I've been getting error 10002 'Security Header is not Valid' when trying to use the Paypal API with NVP php sample code. I started hacking at the project of integrating Joomla Virtuemart with the paypal DoDirectPayment API. I first made a standalone php file which calls the API to process a hardcode transaction. The file works when I load that single file directly no problem. I can check the transaction online at the sandbox. Then when I try to load this file during the checkout process in Joomla it gives me the error 10002 'Security Header is not Valid'. I then dived into the code and found out the way to solve is to replace the line
$environment = 'sandbox'; // or 'beta-sandbox' or 'live'
make sure you cut this line from outside the function
This should solve your problem. Then you can experiment more and pack the string from your session, and your API should work no problem. Drop me a line if you have any question.