API keys for partners
Partners help their merchants create integrations and manage their sales units using the Vipps MobilePay API platform.
API keys establish your identity and determine what you are authorized to do. Partners use different key types depending on their role — each type grants access to a different set of APIs. To get API keys, the partner submits the merchant's consent, and after verification we connect the partner and merchant in the system.
API keys are exchanged for an access token, which must then be included in every API request.
Types of API keys​
A partner can hold more than one set of keys. For example, a partner who handles both payments and accounting will have two separate sets: accounting keys and partner keys.
- Partner keys — Allow partners to act on behalf of all their merchants. See Standard authentication for the full list of APIs partner keys give access to. Partners can also use the Login API with partner keys via a slightly different flow — see Login API: Partner keys.
- Merchant keys — The merchant's own keys. Provide access to the common APIs the merchant has access to. Used by smaller partners who don't have partner keys.
- Accounting keys — Provide access to the Report API only. Cannot be used to act on behalf of merchants or to access the Management API.
- Management keys — (DEPRECATED) Provide access to the Management API only. Useful when you don't have partner keys, or cannot use them for security reasons.
- Merchant-level keys — (Not used by partners) Merchants using the Donations API use a separate key type called Merchant-level keys or Donation keys. Partners can access this API with their partner keys.
How to get API keys​
After submitting the partner application form, you'll receive a welcome email with a test sales unit, API keys, documentation links, and an overview of the required steps of the partner onboarding process.
If you have lost this or need a new test sales unit, please contact partner@vippsmobilepay.com. Sales units are unique per country. Remember to state which country the sales unit should be created for.
Note that partner functionality is not available in test. Instead, you will receive merchant API keys, as mentioned in the limitations section. All payment flows can be tested using the merchant's API keys.
See Partner: How to get access for your sales units.
Which keys do I need?​
- Partner keys
- Accounting keys
- Merchant keys
A partner may, under some circumstances, use the merchant's own keys. These provide access to:
It is better to use your partner, management, or accounting keys instead of the merchant's keys.
Partner keys provide access to:
Accounting keys provide access to:
Merchant keys​
Merchant keys are the standard API keys for a sales unit, obtained from the business portal. If you have partner keys, use those instead.
Partner keys​
Partners at Partner Plus or above may qualify for partner keys. These allow a partner to use a single set of API keys across all their merchants' sales units, acting on behalf of merchants without needing each sales unit's own keys.
Partner keys are used exactly like merchant keys, with one difference: the Merchant-Serial-Number HTTP header is required, not just recommended.
Partner keys provide access to the main APIs as well as the Management API.
- Partner keys only work in the production environment. In the test environment, partner functionality is not available — you will use the test merchant keys provided in your welcome email instead. All payment and login flows can be tested with these keys.
- You must not use partner keys if merchants can see or access them in any way — this would allow one merchant to act on behalf of all others.
- Vipps MobilePay cannot send merchant keys to you directly. You must obtain them securely from the merchant. See API keys for details. If the merchant cannot share keys securely, they can create a user for you in the business portal.
- Partner keys work for all sales units registered with the partner, regardless of when the sales unit was created.
Keep the API keys secret: Your API keys must never be shared in any readable way with the merchants, as that will let one merchant perform API calls (including making payments and refunds) on behalf of another merchant.
💣 If your answer is yes to any of the following questions, don't use partner keys:
- Your merchants can see the partner keys (
client_id,client_secret,Ocp-Apim-Subscription-Key) in your solution. - Your merchants have the ability to change their MSN (Merchant Serial Number) in your solution.
- The keys and secrets are stored on the merchant's system (in a way that allows them to access and see it).
Partner keys don't give access to the Report API, because it can reveal information about a merchant's prices and fees, including information that is regulated by GDPR. For this, you need Accounting keys.
Use standard authentication with partner keys.
Accounting keys​
Accounting keys provide access to the Report API for retrieving payment and settlement data.
The merchant must explicitly give consent before an accounting partner can access their data.
Accounting keys cannot be used to manage sales units or make payments, and have no overlapping functionality with the other key types. Partners who also hold partner keys still need a separate set of accounting keys to access the Report API.
Use specialized authentication with accounting keys.
Management keys​
Management keys are deprecated. Partners should use their partner keys or the merchant's API keys instead.
Management keys provide access to the Management API only — they cannot be used to act on behalf of merchants or make payments. They should only be be used when partner keys is not appropriate for security reasons.
Lost or compromised API keys​
For partner-level keys, contact our partner team. For merchant keys, the merchant must regenerate them via the business portal — see How to regenerate API keys for step-by-step instructions.
Update your integrations after regenerating keys so they continue to work.