API keys
API keys authenticate your API requests to Vipps MobilePay. The key type you need depends on your role:
| Key type | Who uses it |
|---|---|
| Merchant keys | Merchants building a direct integration, and smaller partners acting on behalf of a single merchant |
| Partner keys | Partners managing integrations for multiple merchants — see API keys for partners |
| Merchant-level keys | Donations product users — see Merchant-level keys |
Most of this page covers merchant keys, which are the most common type. If you use a VM number, you don't need API keys at all — see the Help Center. If you're using the Donations API, see Merchant-level keys instead.
Production and test keys
As a merchant, you will need two separate sets of keys — one for testing and one for production. Each set is tied to a specific sales unit and can only be used for that unit. If you have multiple sales units, you will have a separate set of keys for each one.
- Test environment: Keys are normally available a few minutes after the sales unit is created. See How to create a test sales unit for details.
- Production environment: Keys are normally available a few days after application, depending on workload and whether we need additional information.
API keys are sensitive information, so handle them carefully:
- Vipps MobilePay will never ask for your API keys.
- If you need to share keys with a colleague, always use encrypted email or a secure secret manager. If keys can't be moved securely, you can create a portal user for that person and give them basic access to the sales unit.
- If you accidentally expose your API keys, regenerate them immediately:
- Merchants: Click the Regenerate button on your sales unit page in the business portal. See How to regenerate API keys for step-by-step instructions.
- Partners: For partner-level keys, contact the partner team. For merchant keys, the merchant must regenerate them via the business portal.
- Update your integrations after regenerating keys so they continue to work.
Getting the API keys
- Merchants
- Partners
- Donations
Log in to the business portal and follow these steps:
-
Click For developers in the sidebar. You should see a list of sales units. Select Test or Production.
-
Find your sales unit and click Show keys. A panel opens where you can copy each key value.
-
Also copy the Merchant Serial Number (MSN) — you will need it in API requests.
If you accidentally expose your API keys, regenerate them immediately.
Partners use different key types depending on their role and the APIs they need to access. See API keys for partners for a full overview of partner key types and how to get them.
If you can't use partner keys, you have two options:
- Ask the merchant to securely send their keys to you.
- If the merchant can't share keys securely, they can add a portal user for you with Assistant access, so you can log in and retrieve the keys yourself.
If you compromise your partner keys, contact the partner team immediately.
The Donations product uses merchant-level keys rather than sales unit keys.
See merchant-level keys for details on how to find these.
For more information, see about the business portal.
API key details
The key names you receive depend on which authentication method your key type uses.
Merchant keys and partner keys (standard authentication) include four values:
| API Key Name | Description | Format | Example |
|---|---|---|---|
client_id | Client ID for the sales unit (the "username") | GUID | fb492b5e-7907-4d83-bc20-c7fb60ca35de |
client_secret | Client secret for the sales unit (the "password") | Base64 | Y8Kteew6GE3ZmeycEt6egg== |
Ocp-Apim-Subscription-Key (primary) | Subscription key for the API product | Base64 | 0f14ebcab0eb4b29ae0cb90d91b4a84a |
Ocp-Apim-Subscription-Key (secondary) | Interchangeable with the primary key | Base64 | 0f14ebcab0eb4b29ae0cb90d91b4a84a |
The primary and secondary Ocp-Apim-Subscription-Key values are interchangeable. Having two lets you rotate one without downtime while the other remains active.
Management keys, accounting keys, and Donations merchant-level keys (specialized authentication) use only client_id and client_secret — there is no subscription key.
You use client_id and client_secret with the Access Token API to get an access token for subsequent API requests.
The same merchant keys work across all integration types — direct API, mobile apps, point of sale, and plugins.
The Merchant Serial Number (MSN) is not an API key, but you will need it in many API requests. You can find it in the same place as your API keys in the business portal.
Next steps
- Merchants: See Authentication and authorization to learn how to use your keys to get an access token.
- Partners: See API keys for partners for the full overview of partner key types.
- Donations API users: See the Donations API guide to continue your setup.