Skip to main content

Userinfo

As part of the log-in process, you can ask the user for access to parts of their profile information.
They will be presented with a consent screen, like this:

User information consent screen in Vipps User information consent screen in MobilePay

If they give consent, you will be able to get the information through the Get user info request:
GET:/vipps-userinfo-api/userinfo/.

Privacy terms

Ensure that you comply with our privacy terms.

Getting the user information​

Getting user consent through the Login API requires doing the full log-in flow.

Follow the steps for:

In the start login URL, using the OAuth 2.0 authorize endpoint GET:/access-management-1.0/access/oauth2/auth?, specify the type of information that you need access to in the scope (e.g., address).

For example:

https://apitest.vipps.no/access-management-1.0/access/oauth2/auth?client_id=YOUR-CLIENT-ID&response_type=code&scope=openid%20name%20phoneNumber%20address%20birthDate&state=8652682f-ba1d-4719-b1ec-8694ba97bde7&redirect_uri=https://developer.vippsmobilepay.com/docs/example-pages/result-page

The user will get the consent screen in their Vipps Vipps or MobilePay MobilePay app. The scopes you requested will show up there and they must select all or none. For this reason, it's best to request only the information you need.

The access token will expire after 10 minutes.

Step 2. Get the information​

Once the user has provided consent, you can request the profile information with:
GET:/vipps-userinfo-api/userinfo/.

You will need the access token from step 1. Note, the access token expires after 10 minutes.

You will get a response with the consented scopes. For example:

{
    "address": {
        "address_type": "home",
        "country": "NO",
        "formatted": "BOKS 6300, ETTERSTAD\n0603\nOSLO\nNO",
        "postal_code": "0603",
        "region": "OSLO",
        "street_address": "BOKS 6300, ETTERSTAD"
    },
    "birthdate": "1955-05-18",
    "family_name": "User",
    "given_name": "Test",
    "name": "Test User",
    "other_addresses": [
        {
            "address_type": "work",
            "country": "NO",
            "formatted": "Robert Levins gate 5\n0152\nOslo\nNO",
            "postal_code": "0152",
            "region": "Oslo",
            "street_address": "Robert Levins gate 5"
        }
    ],
    "phone_number": "4748571123",
    "phone_number_verified": true,
    "sid": "f2373816-439c-40e4-9882-afe7d79dd170",
    "sub": "126684df-c056-4625-821d-f2905febe3f9"
}

The API follows the OIDC Standard: UserInfo Request.

Follow through the steps of the Login API Quick start guide to test this flow.

Scopes​

The scope determines what information the user is asked to share. The scope can include any of the values, separated by a space:

ScopesDescriptionUser consent required
openid(required) This is the scope used to request an Id-token. It provides the claim sub which is a unique ID for the end user at that particular merchant. Note: Different merchants will get different values for the sub for the same end user.no
addressThe user can have up to three addresses in their Vipps or MobilePay app: home, work and other. User addresses are given as claims address and other_addresses. The claim address returns the address set as default for the Vipps or MobilePay user. The claim other_addresses returns any other addresses of the end user. We recommend that merchants fetch all addresses on a user and allow the user to choose which address to use in the relevant context. Some users will not have any registered address, in these situations the claim address will be delivered, but the sub claims in address will be empty strings (e.g., "address" : {"country" : "", "street_address" : "", "address_type" : "", "formatted" : "", "postal_code" : "", "region" : "" }). If a user has information in the Unit, floor or other details field, this will be included in the street_address response. The Street address will then be presented first, before "\n". Then, the contents from Unit, floor or other details (e.g., Suburbia 23"\nUnit B5)yes
birthDateUser birthdate (verified with National Population Register)yes
emailUser email (verified). The flag email_verified : true in the response can be used by merchants to confirm that the email actually is verified for each request.yes
nameUser first, middle, and given name (verified with National Population Register)yes
phoneNumberVerified phone number (verified - the number used with Vipps MobilePay)yes
genderGender. User chosen gender with options: male, female, other or prefer not to say. This scope is only supported through the Login API currently.yes
ninNational Identity Number (NIN) (verified with National Population Register). Note, merchants need to apply for access to NIN. See Login user info: NIN.yes
delegatedConsentsEnables marketing consents to be collected on behalf of a merchant. How to get started with marketing consentsyes
agreementEnables agreement flow on behalf of a merchant. How to get started with agreementyes

When requesting scopes that require user consent, a view listing these scopes will be displayed to the user with the option to allow or deny the consent request. This view is skipped if no scopes requiring consent are requested. The user must either accept or reject the full set of scopes, and can't make changes to the list of requested scopes. A user can therefore not choose to accept name and deny address.

tip

Ask for the minimum scopes needed for your application. Adding more scopes increases the chance that they will decline.

The scope openid is required and doesn't require user consent. It provides the claim sub which is a unique ID for the end user at that particular merchant.

Please note: Different sales units will get different subs for the same end user.

Example scopes:

  • phoneNumber
  • email
  • name address email
  • name phoneNumber
  • name birthDate
  • name email nin
info

If you get Invalid_scope this means that you have included one or more scopes that you don't have access to or is not supported.

All merchants have access to these scopes:

  • openid
  • address
  • birthdate
  • email
  • name
  • phoneNumber

You can find the list of scopes that your individual sales units have access to in portal.vippsmobilepay.com under the Developer section and the Set-up Login panel.

email_verified​

If the email address that is delivered has the flag email_verified : false, this address should not be used to link the user to an existing account without further authentication.

Such authentication could be to prompt the user to log in to the original account or to confirm the account linking by providing a confirmation link sent to the email address.

nin​

info

Access to the nin scope and the National Identity Number (NIN) is a paid service.

Only merchants with legal requirements or other objective needs for using the NIN to achieve the required user identification can get access to NIN. We comply with local applicable laws as well as guidance from the Norwegian Data Protection Authority, Datatilsynet, and other relevant local authorities.

As an independent controller, the merchant shall assess whether they are entitled to receive NIN. It must be noted that the legal liability regarding receiving and processing NIN solely resides with the Merchant. However, it's within Vipps MobilePay's own discretion to decide if merchant's requests meet the criteria stated above.

Keeping a unique and consistent identifier for the user over time is not a sufficient requirement. For this purpose, we offer a unique merchant specific user identifier that is delivered as part of the registration/login. This is the claim sub that is delivered based on the openid scope. This unique identifier will allow you to keep a consistent user profile even if the user changes contact information.

Be aware that Login is not an electronic ID. Thus, the NIN can only be used to simplify the customer processes by removing manual input or to look up the customer in your own or external registers. This can be done as part of the process to become a customer or to link login with Vipps MobilePay to an existing user. If you need to store the NIN for new users, we recommend that you use an electronic ID.

Merchants need to apply for access to NIN by sending an email to agreement@vippsmobilepay.com. In the email you must share:

  • Organization number
  • Merchant name
  • Name and number of the sales unit from portal.vippsmobilepay.com
  • Detailed information on how you plan to use the NIN
  • If the request is based on the objective need; explanation of why the purpose can be only achieved with NIN
  • Any supportive documents such as user terms, process flows etc.
  • If the request is based on the legal requirement, direct reference to the legal text and guidelines, if any.

Sub​

The sub is a unique identifier for a Vipps MobilePay user and relates to that user's consent to share information with a specific sales unit.

A user may have more than one sub for the same merchant, but there can only be one sub per sales unit (Merchant Serial Number). You cannot combine the sub for one MSN and the API keys for a different MSN.

The sub will not change if a user removes their consents, logs in again, and re-consents.

note

There are some special cases where the sub will change for a user:

  • If a user deletes their Vipps MobilePay profile and creates a new one.

Your system can dynamically detect when a user's consent has been revoked by using the Revoke consent webhooks.

Last updated on