Important information
Best practices for linking user accounts
Logging in with Vipps or MobilePay gives a simple experience for the user.
Users who already have an account based on another login method can link this account to their Vipps/MobilePay user. This will give them a better experience next time.
The following are guidelines for linking the user's existing account with their Vipps/MobilePay user:
- Check if you already have the sub
  First, check if you already have the unique user identifier for Vipps MobilePay (called sub in the response from our API) stored on one of your accounts. If you have it, this means that the user has used Vipps MobilePay on your site earlier and has an explicit link to the account. In this case, use the sub to log the user into their account. The sub does not change (except in very special cases). See: What is the sub?
- Fall back to phone number and email address matching
  If you have not already stored the sub, check if the user already has an account based on their phone number and email address. If this gives a match on one (and only one) account, then you can use this to log the user into that account since both phone number and email address are verified in Vipps MobilePay.
- Ensure that email is verified
  Before linking an account based on email, ensure that the response contains the flag email_verified: true. If this for some reason is "false", the matching should be aborted, or the user should be prompted to log in to the original account or confirm the account linking by having a confirmation link sent to the email address.
- Perform a sanity check
  Before completing the linking, compare the user's name from Vipps MobilePay with the name in the existing account. This ensures it is not an old account where the user has abandoned the phone number or email address and this has been picked up by someone else at a later time.
- Handle multiple account matches
  If you get a match on multiple accounts, you can provide information on this and offer the user the possibility to log in to their existing account (using the old login method) and then link the account to Vipps MobilePay.
- Enable account linking from their account profile settings
  Provide logged-in users with the option to link their profile to Vipps MobilePay on your website. This provides for an easier login next time. Just provide the login with Vipps or login with MobilePay buttons and link the sub from Vipps MobilePay with this account.
- Account creation guidance
  If the user does not have an existing account, but this is required for some reason (e.g. because you have a separate sign-up process or the users need to be an existing member/customer), you should provide the user with a message explaining the situation after Login has finished. If relevant, you should provide links or directions on how to create the required account.
By following these steps, you ensure a smoother integration process while providing flexibility for users.
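The decision order from the guidelines above, as an added example (not code from Vipps MobilePay). The account records and their field names are hypothetical and constructed; claim names other than sub and email_verified are assumed to be the standard OIDC ones, and matching on phone or verified email (rather than requiring both) is an assumption.

```python
import unicodedata

def sample_accounts():
    """Constructed merchant records; the field names are hypothetical."""
    return [
        {"id": 1, "name": "Kari Nordmann", "email": "kari@example.com", "phone": "4791234567", "vipps_sub": "sub-kari"},
        {"id": 2, "name": "Ola Hansen", "email": "ola@example.com", "phone": "4798765432"},
        {"id": 3, "name": "Per Olsen", "email": "per@example.com", "phone": "4798765432"},
        {"id": 4, "name": "Anne Berg", "email": "anne@example.com", "phone": "4790000001"},
    ]

def _norm(value):
    """NFKC-normalize, case-fold and single-space a string for comparison."""
    return " ".join(unicodedata.normalize("NFKC", value or "").casefold().split())

def resolve_account(claims, accounts):
    """Return (decision, account). Claim names other than sub and email_verified
    are assumed to be the standard OIDC ones (phone_number, email, name)."""
    # An account that already stores this sub is explicitly linked: log in.
    for acct in accounts:
        if acct.get("vipps_sub") == claims["sub"]:
            return "login", acct
    # Fall back to phone and email; use email only when email_verified is true.
    email_ok = claims.get("email_verified") is True
    matches, unverified_email_hit = [], False
    for acct in accounts:
        phone_hit = bool(claims.get("phone_number")) and acct.get("phone") == claims["phone_number"]
        email_hit = bool(claims.get("email")) and _norm(acct.get("email")) == _norm(claims["email"])
        if phone_hit or (email_hit and email_ok):
            matches.append(acct)
        elif email_hit:
            unverified_email_hit = True
    # Several candidates: the user logs in the old way and links from there.
    if len(matches) > 1:
        return "login_with_old_method", None
    if not matches:
        # Unverified email: confirm by emailed link instead of linking silently.
        return ("confirm_by_email" if unverified_email_hit else "no_account"), None
    # Sanity check the name to catch a recycled phone number or email address.
    acct, name = matches[0], _norm(claims.get("name"))
    if not name or name != _norm(acct.get("name")):
        return "login_with_old_method", acct
    acct["vipps_sub"] = claims["sub"]  # store the link for the next login
    return "linked", acct
```

A "no_account" result corresponds to the account creation guidance, and a name mismatch is treated like a multiple match: the user proves ownership with the old login method before the sub is stored.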
Using Login in native applications
Web views should not be used when using Login in a native application. Instead, the user should be redirected using an external browser opened by or within the app.
Android: Use Custom Tabs or fall back to opening an external browser on the user's device.
iOS: Use SFAuthenticationSession (for iOS 11 and 12) or ASWebAuthenticationSession (for iOS 13 and above).
Revoking consent
Users can revoke their data sharing consent with merchants in the Vipps or MobilePay app, under Profile > Personal information. After revoking, users must give consent again to log in or share data via Vipps MobilePay.
When consent is revoked, we send a CONSENT_REVOKED webhook event (including the user's sub) to the merchant's webhook server.
This feature is optional for merchants. It can be used to trigger events on the merchant's side. For example:
- Notify users they still have an account
- Suggest alternative login options
- Provide instructions for deleting stored data
For more information, see the Revoke consent webhooks section.