Login API webhooks
There are 2 types of webhooks in the Login API:
- Merchant-initiated login events - Provided as part of the Webhooks API.
- Revoke consent webhooks - A webhook designed with specific authentication requirements and a distinct payload format.
Merchant-initiated login events
To set up the basic webhook infrastructure, you need to register your webhook URL, as described in the Webhooks API guide. We'll send the real-time notifications about subscribed events to the URL you specify.
We support up to 25 webhook registrations per sales unit (MSN) for each event type.
| Name | Event Type |
|---|---|
| Ping | login.merchant-initiated.ping.v1 |
The payload will contain:
| Name | Type | Description |
|---|---|---|
auth_req_id | String | The auth_req_id that identifies the login. |
Example:
{
"auth_req_id": "qwieuhwqiuhdiuwqh123"
}
For more details about this type of webhook, see the Webhooks API guide.
Revoke consent webhooks
Users may choose to revoke their consent to share data with merchants at any time.
This action can be performed in the Vipps 
or MobilePay 
app,
located under Profile > Personal information.
Once consent is revoked, the user will be required to provide new consent the next time they wish to log in with Vipps MobilePay or share data with the merchant as part of other services.
When a user revokes consent, a CONSENT_REVOKED webhook event is sent to the merchant's webhook endpoint.
This event includes the sub identifier for the relevant user.
Implementing this webhook is optional for merchants. It can be used to trigger follow-up actions, such as:
- Notifying the user that their account remains active,
- Providing information about alternative login methods,
- Advising users on how to delete any data they have stored with the merchant.
Content
The webhook is delivered as a POST request with a text/plain body containing an unsigned JSON Web Token (JWT).
The JWT format has been selected to allow for future support of signed tokens. Currently, the JWT is unsigned and uses the algorithm none.
As a result, it provides no additional security over standard JSON and should be treated accordingly.
Header
The header of the CONSENT_REVOKED webhook contains the following fields:
| Field | Type | Description |
|---|---|---|
alg | String | The algorithm used for the JWT. For this webhook, it is always none. |
typ | String | The type of the token. For this webhook, it is always JWT. |
To learn more about JWT header fields, see JWT.io: Introduction to JSON Web Tokens.
Payload
The payload of the CONSENT_REVOKED webhook contains the following fields:
| Field | Type | Description |
|---|---|---|
exp | Integer | Expiration time of the token in seconds since the Unix epoch. |
iat | Integer | Issued-at time of the token in seconds since the Unix epoch. |
nbf | Integer | Not-before time of the token in seconds since the Unix epoch. |
sub | String | The unique identifier (sub) for the user whose consent was revoked. |
event | String | The event type, which will always be CONSENT_REVOKED for this webhook. |
Decoding the request
Decode the request to get the message.
Example request
eyJhbGciOiJub25lIiwidHlwIjogIkpXVCJ9Cg.eyJleHAiOjE1OTI1NzE3ODgsImlhdCI6MTU5MjU3MTQ4OCwibmJmIjoxNTkyNTcxNDg4LCJzdWIiOiJjOWQxMDQ0NC1kOTkyLTQ4NTAtYWM2MC05ZDM1MDIwOTUwMDgiLCJldmVudCI6IkNPTlNFTlRfUkVWT0tFRCJ9
Paste the request text into the JWT Debugger to get the following decoded header and payload data.
Decoded header and token type:
{
"alg": "none",
"typ": "JWT"
}
Decoded payload data:
{
"exp": 1592571788,
"iat": 1592571488,
"nbf": 1592571488,
"sub": "c9d10444-d992-4850-ac60-9d3502095008",
"event": "CONSENT_REVOKED"
}