Login API (1.1.0)

The Login API enables users to log in to a service using their Vipps or MobilePay credentials. See the API Guide for more details. For the userinfo endpoint, see Userinfo API Guide.

Login API

OpenID configuration endpoint

The well-known endpoint can be used to retrieve configuration information for OpenID Connect clients. To learn more about this endpoint, please refer to the specification at https://openid.net/specs/openid-connect-discovery-1_0.html

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

Response samples

Content type
application/json
{}

The OAuth 2.0 authorize endpoint

The resource owner (end user) is redirected to this endpoint at the beginning of the authentication process, and it is used to obtain an authorization grant. To learn more about this endpoint please refer to the specification at https://tools.ietf.org/html/rfc6749#section-3.1

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

The OAuth 2.0 token endpoint

The token endpoint is used by the client to obtain an access token by presenting its authorization grant. To learn more about this endpoint please refer to the specification at https://tools.ietf.org/html/rfc6749#section-3.2

Authorizations:
Basic-Authorization, Bearer-Authorization
header Parameters
Merchant-Serial-Number
string
Example: 123456

This is a required parameter if you are a partner making API requests on behalf of a merchant. The partner must use the merchant's MSN, not the partner's MSN.

Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Request Body schema: application/x-www-form-urlencoded
grant_type
required
string

Value MUST be authorization_code.

code
required
string

The authorization code received from the authorization server as a query param on the redirect_uri.

redirect_uri
required
string

The redirect URL which the user agent is redirected to after finishing a login. If the URL is using a custom URL scheme, such as myapp://, a path is required: myapp://path-to-something. The URL must be exactly the same as the one specified on portal.vippsmobilepay.com. Be extra careful with trailing slashes and URL-encoded entities.

client_id
string

The client_id is available on portal.vippsmobilepay.com, under the 'Developer' section. This parameter is required if the token endpoint authentication method is set to client_secret_post.

client_secret
string

The client_secret is available on portal.vippsmobilepay.com, under the 'Developer' section. This parameter is required if the token endpoint authentication method is set to client_secret_post.

code_verifier
string

Required if PKCE, https://tools.ietf.org/html/rfc7636, is used.
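The token request described by the parameters above, as an added example that is not part of the original API reference. The function names, the sample values in the usage, and the `client_secret_basic` method name (the standard OpenID Connect name for HTTP Basic client authentication) are assumptions made for illustration; the `code_challenge` derived here is what RFC 7636 has the client send on the authorize request.

```python
import base64, hashlib, secrets
from urllib.parse import quote, urlencode

def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def new_code_verifier():
    """43-character verifier from 32 random bytes; store it with the login session."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def build_token_request(code, redirect_uri, registered_redirect_uri,
                        client_id, client_secret, code_verifier=None,
                        auth_method="client_secret_basic"):
    """Return (headers, body) for the authorization_code token request."""
    # The redirect_uri must match the registered one character for character,
    # so a trailing slash or a differently encoded entity is rejected here.
    if redirect_uri != registered_redirect_uri:
        raise ValueError("redirect_uri differs from the registered value")
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_post":
        # Credentials travel in the form body only for client_secret_post.
        form["client_id"], form["client_secret"] = client_id, client_secret
    elif auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode each part, then Base64 the pair.
        pair = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError("unsupported token endpoint authentication method")
    return headers, urlencode(form)
```
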

Responses

Response samples

Content type
application/json
{
  "access_token": "shxuQPSLpKAiBrgD-HPbgDWc3RHzcXq3skcydKwRroo.Y5aH3PavJkZnSq5dffj8AmKVE-SdwRcbKhUKkmqimoQ",
  "expires_in": 3599,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2ZjIxMTlkZS03ZWY4LTQ0NDQtYjNkYy1lNDNiYWY2MDUwMGYifQ.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.Nejx0nIAPhGjDAOKIpLUVK2bcfTmUr7JfKU8V_7SHUdLGFjSHmDSXkAqYIL_oFXmTQsBrVXTQO-yjL6WGpR5nrpYPHzpY7hMUj00VQ1KTd9gwoMk6uBDvXAnSN7O-cNqC0ehZAlZ6ofR9TwDn03fhS1UcxhLnFq9phzxKD4q7EgBkHOQiwv90M8ZvrZMqdwtdjqIOABks0tVcYlQFKKDDrij0Df90vrFR-coAZeXJzRGsMUivvZlkwlYEQAlTx2BxBT2WqJr407DX-W0k0mj7QPnPQNV-0qT0VLJ6liUwFUi6MQrQ01yosrHwrmwY-0f_GwDDSPp4HizkTmT_CecQy9CLsbnASrcBurpLvjl9bfxXiYtZvvDlxyoyjMd05z94MmuADvM-nIWztKHIbU4ez6qRS1uyMPN2P9-_wzD7Tj2RCrAfSHlgTrx-grhqdkIqcVKdx8RVj5cmmbLDsmgfwLdM0m5Z_QYmctxq7TsLWm0x2A2-rbxlAma5USRDfPpzWBwbZDbJygXEIccGUwgG7SK6XHeTblHmgz87Tx7yfqTw9YSYbzxjnCCBwCXlKUUcHOLMRF_L0BwTBaNaFtYfgc5ne68Ej0V2Mz_BodR3OpRnukTdb1_nXAbDs4JiKhM22aR3R7qopAUnhUAFbde2q1sfwGr-b21a4NgEaWtFwk",
  "token_type": "bearer",
  "scope": "openid name phoneNumber address birthDate email"
}

JSON Web Keys Discovery

This endpoint returns JWK (JSON Web Keys) to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT (JSON Web Token, the access token).

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

Response samples

Content type
application/json
{
  "keys": [ ]
}
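How a client uses the keys from this endpoint to check an ID token signature, as an added example that is not part of the original API reference. It uses only the Python standard library to make each step visible, and it pins RS256 because that is the `alg` in the header of the sample ID token on this page; the function names and the 2048-bit minimum are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15_sha256(message, k):
    """Expected k-byte padded block for an RS256 signature over message."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token_signature(id_token, jwks, min_bits=2048):
    """Return the claims if the RS256 signature checks out, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: the token header must not be able to pick "none" or HS256.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    # Select exactly one RSA signing key whose kid matches the token header.
    keys = [k for k in jwks.get("keys", [])
            if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig"]
    if len(keys) != 1:
        raise ValueError("no unique key for kid")
    n = int.from_bytes(b64url_decode(keys[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(keys[0]["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if n.bit_length() < min_bits or len(sig) != k or s >= n:
        raise ValueError("key too small or signature out of range")
    # RSA public operation, then compare with the padding computed locally.
    em = pow(s, e, n).to_bytes(k, "big")
    signed = (header_b64 + "." + payload_b64).encode("ascii")
    if not hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signed, k)):
        raise ValueError("bad signature")
    # The caller must still validate iss, aud, exp and nonce on the claims.
    return json.loads(b64url_decode(payload_b64))
```

In a deployed client a maintained JOSE library would normally perform these steps; the checks it has to make are the ones shown here.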

CIBA authentication endpoint

This endpoint is used to start merchant-initiated logins according to the Client-Initiated Backchannel Authentication (CIBA) standard.

Authorizations:
Basic-Authorization
Request Body schema: application/x-www-form-urlencoded
object (AuthenticationRequestPayload)
scope
string
loginHint
required
string
bindingMessage
string
requested_expiry
integer [ 60 .. 900 ]

A positive integer representing the requested expiration time, in seconds, for the authentication.

Responses

Response samples

Content type
application/json
{
  "auth_req_id": "string",
  "expires_in": 0,
  "interval": null
}

Endpoint for checking if user exists

Enables validating whether a user exists before actually initiating an authentication.

Authorizations:
Basic-Authorization
Request Body schema: application/x-www-form-urlencoded
object (UserExistsRequestPayload)
loginHint
required
string

Responses

Response samples

Content type
application/json
{
  "exists": true
}