Login API webhooks
A merchant can receive instant notifications about important events, such as a merchant-initiated login. To set up the basic webhook infrastructure, register your webhook URL as described in the Webhooks API guide. We'll send real-time notifications about subscribed events to the URL you specify.
Merchant-initiated login events
We support up to 25 webhook registrations per sales unit (MSN) for each event type.
Name | Event Type |
---|---|
Ping | login.merchant-initiated.ping.v1 |
The payload will contain:
Name | Type | Description |
---|---|---|
auth_req_id | String | The auth_req_id that identifies the login. |
Example:
{
"auth_req_id": "qwieuhwqiuhdiuwqh123"
}
Revoke consent webhooks
Users can revoke their consent to share data with merchants. This is done in the Vipps or MobilePay app, in the Profile section under Personal information. The practical consequence for the user is that they must give consent the next time they want to log in with Vipps MobilePay, or share data as part of other Vipps MobilePay services with the merchant.
When a user revokes their consent, we will send a CONSENT_REVOKED webhook event to the merchant's webhook server. This contains the sub for the given user.
This service is optional for the merchant and can be used to trigger events on the merchant's side. For example, the merchant can inform the user that they still have an account, can provide information on alternative login solutions, or can inform the user where to go if they would like to delete the data they have stored with the merchant.
Content
The webhook is sent as a POST with a text/plain body containing an unsigned JSON Web Token (JWT). The JWT format was chosen to allow signing to be added at a later stage, but as of now the JWT is delivered unsigned with the algorithm set to none. It is therefore no more secure than regular JSON and should be handled as such.
Example request
eyJhbGciOiJub25lIiwidHlwIjogIkpXVCJ9Cg.eyJleHAiOjE1OTI1NzE3ODgsImlhdCI6MTU5MjU3MTQ4OCwibmJmIjoxNTkyNTcxNDg4LCJzdWIiOiJjOWQxMDQ0NC1kOTkyLTQ4NTAtYWM2MC05ZDM1MDIwOTUwMDgiLCJldmVudCI6IkNPTlNFTlRfUkVWT0tFRCJ9
Decoded JWT
Header
{
"alg": "none",
"typ": "JWT"
}
Payload
{
"exp": 1592571788,
"iat": 1592571488,
"nbf": 1592571488,
"sub": "c9d10444-d992-4850-ac60-9d3502095008",
"event": "CONSENT_REVOKED"
}
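As an added example (not Vipps MobilePay's own code), a receiver can decode the body by hand and treat every field as unauthenticated input instead of handing it to a JWT library. The function names, the size limit, the clock-skew tolerance, the UUID shape required of sub and the enforcement of nbf/exp are assumptions of this example.

```python
import base64
import json
import re
import time

# Token copied from this page's "Example request".
SAMPLE_BODY = (
    "eyJhbGciOiJub25lIiwidHlwIjogIkpXVCJ9Cg."
    "eyJleHAiOjE1OTI1NzE3ODgsImlhdCI6MTU5MjU3MTQ4OCwibmJmIjoxNTkyNTcxNDg4"
    "LCJzdWIiOiJjOWQxMDQ0NC1kOTkyLTQ4NTAtYWM2MC05ZDM1MDIwOTUwMDgiLCJldmVu"
    "dCI6IkNPTlNFTlRfUkVWT0tFRCJ9"
)
SUB_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")  # assumed: UUID-shaped sub
MAX_BODY = 4096  # assumed upper bound on body size, in characters
SKEW = 60        # assumed clock-skew tolerance, in seconds


def _segment(seg):
    """Decode one base64url segment (padding restored) into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def parse_consent_revoked(body, now=None):
    """Return the sub of a CONSENT_REVOKED webhook body, or raise ValueError.

    The token is unsigned: the returned value is unauthenticated input, not proof."""
    now = time.time() if now is None else now
    parts = body.strip().split(".")
    if len(body) > MAX_BODY or len(parts) not in (2, 3) or any(parts[2:]):
        raise ValueError("unexpected token shape")
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError as exc:
        raise ValueError("undecodable token") from exc
    # A token that names a signing algorithm cannot be verified here: reject it.
    if header.get("alg") != "none":
        raise ValueError("unexpected alg")
    if claims.get("event") != "CONSENT_REVOKED":
        raise ValueError("unexpected event")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not SUB_RE.fullmatch(sub):
        raise ValueError("malformed sub")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not (type(nbf) is int and type(exp) is int and nbf - SKEW <= now < exp + SKEW):
        raise ValueError("token outside its validity window")
    return sub
```

Because nothing in the token authenticates the sender, the returned sub is best limited to low-impact follow-ups such as the user notifications described above.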