PayPal Client ID Validator

PayPal Client ID: format, OAuth 2.0 and the Sandbox vs Live split

A PayPal Client ID is the public half of the OAuth 2.0 credential pair that authenticates a merchant application against the PayPal REST API. Created in the PayPal Developer Dashboard when you register an app, the Client ID is roughly 80 characters of alphanumerics plus hyphens and underscores. The exact length varies across cohorts of generated apps, but the ^[A-Za-z0-9_-]{70,90}$ shape captures essentially every modern issuance. Older IDs from before the 2017 REST overhaul were shorter and used a slightly different alphabet; if you have such an account, regenerate the credential to align with the current format.

PayPal keeps two fully separate environments: Sandbox (sandbox.paypal.com) and Live (paypal.com). Each issues its own Client ID and Secret, with no overlap. Sandbox transactions move only fake balances between fake accounts created in the dashboard, while live transactions touch the real settlement rails. Conflating the two is the most common cause of "checkout works locally but fails in production" tickets — verify the prefix of the Client ID is matched against the right base URL of the SDK call.

Where the Client ID is used: Smart Buttons, Subscriptions, REST API

The Client ID surfaces in three layers of a PayPal integration:

• Smart Payment Buttons (JavaScript SDK): a dynamic <script src> URL parameterized by the Client ID, rendering PayPal, PayPal Credit, debit and local payment options based on locale.
• Subscriptions API: recurring-billing product launched in 2019; the Client ID is required to mint billing-agreement tokens.
• REST API OAuth 2.0: server-side calls authenticate with the Client ID + Secret to mint a Bearer access token, which is then used for Orders, Payments, Payouts and Disputes endpoints.
• Webhooks: each app has webhook subscriptions tied to its Client ID; events such as PAYMENT.SALE.COMPLETED and BILLING.SUBSCRIPTION.ACTIVATED arrive only at registered URLs.

<!-- Smart Buttons: client side -->
<script src="https://www.paypal.com/sdk/js?client-id=YOUR_CLIENT_ID¤cy=BRL"></script>
<div id="paypal-button-container"></div>
<script>
  paypal.Buttons({
    createOrder: (data, actions) => actions.order.create({
      purchase_units: [{ amount: { value: '99.90', currency_code: 'BRL' } }]
    }),
    onApprove: (data, actions) => actions.order.capture()
  }).render('#paypal-button-container');
</script>

For the OAuth handshake on the server, base64-encode CLIENT_ID:SECRET and POST to /v1/oauth2/token with grant type client_credentials. The returned access token is valid for nine hours; cache and refresh it instead of re-handshaking on every request.

PayPal in Brazil: BRL, cross-border and the Mercado Pago competition

PayPal entered Brazil in 2008 and supports BRL as a transactional currency for both buyers and sellers. The Brazilian e-commerce checkout landscape is, however, dominated by Mercado Pago (the financial arm of MercadoLibre/MercadoLivre), which combines acquiring, e-wallet and consumer credit at a scale PayPal has not matched locally. PayPal remains relevant for cross-border sales: Brazilian freelancers, content creators and small exporters use PayPal to receive USD, EUR and GBP, then withdraw to a BR bank account with currency conversion handled by PayPal.

Transaction fees vary by plan, but a typical Brazilian PayPal merchant pays around 4.49% + R$ 0.40 per domestic transaction and a percentage spread on the FX conversion when withdrawing. Income received via PayPal is reportable to the Receita Federal, both for individuals (Carne-Leao if from international sources) and legal entities (regular DRE/DCTF). PayPal Pay Later (BNPL — Buy Now Pay Later) has limited BR availability compared with the strong domestic BNPL competition.

Webhooks, IPN, currency support and the Checkout v2 rebrand

PayPal exposes two notification systems: the legacy IPN (Instant Payment Notification) from the Classic API era, and modern Webhooks built on the REST API. Webhooks are the recommended path for any new integration: events are signed and can be verified server-side by hitting /v1/notifications/verify-webhook-signature. The IPN remains supported for legacy carts but is no longer recommended.

• PayPal Checkout v2: rebranded JavaScript SDK launched in 2021, replacing the Express Checkout buttons with the Smart Payment Buttons.
• Currency support: 25+ currencies including USD, EUR, GBP, BRL, MXN, CAD, AUD, JPY, with automatic FX on settlement.
• PayPal Working Capital: small-business loans based on sales history (US/UK markets primarily).
• Mobile SDK: iOS and Android native components, plus React Native bindings.
• PayPal Honey: consumer browser extension (acquired 2020) for coupon discovery; not part of the merchant API.

FAQ

Is PayPal really smaller than Mercado Pago in Brazil?

Yes, by a wide margin in domestic e-commerce. Mercado Pago dominates marketplace, in-store QR and PIX flows in Brazil. PayPal remains stronger for cross-border merchant flows where buyers and sellers are in different countries.

Is the Sandbox Client ID free?

Yes. The PayPal Developer Dashboard issues Sandbox apps at no cost. Each Sandbox app has its own distinct Client ID; never reuse Live credentials in test environments and vice versa.

Does PayPal support multi-currency for Brazilian merchants?

Yes. A Brazilian seller account can receive BRL, USD, EUR, GBP and others. Withdrawal to a BR bank converts at the PayPal exchange rate, which includes a spread above the spot rate.

Is the Client ID confidential?

The Client ID is not strictly secret — it ships in the Smart Buttons script tag. The Client Secret, on the other hand, must never leave the server. Treat the Secret like a database password and rotate it after any incident.

Does this validator confirm the app is active in PayPal?

No. It only confirms the shape matches the documented PayPal Client ID format. Verifying activation requires a successful OAuth token call against the REST API in the correct environment.