Specialized authentication
This type of authentication applies to:
- Accounting partners for access to the Report API.
- Partners who want to use management keys for accessing the Management API.
If these don't apply to you, go to the Standard authentication section.
What does this provide access to?​
You can use this access token with management keys and accounting keys.
- Management keys - Provide authentication for the Management API.
- Accounting keys - Provide authentication for the Report API.
The Management API and Report API are not available in the test environment, so you will only need production keys.
A mapping of the authentication type to APIs and keys:
| API | Partner keys | Management keys | Accounting keys |
|---|---|---|---|
| Main APIs | Standard authentication | N/A | N/A |
| Management API | Standard authentication | Specialized authentication | N/A |
| Report API | N/A | N/A | Specialized authentication |
Get your API keys​
The partner team will provide these to you.
How partners get API keys
Once your partner application has been approved, you'll receive a welcome email with a test sales unit and API keys. If you have lost this or need a new test sales unit, please contact partner@vippsmobilepay.com. Sales units are unique per country. Remember to state which country the sales unit should be created for.
Note that partner functionality is not available in test. Instead, you will receive merchant API keys, as mentioned in the limitations section. All payment and login flows can be tested using the merchant API keys.
Partners can also get access to the test environment by ordering the Login API. See Partner: How to get access to your sales units on the portal.
Request an access token​
API calls are authenticated with an access token provided by the Access Token API.
To request the access token, use
POST:/miami/v1/token.
This endpoint uses a completely standard OAuth client credentials flow, allowing use of standardized libraries. We strongly recommend this approach, using one of the trusted libraries to perform the flow.
How do I encrypt my keys​
The value for authorization is a string representing your Base64-encoded accounting keys, client_id and client_secret.
Example of how to convert your client_id and client_secret to base64 with JavaScript:
const clientId = 'YOUR-CLIENT-ID';
const clientSecret = 'YOUR-CLIENT-SECRET';
const base64Credentials = btoa(`${clientId}:${clientSecret}`);
console.log(base64Credentials);
Send the API request​
Provide the Base64-encoded value in the Authorization header in a request to
POST:/miami/v1/token:
curl -X POST https://api.vipps.no/miami/v1/token \
-H 'Authorization: Basic <YOUR-BASE64-ENCODED-VALUE>' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--data-urlencode 'grant_type=client_credentials'
You must include the line, --data-urlencode 'grant_type=client_credentials', or
you'll get an invalid_client error.
The Ocp-Apim-Subscription-Key HTTP header should not be sent.
Scope:
You may also specify a scope. For example:
curl -X POST https://api.vipps.no/miami/v1/token \
-H 'Authorization: Basic <YOUR-BASE64-ENCODED-VALUE>' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--data-urlencode 'grant_type=client_credentials&scope=donations:read'
It's a good idea to include the standard HTTP headers
in your requests (e.g., Vipps-System-Name, Vipps-System-Version),
because these will help us to debug the problem, if you have one.
An access token will be returned and is valid for 15 minutes.
API response​
Example (JSON) response from
[POST:/miami/v1/token][mtx]:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>",
"token_type": "Bearer",
"expires_in": 900
}
Use the access token​
The access token represents your identity. Attach the token so that we get your identity and can confirm that you have permission to run the request.
Take the value you received in the access_token field of the response
and use this in the Authorization field in the API request.
For example:
curl -X GET API-ENDPOINT-ADDRESS \
-H "Authorization: Bearer YOUR-ACCESS-TOKEN" \