The “Security header is not valid” error message is only caused for two reasons:
Wrong Credentials
Make sure that you’ve put your API Username, API Password and API Signature correctly.
Sometimes it happens that during copy and paste there is accidentally a space added, this would trigger this error. Double-check this settings in the SDK or in the admin panel of your third party shopping cart.
Wrong Endpoint
This error would come up if you send the data to the wrong endpoint.
Make sure that you sending the live credentials and data to our live endpoint.
When you want to test your store make sure that you use our test endpoint and the credentials from your sandbox test account.
If you are using a third party shopping cart, make sure that your store is running in test or live mode, regarding which credentials you are using.
Here’s how you can check if your credentials are correct:
FOR LIVE
FOR SANDBOX
Just Substitute the user, pwd and signature and enter in your browser.You should get ACK = SUCCESS if you have input your credentials correctly.
You can also get your credentials from under your PayPal dashboard : https://www.paypal.com/cgi-bin/webscr?cmd=_get-api-signature&generic-flow=true
