Standard authentication

Not sure which method you need?

See How do I get started? in the Access Token API introduction.

This is the authentication method used by the vast majority of integrations.

If you are a partner who needs access to the Report API or Management API, or if you are integrating with the Donations API, use Specialized authentication instead.

Step 1: Get your API keys

You need your API keys for the sales unit you are integrating with. See API keys for how to get them.

Step 2: Request an access token

Call POST:/accesstoken/get with your API keys in the request headers:

  • client_id — Client ID for the sales unit.
  • client_secret — Client secret for the sales unit.
  • Ocp-Apim-Subscription-Key — Subscription key for the sales unit.

Example request:

client_id: fb492b5e-7907-4d83-ba20-c7fb60ca35de
client_secret: Y8Kteew6GE2ZmeycEt6egg==
Ocp-Apim-Subscription-Key: 0f14ebcab0ec4b29ae0cb90d91b4a84a
Merchant-Serial-Number: 123456
Vipps-System-Name: acme
Vipps-System-Version: 3.1.2
Vipps-System-Plugin-Name: acme-webshop
Vipps-System-Plugin-Version: 4.5.6

Example response:

{
"token_type": "Bearer",
"expires_in": "86398",
"expires_on": "1495271273",
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>"
}

Field          Description
token_type     Always Bearer. Include this word when using the token.
expires_in     Validity period in seconds.
expires_on     Expiry time as a Unix timestamp (UTC).
access_token   The token to include in subsequent API requests.

The token is valid for 1 hour in the test environment and 24 hours in production. You can request tokens in advance, reuse them for their full validity period, and hold multiple valid tokens at the same time.

Step 3: Use the access token

Include the token in the Authorization header of every API request:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>
Ocp-Apim-Subscription-Key: 0f14ebcab0ec4b29ae0cb90d91b4a84a
Merchant-Serial-Number: 123456
Vipps-System-Name: acme
Vipps-System-Version: 3.1.2
Vipps-System-Plugin-Name: acme-webshop
Vipps-System-Plugin-Version: 4.5.6

Many of these headers are optional during testing, but include them in your integration so that error information can be found in the logs.

Warning: Always include the word Bearer before the token. Omitting it will result in an HTTP 401 Unauthorized error. See HTTP 401 Unauthorized.
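
Steps 2 and 3 combined into a small token cache, as an added example that is not part of the original page or the API provider's own code. It requests a token once, reuses it for its validity period, and always emits the Bearer prefix. The names TokenCache, http_post and REFRESH_MARGIN are hypothetical, and base_url is supplied by the caller because this page does not state the API host.

```python
import json
import time
import urllib.request

TOKEN_PATH = "/accesstoken/get"  # endpoint named on the page
REFRESH_MARGIN = 60              # assumption: renew 60 s before expiry


def http_post(url, headers):
    """Default transport: empty-body POST, returns the parsed JSON response."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Fetches an access token once and reuses it for its validity period."""

    def __init__(self, base_url, client_id, client_secret, subscription_key,
                 post=http_post, clock=time.monotonic):
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._keys = {"client_id": client_id,
                      "client_secret": client_secret,
                      "Ocp-Apim-Subscription-Key": subscription_key}
        self._post, self._clock = post, clock
        self._token, self._renew_at = None, 0.0

    def __repr__(self):
        # Keep keys and tokens out of logs and tracebacks.
        return f"TokenCache(url={self._url!r}, cached={self._token is not None})"

    def _fetch(self):
        body = self._post(self._url, dict(self._keys))
        if body.get("token_type") != "Bearer" or not body.get("access_token"):
            raise ValueError("unexpected access token response")
        self._token = body["access_token"]
        # expires_in arrives as a string; count it on the local monotonic clock
        # so a skewed wall clock cannot extend the token's apparent lifetime.
        self._renew_at = self._clock() + int(body["expires_in"]) - REFRESH_MARGIN

    def auth_headers(self):
        """Headers for an API call: 'Bearer ' prefix plus the subscription key."""
        if self._token is None or self._clock() >= self._renew_at:
            self._fetch()
        return {"Authorization": "Bearer " + self._token,
                "Ocp-Apim-Subscription-Key": self._keys["Ocp-Apim-Subscription-Key"]}
```

Load the three keys from an environment variable or secret store at start-up rather than committing them to source, and merge the returned headers with the Merchant-Serial-Number and Vipps-System-* headers shown above.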