Skip to main content

Login API checklist

API version: 2.0.

Endpoints to integrate

Integrate the API endpoints. For examples of requests and responses, see the Postman collection and environment.

EndpointComment
OpenID Connect (Get OIDC well-known endpoint)GET:/access-management-1.0/access/.well-known/openid-configuration
The OAuth 2.0 authorize endpointGET:/access-management-1.0/access/oauth2/auth
The OAuth 2.0 token endpointPOST:/access-management-1.0/access/oauth2/token
JSON Web Keys DiscoveryGET:/access-management-1.0/access/.well-known/jwks.json

When the checklist is completed, notify Vipps MobilePay Integration Service at developer@vippsmobilepay.com. Include examples from the test environment, pilot customer info, and a description of the implemented solution. Please provide a test access to your setup for us to try, or a video of the user flow. The video must include both a successful login flow and a failed login flow (where user rejects the login).

We will verify the integration and contact you. After the checklist is approved, we'll send you the information you need to get started.

Integration considerations

ActionComment
Use correct flowNative app integrations use the app-to-app flow. Merchant initiated login must not be used for web-based login.
Do not use embedded iFramesIntegration with the Login API is redirect-based (i.e., do not use an embedded iFrame).
Set company name and logoThe sales unit name appears on the Vipps MobilePay landing page. Both the name and logo appear in the Vipps or MobilePay app under Personal information > Companies with access. See how to change name and logo.
Whitelist redirect URIsEnsure that all redirect_uris for your integration have been added to the merchant portal white list. See the FAQ for how to do this. Ensure that all URLs use HTTPS or native URL schemes (i.e., vipps://), not HTTP. ALL URLs must match the exact URI sent on /auth request. No query parameters or additional trailing / can be included.
Use only required scopesRequest only the scopes that you require, no "nice to have" scopes. If using national identity number, you must be granted access to request these scopes. See FAQ for details.
Comply with our terms and conditionsIf you, as a merchant, will act on behalf of others (e.g., share data you have gotten from us with other merchants), ensure that you comply with our terms and conditions.
Present terms and conditionsTerms and conditions are presented to the user, and the necessary consents are collected from the user (i.e., consent to marketing purposes, etc.).

Security

ActionComment
Generate a state parameterEnsure that a unique state parameter is generated for each /auth request.
Do not share client_secretEnsure that the client_secret is kept secret and is never be shared to browsers or native apps.

Quality assurance

ActionComment
Ensure functionalityEnsure that your solution is verified to work if the user start in a "non-default" browser on mobile (e.g., start login from Chrome browser on iOS).
Update user registryImplement proper linking of the Vipps or MobilePay user to your own user registry. This login must be based on either phone number or email address. See recommendations on linking to user account.
Handle errorsMake sure to log and handle all errors. For example, handle cancelled logins and error situations while redirecting the user back to redirect_uri (i.e., redirect with an error query parameter). In addition, display errors in a way that the users (customers and merchant employees/administrators) can see and understand them.
Include standard HTTP headersSend the HTTP headers in all API requests for better tracking and troubleshooting (mandatory for partners and platforms, who must send these headers as part of the checklist approval).

Avoid integration pitfalls

ActionComment
Follow design guidelinesThe branding must be according to the Design guidelines.
Educate customer supportMake sure your customer service, etc. has all the tools and information they need available in your system, through the APIs listed in the first item in this checklist, and that they do not need to visit portal.vippsmobilepay.com for normal work.

Help us improve our documentation

Did you find what you were looking for?