Skip to main content

Login API (1.1.0)

Download OpenAPI specification:Download

The Login API enables users to log in to a service using their Vipps or MobilePay credentials. See the API Guide for more details. For the userinfo endpoint, see Userinfo API Guide.

Login API

OpenID configuration endpoint

The well-known endpoint can be used to retrieve configuration information for OpenID Connect clients. To learn more about this endpoint, please refer to the specification at https://openid.net/specs/openid-connect-discovery-1_0.html

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

Response samples

Content type
application/json
{}

The OAuth 2.0 authorize endpoint

The resource owner (end user) is redirected to this endpoint at the beginning of the authentication process, and it is used to obtain an authorization grant. To learn more about this endpoint please refer to the specification at https://tools.ietf.org/html/rfc6749#section-3.1

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

The OAuth 2.0 token endpoint

The token endpoint is used by the client to obtain an access token by presenting its authorization grant. To learn more about this endpoint please refer to the specification at https://tools.ietf.org/html/rfc6749#section-3.2

Authorizations:
Basic-AuthorizationBearer-Authorization
header Parameters
Merchant-Serial-Number
string
Example: 123456

This is a required parameter if you are a partner making API requests on behalf of a merchant. The partner must use the merchant's MSN, not the partner's MSN.

Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Request Body schema: application/x-www-form-urlencoded
grant_type
required
string

Value MUST be authorization_code.

code
required
string

The authorization code received from the authorization server as a query param on the redirect_uri.

redirect_uri
required
string

The redirect URL which the user agent is redirected to after finishing a login. If the URL is using a custom URL scheme, such as myapp://, a path is required: myapp://path-to-something. The URL must be exactly the same as the one specified on portal.vippsmobilepay.com. Be extra careful with trailing slashes and URL-encoded entities.

client_id
string

The client_id is available on portal.vippsmobilepay.com, under the 'Developer' section. This parameter is required if the token endpoint authentication method is set to client_secret_post.

client_secret
string

The client_secret is available on portal.vippsmobilepay.com, under the 'Developer' section. This parameter is required if the token endpoint authentication method is set to client_secret_post.

code_verifier
string

Required if PKCE, https://tools.ietf.org/html/rfc7636, is used.

Responses

Response samples

Content type
application/json
{
  • "access_token": "shxuQPSLpKAiBrgD-HPbgDWc3RHzcXq3skcydKwRroo.Y5aH3PavJkZnSq5dffj8AmKVE-SdwRcbKhUKkmqimoQ",
  • "expires_in": 3599,
  • "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2ZjIxMTlkZS03ZWY4LTQ0NDQtYjNkYy1lNDNiYWY2MDUwMGYifQ.eyJhdF9oYXNoIjoiUGpLVVQ0VUpFYkZWY05MempyOVppQSIsImF1ZCI6WyJlZGRkYjMyZi01MDI4LTQzOTctYjBhYi1lOGVjZjIxOGZkYzIiXSwiYXV0aF90aW1lIjoxNjQzMTIwMjA0LCJleHAiOjE2NDMxMjM4MDUsImlhdCI6MTY0MzEyMDIwNSwiaXNzIjoiaHR0cHM6Ly9lY2U0NmVjNC02ZjljLTQ4OWItOGZlNS0xNDZhODllMTE2MzUudGVjaC0wMi5uZXQvYWNjZXNzLW1hbmFnZW1lbnQtMS4wL2FjY2Vzcy8iLCJqdGkiOiI1MzM2NzJlYi1lY2M0LTQ0OTQtYjM4NS02NWY2MGJkMTk1YTciLCJub25jZSI6IjU4OTU0MTFlLWU5MzAtNDMyYS05ZWIzLWQzYTAzODhlMWIzOSIsInJhdCI6MTY0MzEyMDAwNywic2lkIjoiYWJlMjIzOTUtZThkNC00ODFlLThjZDItNTU0YmYwOWY0MzJmIiwic3ViIjoiNjNkODMwM2YtNDFkNS00MTUwLTllMzMtMGEzOWVkODE4NTZjIn0.Nejx0nIAPhGjDAOKIpLUVK2bcfTmUr7JfKU8V_7SHUdLGFjSHmDSXkAqYIL_oFXmTQsBrVXTQO-yjL6WGpR5nrpYPHzpY7hMUj00VQ1KTd9gwoMk6uBDvXAnSN7O-cNqC0ehZAlZ6ofR9TwDn03fhS1UcxhLnFq9phzxKD4q7EgBkHOQiwv90M8ZvrZMqdwtdjqIOABks0tVcYlQFKKDDrij0Df90vrFR-coAZeXJzRGsMUivvZlkwlYEQAlTx2BxBT2WqJr407DX-W0k0mj7QPnPQNV-0qT0VLJ6liUwFUi6MQrQ01yosrHwrmwY-0f_GwDDSPp4HizkTmT_CecQy9CLsbnASrcBurpLvjl9bfxXiYtZvvDlxyoyjMd05z94MmuADvM-nIWztKHIbU4ez6qRS1uyMPN2P9-_wzD7Tj2RCrAfSHlgTrx-grhqdkIqcVKdx8RVj5cmmbLDsmgfwLdM0m5Z_QYmctxq7TsLWm0x2A2-rbxlAma5USRDfPpzWBwbZDbJygXEIccGUwgG7SK6XHeTblHmgz87Tx7yfqTw9YSYbzxjnCCBwCXlKUUcHOLMRF_L0BwTBaNaFtYfgc5ne68Ej0V2Mz_BodR3OpRnukTdb1_nXAbDs4JiKhM22aR3R7qopAUnhUAFbde2q1sfwGr-b21a4NgEaWtFwk",
  • "token_type": "bearer",
  • "scope": "openid name phoneNumber address birthDate email"
}

JSON Web Keys Discovery

This endpoint returns JWK (JSON Web Keys) to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT (JSON Web Token, the access token).

header Parameters
Vipps-System-Name
string <= 30 characters
Example: Acme Commerce

The name of the solution. One word in lowercase letters is good. See HTTP headers.

Vipps-System-Version
string <= 30 characters
Example: 2.6

The version number of the solution. See HTTP headers.

Vipps-System-Plugin-Name
string <= 30 characters
Example: acme-webshop

The name of the plugin (if applicable). One word in lowercase letters is good. See HTTP headers.

Vipps-System-Plugin-Version
string <= 30 characters
Example: 4.3

The version number of the ecommerce plugin (if applicable). See HTTP headers.

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

CIBA authentication endpoint

This endpoint is used to start merchant initiated logins according to the Client initiated backchannel authentication standard.

Authorizations:
Basic-Authorization
Request Body schema: application/x-www-form-urlencoded
object (AuthenticationRequestPayload)
scope
string
loginHint
required
string
bindingMessage
string
requested_expiry
any

A positive integer representing the requested expiration time, in seconds, for the authentication.

Responses

Response samples

Content type
application/json
{
  • "auth_req_id": "string",
  • "expires_in": 0,
  • "interval": null
}

Endpoint for checking if user exists

Enables validating if a user exists before actually initiating a authentication

Authorizations:
Basic-Authorization
Request Body schema: application/x-www-form-urlencoded
object (UserExistsRequestPayload)
loginHint
required
string

Responses

Response samples

Content type
application/json
{
  • "exists": true
}