Is it a security risk for app users to see the "payKey" that is returned by the Paypal API?

If a malicious user were to see the payKey token that is returned by the Paypal API, is there anything bad they could do with it?

Or does Paypal only allow my credentials to m开发者_运维问答ake queries against payKeys that are generated for my app?

No. The payKey expires in three hours and is available to your API user only.
In Express Checkout this is available as the 'token', and it's perfectly fine for this to be visible.