Login API checklist

Did you try out the Login API? Use this checklist as your integration requirement specification to ensure your Login API implementation is complete and production-ready.

It covers the key endpoints, quality assurance steps and pitfalls. Once you have completed your integration you must use the checklist to ensure that you have covered all areas of the integration.

Partners

Flow to go live for partner integrations

1. Complete your testing of the Login API. Use below list to ensure you cover all areas of the integration before you submit the checklist.

2. Send your filled out Login checklist to us at developer@vippsmobilepay.com.
   Use this editable PDF to fill out and submit. Request examples in the checklist must be no more than 1 month old at the time you submit the checklist.
   Together with the checklist please include a video of your Login flow and a short description of your solution. he video must include both a successful login flow and a failed login flow (where user rejects the login).

3. Fill out production sign up form with details about your company and solution.

4. We will verify your integration and get back to you as soon as possible. After the checklist is approved, we'll send you the information you need to go live.

Download the editable Login checklist

📋 Download the PDF - an editable PDF you can fill out and track your progress.

Merchants

Flow to go live for direct integrations

1. Order Login.
2. We will complete customer control (KYC, PEP, AML, and other compliance checks). As soon as the customer control is completed, independently of this checklist, we will make the production API keys available on the business portal and notify you that you can retrieve your keys.
3. Retrieve your API keys.
4. Complete all the checklist items.
5. Verify the integration in the test environment.
6. Verify the integration in the production environment:
7. Partners only: Send your checklist to developer@vippsmobilepay.com. We don't do any kind of activation or make any changes based on this checklist, we just use it to verify that you have done the integration.
8. Go live 🎉

Login API checklist
Endpoints to integrate For examples of requests and responses, see the quick start guide.
OpenID connect (Get OIDC well-known endpoint) GET:/access-management-1.0/access/.well-known/openid-configuration
JSON web keys discovery GET:/access-management-1.0/access/.well-known/jwks.json
OAuth 2.0 authorize (Only required if using the Login from a website flow) GET:/access-management-1.0/access/oauth2/auth
OAuth 2.0 token POST:/access-management-1.0/access/oauth2/token
CIBA authentication (Only required if using the Merchant-initiated login flow) POST:/vipps-login-ciba/api/backchannel/authentication
User exists (Only required if using the Merchant-initiated login flow) POST:/vipps-login-ciba/api/v1/user-exists
Quality assurance
Ensure functionality Verify that your solution works seamlessly across all browsers, including non-default mobile browsers (e.g., initiating login from Chrome on iOS).
Connect existing accounts Implement proper linking of the Vipps or MobilePay user to your own user registry. See recommendations on linking to user account.
Handle errors Make sure to log and handle all errors. For example, handle cancelled logins and error situations while redirecting the user back to redirect_uri (i.e., redirect with an error query parameter). In addition, display errors in a way that the users (customers and merchant employees/administrators) can see and understand them.
Avoid integration pitfalls
Use correct flow Native app integrations use the Login from a mobile app flows. Merchant-initiated login must not be used for web-based login.
Do not use embedded iFrames Integration with the Login API is redirect-based (i.e., do not use an embedded iFrame).
Set company name and logo The sales unit name appears on the Vipps MobilePay landing page. Both the name and logo appear in the Vipps or MobilePay app under Personal information > Companies with access. See how to change name and logo.
Whitelist redirect URIs Ensure that each redirect_uri for your integration has been added to the business portal whitelist. See the FAQ for how to do this. Ensure that all URLs use HTTPS or native URL schemes (i.e., vipps://), not HTTP. ALL URLs must match the exact URI sent on /auth request. No query parameters or additional trailing / can be included.
Use only required scopes Request only the scopes that you require, no "nice to have" scopes. If using national identity number, you must be granted access to request these scopes. See Login: scopes for details.
Comply with our terms and conditions If you, as a merchant, will act on behalf of others (e.g., share data you have gotten from us with other merchants), ensure that you comply with our terms: Vipps MobilePay - terms and conditions Vipps MobilePay - terms and privacy
Follow design guidelines The branding must be according to the Design guidelines. Use the button generator.
Include standard HTTP headers Send the HTTP headers in all API requests for better tracking and troubleshooting (mandatory for partners and platforms, who must send these headers as part of the checklist approval).
Configure marketing consents (Only required if you are collecting consents.) Ensure that you have the correct terms and conditions and privacy URL set up if you are collecting consents.
Security
Generate a state parameter Ensure that a unique state parameter is generated for each /auth request.
Do not share client_secret Ensure that the client_secret is kept secret and is never shared to browsers or native apps.

tip

Operational Status Page

We recommend that you subscribe to the Vipps MobilePay Operational Status Page for real-time updates on service availability, incidents, and maintenance.