Partner keys
We offer Partner keys, which allow partners to make API calls on behalf of their merchants.
If you are a Vipps MobilePay partner managing integrations on behalf of merchants, you can use your partner API credentials to authenticate, and then send the Merchant Serial Number (MSN) to identify which of your merchants you are acting on behalf of.
Read more about partner verification in:
👉 Partner API keys are only functional in the production environment, not the test environment.
Key differences between partner keys and merchant keys in Login
The main differences between partner key integration and merchant integration are:
- Authentication:
  - Merchant integration: Authentication is based on the Login access token, as described in the Access token section.
  - Partner key integration:
    - A token is obtained from the POST:/accesstoken/get endpoint. This authorization method must be used because the endpoint's token_endpoint_authentication methods used by merchants are not supported for partner key integrations.
    - The token is passed as a Bearer token in the header: Authorization: Bearer <access-token>
- Merchant identification:
  - For partner key integration, the Merchant-Serial-Number header must be included in backend requests to identify the merchant you are acting on behalf of.
The target client must be configured with client_secret_basic authentication, although the partner themselves must use a standard access token.
Partner key when integrating from a website
This is a partner version of the Integrate from a website flow.
Authorization endpoint
To initiate a login as partner, redirect the end-user's browser to a /auth URL containing the merchant serial number as a msn query parameter instead of client_id.
GET https://api.vipps.no/access-management-1.0/access/oauth2/auth?msn={Merchant-Serial-Number}&response_type=code&scope={scopes}&state={state}&redirect_uri={redirect_uri}
This request will return a redirect to a /auth URL where the msn query parameter is replaced by the merchant's client_id.
Token endpoint
For the /token endpoint, you should authenticate using an access token. Regular client_secret_basic or client_secret_post does not work for partner key integration.
The target client must be configured with client_secret_basic authentication.
- Fetch access_token.
- Use the access token in the Authorization header, Bearer access-token.
- Add the Merchant-Serial-Number header with the target merchant serial number.
Example request:
POST https://api.vipps.no/access-management-1.0/access/oauth2/token
Authorization: Bearer <access-token>
Content-Type: application/x-www-form-urlencoded
Merchant-Serial-Number: 12345

grant_type=authorization_code&code={authorization_code}&redirect_uri={redirect_uri}
Partner key in merchant-initiated login flow
This is a partner version of the Merchant-initiated login flow. This works for both the regular flow and Redirect to browser.
The Merchant-Serial-Number header must be sent in all API requests.
- Fetch access_token.
- Use the access token in the Authorization header, Bearer access-token.
- Add the Merchant-Serial-Number header with the target merchant serial number.
/backchannel/authentication request
POST https://api.vipps.no/vipps-login-ciba/api/backchannel/authentication
Authorization: Bearer <access-token>
Content-Type: application/x-www-form-urlencoded
Merchant-Serial-Number: 12345

scope=name address openid&login_hint=urn:msisdn:{msisdn}&state=13821s837213bng26e2n61gege26&nonce=21hebdhwqdb7261bd1b23
/token request (without redirect)
For the subsequent token request you should authorize with the same access token and add the Merchant-Serial-Number header as in the /backchannel/authentication request.
POST https://apitest.vipps.no/access-management-1.0/access/oauth2/token
Authorization: Bearer <access-token>
Content-Type: application/x-www-form-urlencoded
Merchant-Serial-Number: 12345

auth_req_id=<auth-req-id>&grant_type=urn:openid:params:grant-type:ciba
ID token validation
When acting as a partner on behalf of a merchant's sales unit, you don't have access to the merchant's client_id, which is used for ID token validation.
It is important to validate the ID token before using any data contained in it. See the OIDC standard on ID token validation for the specifics. We recommend that you use a library for this. A good place to start is finding a library for your language at jwt.io.
We strongly encourage partners to use the msn claim in the ID token for this purpose and ensure that its value is the same as the Merchant Serial Number used for the login.
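The website flow and the msn check described above, tied together in an added example that is not Vipps MobilePay's own code: the MSN is bound to the state value when the login starts, reused for the Merchant-Serial-Number header on /token, and compared with the msn claim afterwards. The function names, the in-memory store and the issuer argument are assumptions, and the ID token signature is assumed to have been verified by a JWT library before check_id_token_claims is called.

```python
import secrets
import time
from urllib.parse import urlencode

AUTH_URL = "https://api.vipps.no/access-management-1.0/access/oauth2/auth"
_pending = {}  # hypothetical in-memory store: state -> login context

def start_login(msn, redirect_uri, scopes="openid"):
    """Build the partner /auth redirect and remember which MSN it is for."""
    state = secrets.token_urlsafe(24)
    _pending[state] = {"msn": str(msn), "redirect_uri": redirect_uri}
    query = urlencode({"msn": msn, "response_type": "code", "scope": scopes,
                       "state": state, "redirect_uri": redirect_uri})
    return state, f"{AUTH_URL}?{query}"

def token_request(state, code, partner_access_token):
    """Headers and form body for /token, using the MSN bound to this state."""
    ctx = _pending[state]  # KeyError means an unknown state: reject the callback
    headers = {"Authorization": f"Bearer {partner_access_token}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Merchant-Serial-Number": ctx["msn"]}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": ctx["redirect_uri"]})
    return headers, body

def check_id_token_claims(state, claims, issuer, now=None):
    """Check the claims of an ID token whose signature is already verified."""
    ctx = _pending.pop(state)  # one-time use, consumed even when a check fails
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("ID token expired or exp missing")
    # The partner has no client_id to compare with aud, so the msn claim is
    # what ties the token to the merchant this login was started for.
    # str() accepts the claim as either a string or a number.
    if str(claims.get("msn", "")) != ctx["msn"]:
        raise ValueError("msn claim does not match the MSN used for login")
    if not claims.get("sub"):
        raise ValueError("sub claim missing")
    return claims["sub"]
```

Taking the MSN from the stored login context, never from the callback request, keeps a token issued for one merchant from being accepted in another merchant's session.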
Requirements
The target client must be configured with client_secret_basic authentication.
The partner themselves must use a standard access token.
See Portal: How to set up Login for your sales unit.
Merchant Serial Number (MSN)
This is a unique identifier for the sales unit. This is a required parameter if you are a partner making API requests on behalf of a merchant. Use the merchant's MSN, not the partner's MSN.
See: How to find the Merchant Serial Number.
Userinfo
For fetching user information, the token received during the login flow must be used.