Specialized authentication

Not sure which method you need?

See How do I get started? in the Access Token API introduction.

This method applies to:

• Partners accessing the Report API with accounting keys
• Partners accessing the Management API with management keys
• Anyone integrating with the Donations API using merchant level keys

If none of these apply to you, use Standard authentication instead.

Step 1: Get your API keys

Partners

Once your partner application has been approved, you'll receive a welcome email with a test sales unit and API keys. If you have lost this or need a new test sales unit, please contact partner@vippsmobilepay.com. Sales units are unique per country. Remember to state which country the sales unit should be created for.

Note that partner functionality is not available in test. Instead, you will receive merchant API keys, as mentioned in the limitations section. All payment flows can be tested using the merchant's API keys.

See Partner: How to get access for your sales units.

Donations API

You generate your own merchant level keys.

Donations integration steps

Step 2: Request an access token

Call POST:/miami/v1/token. This endpoint uses a standard OAuth 2.0 client credentials flow — you can use any trusted OAuth library to perform the flow.

Encode your keys

Base64-encode your client_id and client_secret together:

const clientId = 'YOUR-CLIENT-ID';
const clientSecret = 'YOUR-CLIENT-SECRET';
const base64Credentials = btoa(`${clientId}:${clientSecret}`);
console.log(base64Credentials);

Send the request

Pass the encoded value in the Authorization header:

curl -X POST https://api.vipps.no/miami/v1/token \
-H 'Authorization: Basic <YOUR-BASE64-ENCODED-VALUE>' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--data-urlencode 'grant_type=client_credentials'

warning

You must include grant_type=client_credentials or you will get an invalid_client error. Do not include the Ocp-Apim-Subscription-Key header.

You may also specify a scope:

curl -X POST https://api.vipps.no/miami/v1/token \
-H 'Authorization: Basic <YOUR-BASE64-ENCODED-VALUE>' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--data-urlencode 'grant_type=client_credentials&scope=donations:read'

Include the standard HTTP headers (e.g. Vipps-System-Name, Vipps-System-Version) to help with debugging.

Example response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>",
  "token_type": "Bearer",
  "expires_in": 900
}

The token is valid for 15 minutes.

Step 3: Use the access token

Include the token in the Authorization header of every API request:

curl -X GET API-ENDPOINT-ADDRESS \
-H "Authorization: Bearer YOUR-ACCESS-TOKEN" \
-H "Vipps-System-Name: acme" \
-H "Vipps-System-Version: 3.1.2"

warning

Always include the word Bearer before the token. Omitting it will result in an HTTP 401 Unauthorized error. See HTTP 401 Unauthorized.