I am implementing the Express Checkout API for a web application, and everything works fine. Still, I am left with a doubt about the flow of the operation.

If I understand well, the user experience is as follows:

1. User orders some items on the merchant sites
2. Before paying, the user is sent to the PayPal site
3. After authentication, the user can confirm some details about the transaction, such as the shipping order, but NOT the total amount
4. The user is redirected to the merchant site, where he can confirm other information, and in particular the total amount of the order
5. The payment is done and the user gets a confirmation page from the merchant.

The SetExpressCheckout call happens between 1 and 2, GetExpressCheckoutDetails between 3 and 4, and finally DoExpressCheckoutPaymentbetween 4 and 5.

The fact that the user is not given the opportunity to confirm the total amount in step 3 is because at this point the merchant may not have the information about the shipping cost. Indeed the documentation says explicitly that the amount can change between the call to SetExpressCheckout and the one to DoExpressCheckoutPayment.

So, what if the merchant lies to the user? I may say that you are confirming a payment for 20EUR and charge you 2000EUR. Now, that is a fraud and I may be prosecuted, but it should not be allowed anyway.

Note that the documentation also claims that obtaining the details about the transaction with a call to GetExpressCheckoutDetails is optional. Similarly, step 4, where the user reviews the payment details, may be skipped altogether, and in this case the user will not confirm any amount!

Am I getting something wrong, or is there a rationale behind this working?