Userinfo
As part of the log-in process, you can ask the user for access to parts of their profile information.
They will be presented with a consent screen, like this:
If they give consent, you will be able to get the information
through the Get user info request:
GET:/vipps-userinfo-api/userinfo/.
Ensure that you comply with our privacy terms.
Getting the user information
Getting user consent through the Login API requires doing the full log-in flow.
Step 1. Log in and request consent
Follow the steps for:
In the start login URL, using the OAuth 2.0 authorize endpoint GET:/access-management-1.0/access/oauth2/auth?, specify the type of information that you need access to
in the scope (e.g., address).
For example:
https://apitest.vipps.no/access-management-1.0/access/oauth2/auth?client_id=YOUR-CLIENT-ID&response_type=code&scope=openid%20name%20phoneNumber%20address%20birthDate&state=8652682f-ba1d-4719-b1ec-8694ba97bde7&redirect_uri=https://developer.vippsmobilepay.com/docs/example-pages/result-page
The user will get the consent screen in their Vipps 
or MobilePay 
app.
The scopes you requested will show up there and they must select all or none. For this reason, it's best to request
only the information you need.
The access token will expire after 10 minutes.
Step 2. Get the information
Once the user has provided consent, you can request the profile information with:
GET:/vipps-userinfo-api/userinfo/.
You will need the access token from step 1. Note, the access token expires after 10 minutes.
You will get a response with the consented scopes. For example:
{
"address": {
"address_type": "home",
"country": "NO",
"formatted": "BOKS 6300, ETTERSTAD\n0603\nOSLO\nNO",
"postal_code": "0603",
"region": "OSLO",
"street_address": "BOKS 6300, ETTERSTAD"
},
"birthdate": "1955-05-18",
"family_name": "User",
"given_name": "Test",
"name": "Test User",
"other_addresses": [
{
"address_type": "work",
"country": "NO",
"formatted": "Robert Levins gate 5\n0152\nOslo\nNO",
"postal_code": "0152",
"region": "Oslo",
"street_address": "Robert Levins gate 5"
}
],
"phone_number": "4748571123",
"phone_number_verified": true,
"sid": "f2373816-439c-40e4-9882-afe7d79dd170",
"sub": "126684df-c056-4625-821d-f2905febe3f9"
}
The API follows the OIDC Standard: UserInfo Request.
Follow through the steps of the Login API quick start guide to test this flow.
Scopes
The scope parameter determines what information the user is asked to share.
The scope can include any of the following values, separated by a space.
Merchants have access to different scopes depending on their product plan.
The basic plan includes name, phoneNumber, email, and address.
Premium and advanced product plans provide access to additional scopes.
You can view the scopes available to your sales units in portal.vippsmobilepay.com on the Login Configuration page, next to your selected plan. See Portal: How to set up Login for your sales unit for more details.
If you request a scope that isn't in your plan, it will be omitted, but your request will not fail.
| Scopes | Description | User consent required |
|---|---|---|
openid | (required) This is the scope used to request an Id-token. It provides the claim sub which is a unique ID for the end user at that particular merchant. Note: Different merchants will get different values for the sub for the same end user. | no |
address | The user can have up to three addresses in their Vipps or MobilePay app: home, work and other. User addresses are given as claims address and other_addresses. The claim address returns the address set as default for the Vipps or MobilePay user. The claim other_addresses returns any other addresses of the end user. We recommend that merchants fetch all addresses on a user and allow the user to choose which address to use in the relevant context. Some users will not have any registered address, in these situations the claim address will be delivered, but the sub claims in address will be empty strings (e.g., "address" : {"country" : "", "street_address" : "", "address_type" : "", "formatted" : "", "postal_code" : "", "region" : "" }). If a user has information in the Unit, floor or other details field, this will be included in the street_address response. The Street address will then be presented first, before "\n". Then, the contents from Unit, floor or other details (e.g., Suburbia 23"\nUnit B5) | yes |
birthDate | User birthdate (verified with National Population Register) | yes |
email | User email (verified). When using the Login API with the email scope, the email address is always verified. | yes |
name | User first, middle, and given name (verified with National Population Register) | yes |
phoneNumber | Verified phone number (verified - the number used with Vipps MobilePay) | yes |
gender | Gender. User chosen gender with options: male, female, other or prefer not to say. This scope is only supported through the Login API currently. | yes |
nin | National Identity Number (NIN) (verified with National Population Register). Note, merchants need to apply for access to NIN. See Login user info: NIN. | yes |
delegatedConsents | Enables marketing consents to be collected on behalf of a merchant. How to get started with marketing consents | yes |
agreement | Enables agreement flow on behalf of a merchant. How to get started with agreement | yes |
When requesting scopes that require user consent, a view listing these scopes will be displayed to the user with the option to allow or deny the consent request. This view is skipped if no scopes requiring consent are requested. The user must either accept or reject the full set of scopes, and can't make changes to the list of requested scopes. A user can therefore not choose to accept name and deny address.
Request consent for the minimum scopes needed for your application. Adding more scopes increases the chance that they will decline.
The scope openid is required and doesn't require user consent. It
provides the claim sub which is a unique ID for the end user at that
particular merchant.
Please note: Different sales units will get different subs for the
same end user.
Example scopes:
phoneNumberemailname address emailname phoneNumber
email_verified
When using the Login API with the email scope, the email address returned is always verified,
and the email_verified field will always be true.
Vipps MobilePay ensures that email addresses are verified before sharing them through the Login flow.
nin
The National Identity Number (NIN) is a unique personal identification number assigned to each individual by their national government.
Denmark: The NIN is called CPR-nummer / personnummer.
Finland: The NIN is known as henkilötunnus.
Norway: It's called fødselsnummer.
Sweden: It's called personnummer.
The National Identity Number (NIN) is protected. Only merchants with legal requirements or other objective needs for using the NIN to achieve the required user identification can get access to NIN. We comply with local applicable laws as well as guidance from the Norwegian Data Protection Authority, Datatilsynet, and other relevant local authorities.
Apply for access to NIN by sending an email to agreement@vippsmobilepay.com. In the email you must share:
- Organization number
- Merchant name
- Sales unit name and MSN, fetched from portal.vippsmobilepay.com
- Detailed information on how you plan to use the NIN
- If the request is based on the objective need; explanation of why the purpose can be only achieved with NIN
- Any supportive documents such as user terms, process flows etc.
- If the request is based on the legal requirement, direct reference to the legal text and guidelines, if any.
As an independent controller, the merchant shall assess whether they are entitled to receive NIN. It must be noted that the legal liability regarding receiving and processing NIN solely resides with the Merchant. However, it's within Vipps MobilePay's own discretion to decide if merchant's requests meet the criteria stated above.
Keeping a unique and consistent identifier for the user over time is not a
sufficient requirement. For this purpose, we offer a unique merchant specific
user identifier that is delivered as part of the registration/login. This is
the claim sub that is delivered based on the openid scope. This unique
identifier will allow you to keep a consistent user profile even if the user
changes contact information.
Be aware that Login is not an electronic ID. Thus, the NIN can only be used to simplify the customer processes by removing manual input or to look up the customer in your own or external registers. This can be done as part of the process to become a customer or to link login with Vipps MobilePay to an existing user. If you need to store the NIN for new users, we recommend that you use an electronic ID.
Sub
The sub is a unique identifier for a Vipps MobilePay user and relates to that user's consent
to share information with a specific sales unit.
A user may have more than one sub for the same merchant, but there can only be one sub
per sales unit (Merchant Serial Number).
You cannot combine the sub for one MSN and the API keys for a different MSN.
The sub will not change if a user removes their consents, logs in again, and re-consents.
There are some special cases where the sub will change for a user:
- If a user deletes their Vipps MobilePay profile and creates a new one.
Detecting users' consent removal
Your system can dynamically detect when a user's consent has been revoked by using the Revoke consent webhooks.