
Login API extended Postman guide

This guide shows how to use the Login API with Postman. It extends the Login API quick start guide, which shows the recommended flow in both Postman and curl.

Prerequisites

You must have already signed up as an organization with Vipps MobilePay and have your test credentials from the merchant portal. See Getting started guide.

Your test sales unit must be set up for using login. See How to set up login on your sales unit.

Set up

You will need the following values (How to find the API keys):

  • client_id - Client_id for a test sales unit.
  • client_secret - Client_secret for a test sales unit.
  • Ocp-Apim-Subscription-Key - Subscription key for a test sales unit.
  • merchantSerialNumber - The unique ID for a test sales unit.
  • internationalMobileNumber - The MSISDN for the test app profile you have received or registered. This is your test mobile number including country code.
  • well-known_uri - URL to the well-known endpoint for the environment in use. See API Guide: well known for more details.
  • redirect_uri - The URL where the user is sent after finishing a login. The URL must be exactly the same as the one specified in your sales unit. See How to set up login on your sales unit.

Warning

🔥 Do not store production keys in the Postman cloud. 🔥

To prevent your sensitive data and credentials from being synced to the Postman cloud, store them in the Current Value fields of your Postman environment.

Open Postman and do the following:

  1. Import the following files:

  2. Select to use the imported global environment.

  3. In the global environment, update only the Current Value field with your own values for the following:

    • client_id
    • client_secret
    • Ocp-Apim-Subscription-Key
    • merchantSerialNumber
    • internationalMobileNumber
    • well-known_uri
    • redirect_uri
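
One way to check an exported environment before sharing or committing it, as an added example (not part of the Vipps MobilePay collection). It assumes Postman's export layout, a values array of key/value entries in which value holds the synced Initial Value, and treats client_id, client_secret and Ocp-Apim-Subscription-Key as the credentials to look for. The sample export is constructed.

```javascript
// Added example; the export layout and the sample data are assumptions.
const CREDENTIAL_KEYS = ["client_id", "client_secret", "Ocp-Apim-Subscription-Key"];

// Empty strings, <placeholders> and {{variable}} references are safe to sync.
function isPlaceholder(value) {
  const v = String(value ?? "").trim();
  return v === "" || /^<[^>]*>$/.test(v) || /^\{\{[^}]*\}\}$/.test(v);
}

// Returns one finding per credential whose Initial Value is populated.
// The value itself is never returned, only its key and length.
function findSyncedCredentials(exportedEnv) {
  const findings = [];
  for (const entry of exportedEnv.values ?? []) {
    if (!CREDENTIAL_KEYS.includes(entry.key)) continue;
    if (isPlaceholder(entry.value)) continue;
    findings.push({
      key: entry.key,
      length: String(entry.value).length,
      markedSecret: entry.type === "secret",
    });
  }
  return findings;
}

// Constructed sample of an exported environment (no real credentials).
const sampleExport = {
  name: "example-login-environment",
  values: [
    { key: "client_id", value: "", type: "default", enabled: true },
    { key: "client_secret", value: "constructed-not-a-real-secret", type: "secret", enabled: true },
    { key: "Ocp-Apim-Subscription-Key", value: "<subscription-key>", type: "default", enabled: true },
    { key: "redirect_uri", value: "http://localhost", type: "default", enabled: true },
  ],
};

for (const f of findSyncedCredentials(sampleExport)) {
  console.log(`Initial Value set for ${f.key} (${f.length} chars); move it to Current Value`);
}
```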

Standard Login API calls

User initiated login from a website

  1. Send request Get OIDC well-known.
  2. In your active Postman environment, copy the value of key start_login_uri, and use this URL in any browser.
  3. Finish login. This request includes a scope parameter that requests access to user information. This means that if you have not yet consented to sharing your user information, a distinct screen asking for your consent will appear the first time.
  4. When you finish your login, the website will update. If you used http://localhost, it will appear to be broken, but that doesn't matter. Copy the query parameter code from the URL in the browser. Paste this code into the key code in the active Postman environment.
  5. From the Login in Browser folder, send request Get token. This provides the access token and ID token.
  6. Send request Get user info to get the user info of the logged-in user.

Merchant initiated login (CIBA without redirect)

  1. Send request Get OIDC well-known. This will populate the environment variables init_ciba_endpoint, token_endpoint and userinfo_endpoint used in subsequent requests.
  2. From the CIBA Without Redirect folder, send request to Init CIBA no-redirect. This will trigger a push message to the Vipps or MobilePay app registered with the internationalMobileNumber in your environment. This request will populate the environment variable auth_req_id used for the subsequent token request.
  3. Authenticate in the Vipps or MobilePay app and approve the login request.
  4. Send request to Token no-redirect endpoint. This will populate the environment variable access_token used for the subsequent request.
  5. Send request to Get user info. This will use the token from (4) to obtain the userinfo of the logged-in user.

Merchant initiated login (CIBA with redirect)

  1. Send request Get OIDC well-known. This will populate the environment variables init_ciba_endpoint, token_endpoint and userinfo_endpoint used in subsequent requests.
  2. From the CIBA With Redirect folder, submit the Init CIBA redirect. This will trigger a push message to the Vipps or MobilePay app registered with the internationalMobileNumber in your environment.
  3. Authenticate in the Vipps or MobilePay app and approve the login request. Your mobile will now open the URL specified by redirect_uri (default http://localhost) with a code query parameter after successful authentication. It doesn't matter if the page appears to be broken, you only need the code value from the address.
  4. Copy/take note of the code parameter in the query string that you were returned to in the above step. This code has 300s time-to-live in test environment and 30s time-to-live in production environment.
  5. Set the value of the code parameter in the body of the Token redirect request to the code you obtained in the previous step.
  6. Submit the Token redirect request. This will populate the environment variable access_token used for the subsequent request.
  7. Send request to Get user info. This will use the token from the previous step to obtain the user info of the logged-in user.

Partner API calls

Please note: Partner API keys are only functional in the production environment, not the test environment.

As a partner: Set up Postman environment

  1. Click the down arrow, next to the "eye" icon in the top-right corner, and select the environment you have imported.
  2. Click the "eye" icon and, in the dropdown window, click Edit in the top-right corner.
  3. Ensure that you have the correct values for the following fields:
    • client_id - Client ID for the partner.
    • client_secret - Client Secret for the partner.
    • well-known_uri - URL to the well-known endpoint for the environment in use. In the test environment, you can use https://apitest.vipps.no/access-management-1.0/access/.well-known/openid-configuration. See API Guide: well known for more details.
    • redirect_uri - The URL where the user is sent after finishing a login.
    • internationalMobileNumber - The MSISDN for the test app profile you have received or registered. This is your test mobile number including country code.
    • targetMerchantSerialNumber - The target merchant you want to log in towards.

As a partner: Login from phone number (CIBA without redirect)

  1. Send request Get OIDC well-known. This will populate the environment variables init_ciba_endpoint, token_endpoint and userinfo_endpoint used in subsequent requests.
  2. Use the requests in the folder Partner login/CIBA without redirect.
  3. Send request Get partner token.
  4. Send request Start login. This will trigger a push message to the Vipps or MobilePay app registered with the internationalMobileNumber in your environment. This request will populate the environment variable auth_req_id used for the subsequent token request.
  5. Authenticate in the Vipps or MobilePay app and approve the login request.
  6. Send request Get login token. This will populate the environment variable access_token used for the subsequent request.
  7. Send request Get user info stored in the root folder. This will use the token from (6) to obtain the userinfo of the logged-in user.

As a partner: Login from phone number (CIBA with redirect)

  1. Send request Get OIDC well-known. This will populate the environment variables init_ciba_endpoint, token_endpoint and userinfo_endpoint used in subsequent requests.
  2. Use the requests in the folder Partner login/CIBA with redirect.
  3. Send request Get partner token.
  4. Send request Start login. This will trigger a push message to the Vipps or MobilePay app registered with the internationalMobileNumber in your environment. This request will populate the environment variable auth_req_id used for the subsequent token request.
  5. Authenticate in the Vipps or MobilePay app and approve the login request. Your mobile will now open the URL specified by redirect_uri (default http://localhost) with a code query parameter after successful authentication. It doesn't matter if the page appears to be broken, you only need the code value from the address.
  6. Copy/take note of the code parameter in the query string that you were returned to in the above step. This code has 300s time-to-live in test environment and 30s time-to-live in production environment.
  7. Set the value of the code parameter in the body of the Get login token request to the code you obtained in the previous step.
  8. Send request Get login token. This will populate the environment variable access_token used for the subsequent request.
  9. Send request Get user info stored in the root folder. This will use the token from (8) to obtain the userinfo of the logged-in user.
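
The "copy the code from the address" steps in the browser login and in both CIBA with redirect flows, as an added example that is not part of the original guide or the Postman collection. It checks the landed URL against redirect_uri, rejects an OAuth error response (the standard error query parameter), and applies the 300s/30s time-to-live stated above; the function name, option names and sample URLs are constructed.

```javascript
// Added example: extract the one-time code from the URL the browser lands on.
// TTLs are the ones stated in this guide (seconds).
const CODE_TTL_SECONDS = { test: 300, production: 30 };

function extractLoginCode(landedUrl, redirectUri, options = {}) {
  const { environment = "test", now = Date.now() } = options;
  const receivedAt = options.receivedAt ?? now; // when the redirect happened (ms)
  const ttl = CODE_TTL_SECONDS[environment];
  if (ttl === undefined) throw new Error(`unknown environment: ${environment}`);

  const landed = new URL(landedUrl);
  const expected = new URL(redirectUri);
  // The redirect must land on the registered redirect_uri, not a lookalike.
  if (landed.origin !== expected.origin || landed.pathname !== expected.pathname) {
    return { ok: false, reason: "landed URL does not match redirect_uri" };
  }
  // A failed or declined login returns error=... instead of code=...
  const error = landed.searchParams.get("error");
  if (error) return { ok: false, reason: `login failed: ${error}` };

  // Exactly one non-empty code is expected; duplicates are treated as tampering.
  const codes = landed.searchParams.getAll("code");
  if (codes.length !== 1 || codes[0] === "") {
    return { ok: false, reason: "expected exactly one code parameter" };
  }
  const ageSeconds = (now - receivedAt) / 1000;
  if (ageSeconds > ttl) {
    return { ok: false, reason: `code expired (${ageSeconds}s old, ttl ${ttl}s)` };
  }
  return { ok: true, code: codes[0], secondsLeft: Math.floor(ttl - ageSeconds) };
}

// Constructed input: redirect received at t=0, token request prepared 45s later.
const landedSample = "http://localhost/?code=constructed-code-123";
console.log(extractLoginCode(landedSample, "http://localhost",
  { environment: "test", receivedAt: 0, now: 45000 }));
console.log(extractLoginCode(landedSample, "http://localhost",
  { environment: "production", receivedAt: 0, now: 45000 }));
```

The same 45-second delay that is harmless in the test environment is past the time-to-live in production, so the token request should be sent immediately after the redirect.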

See the API reference for details about the calls.
