Regarding Paypal API credentials, here's a summary to avoid confusion:
* If you're using SANDBOX mode, you need to use a SANDBOX account API credentials.
* If you're using LIVE mode, you need to use a LIVE account API credentials.
If you use a LIVE account to test in Paypal's SANDBOX environment, Paypal will respond with "The security header is not valid" and vice versa.
There must be a good reason why the returned message is so vague.
