Standard authentication

This type of authentication is used for almost everything.

👉 If you are a partner who needs limited, specialized access to the Management API or Report API, go to the Partner specialized authentication section.

What does this provide access to?

You can use this access token with any of the main APIs and supporting APIs included with the products you have ordered.

Partners

If you are using merchant keys, you get access to everything the merchant has access to.

If you're using partner keys, you can access all the merchant's products except for Report API, which requires accounting keys and partner specialized authentication.

Get your API keys

Every merchant has a set of API keys that they use for authentication with the POST:/accesstoken/get endpoint. These are referred to as API keys or merchant API keys.

In most cases, you can get both test keys and production keys. See Get your test API keys.

Test keys

We will send you test numbers and keys when you order a product.

Get the access token

Get the access token by calling POST:/accesstoken/get and providing your API keys and the subscription key in the following headers:

  • client_id - Client_id for a sales unit.
  • client_secret - Client_secret for a sales unit.
  • Ocp-Apim-Subscription-Key - Subscription key for a sales unit.

For example:

client_id: fb492b5e-7907-4d83-ba20-c7fb60ca35de
client_secret: Y8Kteew6GE2ZmeycEt6egg==
Ocp-Apim-Subscription-Key: 0f14ebcab0ec4b29ae0cb90d91b4a84a
Merchant-Serial-Number: 123456
Vipps-System-Name: acme
Vipps-System-Version: 3.1.2
Vipps-System-Plugin-Name: acme-webshop
Vipps-System-Plugin-Version: 4.5.6

Example response:

{
  "token_type": "Bearer",
  "expires_in": "86398",
  "ext_expires_in": "0",
  "expires_on": "1495271273",
  "not_before": "1495184574",
  "resource": "00000002-0000-0000-c000-000000000000",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>"
}

If successful, the request returns a response which contains the following properties:

| Name | Description |
|------|-------------|
| token_type | It's a Bearer token. The word Bearer must be added before the token. |
| expires_in | Token expiry duration in seconds. |
| ext_expires_in | Extra expiry time. Not used. |
| expires_on | Token expiry time in epoch time format. |
| not_before | Token creation time in epoch time format. |
| resource | The product for which the token has been issued. |
| access_token | The actual access token that needs to be used in the Authorization request header. |

The access_token property contains the JSON Web Token (JWT) that represents your identity. Use the JWT access token as the Bearer token in the Authorization header of API requests.

tip

The access token is a JSON Web Token (JWT), and uses UTC time. To be sure that you are using the correct time, please take note of the expires_in or expires_on properties.

When you run further API requests, attach the access token and subscription key. These are used to get your identity and confirm that you have permission to run the request.

The access token JWT must be included in the Authorization header of each request.

The access token is valid for 1 hour in the test environment and 24 hours in the production environment.

note

You can have multiple access tokens, and they can be used at the same time as long as they are valid.

Use the access token

The access token represents your identity. Attach the token and your subscription key so that we get your identity and can confirm that you have permission to run the request.

Use the standard HTTP headers. For example:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>
Ocp-Apim-Subscription-Key: 0f14ebcab0ec4b29ae0cb90d91b4a84a
Merchant-Serial-Number: 123456
Vipps-System-Name: acme
Vipps-System-Version: 3.1.2
Vipps-System-Plugin-Name: acme-webshop
Vipps-System-Plugin-Version: 4.5.6

Many of these headers are optional during testing, but you should include them in your integration, so that error information can be found in the logs.

Important: Remember to specify Bearer. If not, you may get an HTTP 401 Unauthorized error. See the FAQ: Why do I get HTTP 401 Unauthorized?.

All API requests must include an Authorization header with a JSON Web Token (JWT), which we call the access token. The Access token API allows you to get this token.
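
One way to handle the token lifetime in client code, as an added example that is not from the original documentation: the cache below reuses the token until shortly before expires_on and builds the Authorization and Ocp-Apim-Subscription-Key headers. The fetch callable (standing in for the POST:/accesstoken/get call), the 60-second margin and the placeholder token value are assumptions.

```python
import time
from typing import Callable, Dict, Optional

# Constructed sample shaped like the example response on this page
# (numeric fields arrive as strings; the token value is a placeholder).
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": "86398",
    "ext_expires_in": "0",
    "expires_on": "1495271273",
    "not_before": "1495184574",
    "resource": "00000002-0000-0000-c000-000000000000",
    "access_token": "PLACEHOLDER.JWT.VALUE",
}


class AccessTokenCache:
    """Caches the access token and renews it shortly before expires_on."""

    def __init__(self, fetch: Callable[[], Dict[str, str]],
                 subscription_key: str, skew_seconds: int = 60,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch          # hypothetical: performs POST:/accesstoken/get
        self._subscription_key = subscription_key
        self._skew = skew_seconds    # assumed safety margin, not from the page
        self._clock = clock          # injectable so expiry handling can be tested
        self._token: Optional[str] = None
        self._expires_on = 0

    def token(self) -> str:
        # time.time() is UTC epoch seconds, the same basis as expires_on.
        if self._token is None or self._clock() >= self._expires_on - self._skew:
            body = self._fetch()
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                # Never echo the response body here: it may contain a live token.
                raise ValueError("unexpected token response")
            self._expires_on = int(body["expires_on"])  # a string in the response
            self._token = body["access_token"]
        return self._token

    def headers(self) -> Dict[str, str]:
        # "Bearer " must precede the token, otherwise expect HTTP 401.
        return {
            "Authorization": "Bearer " + self.token(),
            "Ocp-Apim-Subscription-Key": self._subscription_key,
        }
```

Treat the cached token like the API keys themselves: keep it in memory or a secret store, and keep it out of logs and error messages.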
