API keys for partners
Partners help their merchants create integrations and manage their sales units using the Vipps MobilePay API platform.
API keys establish your identity and determine what you are authorized to do. Partners use different key types depending on their role — each type grants access to a different set of APIs. To get API keys, the partner submits the merchant's consent, and after verification we connect the partner and merchant in the system.
Types of API keys
There are four types of partner-related API keys:
- Merchant keys — The merchant's own keys. Provide access to the common APIs the merchant has access to. Used by smaller partners who don't have partner keys.
- Merchants using the Donations API use a separate key type called Merchant level keys. These are outside the scope of this page.
- Management keys — Provide access to the Management API only. Useful when you don't have partner keys, or cannot use them for security reasons.
- Partner keys — Allow partners to act on behalf of all their merchants. See Standard authentication for the full list of APIs partner keys give access to. Partners can also use the Login API with partner keys via a slightly different flow — see Login API: Partner keys.
- Accounting keys — Provide access to the Report API only. Cannot be used to act on behalf of merchants or to access the Management API.
A partner can hold more than one set of keys. For example, a partner who handles both payments and accounting will have two separate sets: accounting keys and either partner keys or management keys.
How to get API keys
Once your partner application has been approved, you'll receive a welcome email with a test sales unit and API keys. If you have lost this or need a new test sales unit, please contact partner@vippsmobilepay.com. Sales units are unique per country. Remember to state which country the sales unit should be created for.
Note that partner functionality is not available in test. Instead, you will receive merchant API keys, as mentioned in the limitations section. All payment flows can be tested using the merchant's API keys.
See Partner: How to get access for your sales units.
Which keys do I need?
- Partner keys
- Management keys
- Accounting keys
- Merchant keys
A partner may, under some circumstances, use the merchant's own keys. These provide access to:
It is better to use your partner, management, or accounting keys instead of the merchant's keys.
Partner keys provide access to:
Management keys provide access to:
Accounting keys provide access to:
Merchant keys
Merchant keys are the standard API keys for a sales unit, obtained from the business portal. If you have partner keys, use those instead.
Partner keys
Partners at Partner Plus or above may qualify for partner keys. These allow a partner to use a single set of API keys across all their merchants' sales units, acting on behalf of merchants without needing each sales unit's own keys.
Partner keys are used exactly like merchant keys, with one difference: the Merchant-Serial-Number HTTP header is required, not just recommended.
Partner keys provide access to the main APIs as well as the Management API.
- Partner keys only work in the production environment. In the test environment, partner functionality is not available — you will use the test merchant keys provided in your welcome email instead. All payment and login flows can be tested with these keys.
- You must not use partner keys if merchants can see or access them in any way — this would allow one merchant to act on behalf of all others.
- Vipps MobilePay cannot send merchant keys to you directly. You must obtain them securely from the merchant. See API keys for details. If the merchant cannot share keys securely, they can create a user for you in the business portal.
- Partner keys work for all sales units registered with the partner, regardless of when the sales unit was created.
Keep the API keys secret: Your API keys must never be shared in any readable way with the merchants, as that will let one merchant perform API calls (including making payments, refunds, etc.) on behalf of another merchant.
💣 If your answer is yes to any of the following questions, don't use partner keys:
- Your merchants can see the partner keys (
client_id,client_secret,Ocp-Apim-Subscription-Key) in your solution. - Your merchants have the ability to change their MSN (Merchant Serial Number) in your solution.
- The keys and secrets are stored on the merchant's system (in a way that allows them to access and see it).
Partner keys don't give access to the Report API, because it can reveal information about a merchant's prices and fees, including information that is regulated by GDPR. For this, you need Accounting keys.
Use standard authentication with partner keys.
Management keys
All partners with a signed contract can use the Management API to manage their merchants' sales units and streamline merchant onboarding with prefilled information.
Management keys provide access to the Management API only — they cannot be used to act on behalf of merchants or make payments. They are useful when you don't have partner keys, or when using partner keys is not appropriate for security reasons.
Both partners and merchants can use management keys.
Use specialized authentication with management keys.
Accounting keys
Accounting keys provide access to the Report API for retrieving payment and settlement data.
The merchant must explicitly give consent before an accounting partner can access their data.
Accounting keys cannot be used to manage sales units or make payments, and have no overlapping functionality with the other key types. Partners who also hold partner keys or management keys still need a separate set of accounting keys to access the Report API.
Use specialized authentication with accounting keys.
Lost or compromised API keys
For partner-level keys, contact our partner team. For merchant keys, the merchant must regenerate them via the business portal — see How to regenerate API keys for step-by-step instructions.
Update your integrations after regenerating keys so they continue to work.