GPT-5.6 (Sol / Terra / Luna) is now evaluated on TrustVector โ€” with day-1 independent verification, incl. METR's benchmark-cheating findings.

Read the evaluation
Evaluation record ยท mcp-server-paypal

PayPal MCP Server

v2026.7

PayPal

MCPpaymentsinvoicingfintechmcp
79
Strong
About This MCP

PayPal's official MCP server (Agent Toolkit), hosted at https://mcp.paypal.com with SSE (/sse) and streamable HTTP (/http) transports plus a sandbox at mcp.sandbox.paypal.com; also installable locally as @paypal/mcp. OAuth login or client-credential access tokens gate access, with restricted tool visibility so the LLM only sees tools its token permits. Tools cover invoices, orders, captures, refunds, disputes, subscriptions, catalog, shipment tracking, and transaction reporting.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
api reliability

API stability and uptime analysis of the underlying PayPal REST APIs

Evidence
PayPal Status โ€” Built directly on PayPal's production REST APIs, which serve global payment volume with historically high availability and a public status page
highVerified: 2026-07-09
operation success rate

Operation success testing across the documented tool set in sandbox mode

Evidence
PayPal MCP Server Repository โ€” Tools are wrappers over stable PayPal API endpoints across invoicing (create, list, send, remind, cancel, QR codes), orders/captures/refunds, disputes, subscriptions, catalog, tracking, and transaction reporting
mediumVerified: 2026-07-09
rate limit handling

Rate limiting behavior testing under sustained tool-call load

Evidence
PayPal REST API Rate Limiting Guidance โ€” Inherits PayPal REST API rate limiting with standard 429 responses; limits are adequate for typical agent workloads though not published as fixed quotas
mediumVerified: 2026-07-09
error recovery

Error handling testing with invalid parameters, insufficient permissions, and declined operations

Evidence
PayPal MCP Server Repository โ€” Surfaces PayPal's structured error objects (validation errors, authorization failures) to the agent; strict schema validation rejects malformed tool requests before they reach the API
mediumVerified: 2026-07-09
sandbox environment fidelity

Parity comparison of sandbox and production tool surfaces and behaviors

Evidence
PayPal MCP Quickstart โ€” A full parallel sandbox server at https://mcp.sandbox.paypal.com mirrors the production tool surface, enabling safe end-to-end agent evaluation before any live money movement
highVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
authentication security

Authentication mechanism review for OAuth and access-token flows on the hosted endpoints

Evidence
PayPal MCP Quickstart โ€” Remote server supports OAuth (user logs into PayPal and grants consent) or access tokens minted from Developer Dashboard client credentials; sandbox and production are fully separated hosts with separate credentials
highVerified: 2026-07-09
scope limitation

Permission scope testing across tokens with differing grants; verification that unpermitted tools are absent from tools/list responses

Evidence
PayPal Community Blog: Expanding PayPal's Remote MCP Server Tools โ€” Restricted tool visibility ensures only authorized users and models can access specific tools: the tool list itself is filtered server-side by token permissions, so the LLM never even sees tools its token does not permit โ€” a stronger design than post-hoc authorization checks
highVerified: 2026-07-09
token exposure risk

Token storage and exposure-surface analysis for local configuration versus hosted OAuth

Evidence
PayPal MCP Quickstart โ€” Local @paypal/mcp mode requires client ID and secret in client configuration; a leaked live credential grants API access at the credential's full permission level, making OAuth on the remote server the safer default
mediumVerified: 2026-07-09
action auditability

Audit logging review of API event logs and account activity attribution

Evidence
PayPal Developer Dashboard โ€” Tool calls are API requests attributable to the app credential or OAuth grant, visible in Developer Dashboard event logs and account transaction/activity history, though less granular than a dedicated per-tool-call audit log
mediumVerified: 2026-07-09
unauthorized action risk

Threat modeling of write-capable financial tools under prompt injection; calibrated against other payment-domain MCP servers

Evidence
PayPal MCP Quickstart โ€” Tool surface includes direct money movement (refunds, order capture, invoicing, subscription changes) with no server-side human confirmation step; restricted tool visibility narrows the blast radius but a prompt-injected agent holding a write-permitted token can still move real funds
highVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
payment data exposure

Data flow analysis of tool results containing payer and transaction data

Evidence
PayPal MCP Server Repository โ€” Invoice recipients, order payer details, dispute records, and transaction reports returned by tools flow into the LLM provider's context; raw card credentials are never exposed by PayPal's REST APIs
highVerified: 2026-07-09
sensitive data protection

Review of PayPal compliance posture and the data classes reachable via the tool surface

Evidence
PayPal Security Center โ€” PayPal operates PCI-DSS compliant payment infrastructure; card and bank credentials are tokenized server-side and are not retrievable through any MCP tool
highVerified: 2026-07-09
organization data control

Access control review of credential permissioning and consent revocation

Evidence
PayPal MCP Quickstart โ€” Account owners control exposure through app credential permissions (which drive restricted tool visibility), sandbox/production separation, and revocation of OAuth consents and app credentials in the Developer Dashboard
mediumVerified: 2026-07-09
third party data sharing

Analysis of downstream data sharing once tool results leave PayPal

Evidence
PayPal Privacy Statement โ€” Payer PII retrieved via tools is shared with the user's LLM provider under that provider's data policy, outside PayPal's compliance boundary
mediumVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness and accuracy review across the developer portals

Evidence
PayPal MCP Quickstart โ€” Dedicated quickstart covering remote (SSE and streamable HTTP) and local setup, both auth flows, and client configuration for Claude, Cursor, and Cline; tool catalog lives in a separate agent-tools reference, and material is split across docs.paypal.ai and developer.paypal.com
highVerified: 2026-07-09
operation visibility

Logging and traceability assessment via dashboard logs and transaction records

Evidence
PayPal Developer Dashboard โ€” Operations surface in Developer Dashboard event logs and account activity; financial writes (invoices, refunds, captures) additionally appear in the account's transaction history
mediumVerified: 2026-07-09
open source transparency

Source code review of the published package and comparison against observed hosted behavior

Evidence
PayPal MCP Server Repository โ€” Apache-2.0 licensed server source (@paypal/mcp v1.8.1 on npm) is published and auditable, though community traction is thin (11 stars) and the hosted remote server's exact deployment cannot be independently verified against the repo
highVerified: 2026-07-09
api coverage clarity

Comparison of documented tool surface against the shipped package and hosted tools/list output

Evidence
PayPal Community Blog: Expanding PayPal's Remote MCP Server Tools โ€” Remote server expanded from invoicing-only at launch (April 2025) to the full agent toolkit (June 2025): invoices, orders, captures, refunds, disputes, subscriptions and plans, catalog, shipment tracking, and transaction reporting
mediumVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of setup

Setup complexity assessment for hosted and local transports across major MCP clients

Evidence
PayPal MCP Quickstart โ€” Remote endpoints connect via OAuth with a simple PayPal login (some clients require the mcp-remote shim); local mode is an npm install of @paypal/mcp with Node.js 18+ and dashboard credentials
highVerified: 2026-07-09
api performance

Latency observation across representative tool calls on both transports

Evidence
PayPal MCP Quickstart โ€” Streamable HTTP transport (/http) delivers chunked responses for immediate display; underlying REST API latency is typical of production payment APIs with thin wrapper overhead
mediumVerified: 2026-07-09
reliability

Uptime analysis of PayPal infrastructure hosting the MCP endpoints

Evidence
PayPal Status โ€” Hosted MCP and underlying APIs ride PayPal's production payments infrastructure with strong historical availability
mediumVerified: 2026-07-09
feature coverage

Feature completeness assessment against the full PayPal API surface

Evidence
PayPal MCP Server Repository โ€” Covers the core merchant surface (invoicing, orders, refunds, disputes, subscriptions, catalog, tracking, reporting); payouts, Braintree, and marketplace/platform features are not exposed
highVerified: 2026-07-09
community adoption

Community activity and adoption analysis across GitHub, npm, and MCP client ecosystems

Evidence
PayPal MCP Server Repository โ€” First-party maintained, but community traction is modest: 11 GitHub stars, last repository push October 2025, and @paypal/mcp last published to npm October 2025; most usage flows through the hosted remote server
mediumVerified: 2026-07-09
Strengths
  • +Restricted tool visibility: the LLM only sees tools its token permits, filtered server-side โ€” a best-in-class scoping design
  • +Hosted remote server with OAuth avoids placing client secrets in local config
  • +Full parallel sandbox environment (mcp.sandbox.paypal.com) for safe end-to-end agent testing
  • +Broad merchant tool surface: invoices, orders, refunds, disputes, subscriptions, catalog, tracking, reporting
  • +Apache-2.0 open-source server implementation published as @paypal/mcp
  • +Both SSE and streamable HTTP transports on the hosted endpoint
  • +Backed by PCI-DSS compliant production payments infrastructure
Limitations
  • !Money-movement tools (refunds, captures, invoicing, subscription changes) make misuse directly costly
  • !No server-side human confirmation step on write operations; must be enforced by the client
  • !Payer PII in tool results is shared with the LLM provider
  • !Client ID/secret in local stdio config is a high-value leak target
  • !No dedicated per-tool-call audit log beyond standard API event logs
  • !Local package and repository updates have lagged the hosted server (last npm publish October 2025)
  • !Payouts, Braintree, and marketplace features are not exposed
Metadata
repository: https://github.com/paypal/paypal-mcp-server
package name: @paypal/mcp
package version: 1.8.1
license: Apache-2.0
maintained by: PayPal
github stars: 11
remote endpoint: https://mcp.paypal.com/sse (SSE); https://mcp.paypal.com/http (streamable HTTP); sandbox at https://mcp.sandbox.paypal.com
authentication: OAuth (hosted, recommended) or access tokens from Developer Dashboard client credentials; restricted tool visibility filters the tool list by token permissions
transport types
0: sse (hosted)
1: streamable-http (hosted)
2: stdio (@paypal/mcp, local)
installation methods
0: Remote MCP endpoint (OAuth or bearer token, mcp-remote shim where needed)
1: npm @paypal/mcp (Node.js 18+)
compliance
0: PCI-DSS
mcp version: 1.0

Use Case Ratings

financial analysis

Transaction reporting and dispute/subscription queries directly from the source of truth; weaker than dedicated analytics for bulk work

customer support

Strong for support agents managing invoices, order lookups, refunds, and dispute status with permission-scoped tokens

code generation

Sandbox parity makes integration development safe, though there is no built-in docs-search tool

data analysis

Good for ad-hoc transaction and subscription queries; bulk analytics is better served by reporting exports

legal compliance

Dispute records are accessible, but payer PII flowing to LLM providers requires careful review