and GetExpressCheckout. But when I use DoExpressCheckout, I encounter the error "Security header is not valid".
The API credentials are the same!
I've fixed it by changing the $environment to live in DoExpressCheckout. (The difference $environment makes is that it'll use https://api.sandbox.paypal.com/nvp/ instead of https://api-3t.$environment.paypal.com/nvp)
But why?
Is there something wrong with https://api-3t.$environment.paypal.com/nvp?
https://api-3t.sandbox.paypal.com/nvp requires different user-accounts than what https://api-3t.paypal.com/nvp requires.
The sandbox accounts can be activated at developer.paypal.com
I had the same error being thrown for the live environment. For me, it turned out there was a trailing space at the end of my API username.... I removed the space and it worked fine.... I'd pasted them into a config file straight from PayPal and must've copied a blank there as well... so if this happens to you, check for trailing spaces! This would've been obvious if the username was hardcoded in a string, but wasn't because it was in a java properties file.
note that you'll also get this error if your credentials are wrong (ie bad username, password or signature). I just had the same issue happen when I pasted in my info to a config file, and had extra characters at the end of my signature by mistake.
He may not grant permission for checkout. Refer to this article, apparently down for now but still available here.
来源:https://stackoverflow.com/questions/1712685/express-checkout-error-message-security-header-is-not-valid