Authentication Provider: Vipps MobilePay ASA
Connection: REST API
Data Flow: Bidirectional
Components: 7
Dependencies: 3

Description

Vipps Login is a Norwegian OAuth 2.0 / OIDC identity provider used as the primary first-time authentication path, returning the user's verified phone number and optionally their national identity number (personnummer) to the member system. Monthly licence cost of 350–750 NOK is shared across the four participating organisations and provides a familiar authentication experience for Norwegian users.

Detailed Analysis

Vipps Login serves as the primary first-time authentication path for the platform, leveraging Norway's most widely adopted mobile payment app as an identity provider. With over 4 million Norwegian users already having Vipps installed, this integration delivers an immediately familiar and low-friction onboarding experience that maximises user adoption across all four participating organisations. Beyond authentication, Vipps Login returns verified phone numbers and — with separate regulatory approval — national identity numbers (personnummer), enabling automatic member profile population without manual data entry. The fixed monthly licence fee of 350–750 NOK is shared across the four participating organisations, making the per-organisation cost exceptionally low relative to the onboarding experience it delivers.

Access to the NIN scope from Vipps MobilePay ASA carries a separate approval requirement and GDPR obligations, including a documented Data Processing Agreement — a compliance investment that enables richer member data quality across all organisations. BankID serves as the automatic fallback, ensuring continuity if Vipps services experience degradation.

Vipps Login integration requires establishing a Vipps merchant account and activating the Login product subscription — an administrative process through the Vipps developer portal that must be initiated early. Seven components depend on this integration: Vipps auth screen (017), auth service (021), API client (027), org cost config (031), auth method selector (016), personnummer confirmation widget (020), and deep link handler (029). The deep link handler is particularly important to test thoroughly on both iOS and Android, as app-to-app redirect failures are a common source of authentication drop-off. NIN scope requires separate approval from Vipps MobilePay ASA and a GDPR lawful basis per organisation — coordinate this legal workstream in parallel with technical development to avoid delays.

Monthly cost allocation logic across the four organisations (component 031) must be designed and validated. Testing must cover: Vipps app not installed (App Store redirect), OAuth cancellation, BankID fallback activation, and login success rate tracking per organisation. An alert fires when the login success rate drops below 85%, which requires monitoring infrastructure to be in place before go-live.

Vipps Login API v2 implements OAuth 2.0 / OIDC over REST; PKCE is required because the authorization code is returned through a mobile deep link. Required scopes: openid, phoneNumber, and nin (national identity number — requires separate Vipps approval). Configuration uses the VIPPS_CLIENT_ID, VIPPS_CLIENT_SECRET, VIPPS_ISSUER_URL and VIPPS_REDIRECT_URI environment variables, plus the VIPPS_ENVIRONMENT toggle (test/prod). The authentication flow traverses: deep link handler (029) → Vipps API client (027) → Vipps auth service (021) → Vipps auth screen (017), with the personnummer confirmation widget (020) processing the nin claim.

Error handling has three distinct paths: Vipps app not installed (detect via OS and redirect to App Store/Google Play), OAuth cancellation (graceful return to auth method selector), and Vipps Login unavailability (automatic fallback to BankID or email login). Phone number and NIN are encrypted at rest and never logged; Vipps session tokens are short-lived and not persisted beyond the authentication event. Latency target is under 8 seconds for the full flow including app redirect. Health checks poll the Vipps API status dashboard.
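How the auth service (021) might route an attempt onto these three error paths and keep phone number and NIN out of log lines, as an added example and not the project's code. The outcome shapes and the BankID availability flag are constructed for the example; "phone_number" is assumed to be the standard OIDC claim name, "nin" is the claim named above.

```javascript
// Added example, not the project's code: the auth service (021) deciding which of the
// three error paths a Vipps Login attempt takes, plus redaction of identity claims before
// anything reaches a log line. Outcome shapes and bankIdAvailable are constructed here;
// "phone_number" is the standard OIDC claim name (assumed), "nin" the Vipps claim.
//   { kind: "no-app", os }          OS reported no handler for the Vipps app link
//   { kind: "callback", params }    deep link (029) returned with these query params
//   { kind: "transport", status }   token/userinfo call failed; 0 = network error
function routeOutcome(outcome, { bankIdAvailable = true } = {}) {
  const fallback = { action: "fallback", provider: bankIdAvailable ? "bankid" : "email" };
  switch (outcome.kind) {
    case "no-app":
      return { action: "store-redirect", target: outcome.os === "ios" ? "app-store" : "google-play" };
    case "callback": {
      const err = outcome.params.get("error");
      // OAuth cancellation: the user backed out in the Vipps app; no fallback needed.
      if (err === "access_denied") return { action: "auth-method-selector", reason: "user-cancelled" };
      // Any other provider-side error is treated as Vipps Login being unavailable.
      if (err) return { ...fallback, reason: err };
      return outcome.params.get("code")
        ? { action: "exchange-code" }
        : { action: "auth-method-selector", reason: "malformed-callback" };
    }
    case "transport":
      // 5xx or network failure: Vipps Login unavailable. A 4xx points at our own
      // request or configuration, so it is surfaced rather than masked by a fallback.
      if (outcome.status === 0 || outcome.status >= 500) return { ...fallback, reason: `http-${outcome.status}` };
      return { action: "auth-method-selector", reason: `http-${outcome.status}` };
    default:
      return { action: "auth-method-selector", reason: "unknown-outcome" };
  }
}

// Phone number and NIN are never logged: keep the claim names so presence is auditable,
// drop the values. Session tokens are never passed to this function at all.
const SENSITIVE_CLAIMS = new Set(["phone_number", "nin"]);
function redactForLog(claims) {
  return Object.fromEntries(
    Object.entries(claims).map(([k, v]) => [k, SENSITIVE_CLAIMS.has(k) ? "<redacted>" : v])
  );
}
```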

Track authentication success rate, Vipps app redirect success rate, and monthly active Vipps Login users per organisation for cost allocation in component 031.

Dependencies (3)

Vipps merchant agreement and Login product subscription (External)
Vipps app installed on user's device (External)
Internet connectivity (External)

Authentication

Type: OAuth
Requirements: Vipps merchant account and Vipps Login subscription; Client ID and client secret from Vipps developer portal; mobile deep link redirect URI registered; PKCE enabled for mobile security
Scopes: openid, phoneNumber, nin (national identity number — requires separate approval)

Configuration

Required Settings

VIPPS_CLIENT_ID (Required)
VIPPS_CLIENT_SECRET (Required)
VIPPS_REDIRECT_URI (Required)
VIPPS_ENVIRONMENT (test/prod) (Required)

Optional Settings

Cost-sharing model configuration per organisation (Optional)
NIN scope opt-in per organisation (Optional)

Environment Variables

VIPPS_CLIENT_ID
VIPPS_CLIENT_SECRET
VIPPS_ISSUER_URL

Error Handling

Vipps app not installed detected and user redirected to App Store / Google Play
OAuth cancellation returns to auth method selector gracefully
Vipps Login unavailability falls back to BankID or email login

Monitoring

Health Checks

Vipps API status via developer.vippsmobilepay.com/docs/APIs/api-dashboard
Login success rate tracking per organisation

Metrics

Authentication success rate
Vipps app redirect success rate
Monthly active Vipps Login users (for cost allocation)

Alerts

Login success rate below 85%
Vipps API error rate spike

Performance

Latency: < 8s for full Vipps Login flow including app redirect
Availability: 99.9%; BankID fallback required

Rate Limits

Vipps Login: no published per-app rate limits
Token endpoint: standard OAuth rate limiting applies

Cost Implications

Pricing Model: Fixed monthly licence fee (350–750 NOK/month) shared across organisations

Cost Factors

Monthly Vipps Login licence fee
Per-organisation cost share allocation
NIN scope access may carry additional cost

Security Considerations

Phone number and NIN encrypted at rest; never logged
PKCE required to prevent authorization code theft on mobile deep links
Vipps session tokens short-lived and not persisted beyond authentication
GDPR: NIN retrieval requires documented lawful basis and DPA with Vipps

Fallback Mechanisms

BankID Login as equivalent alternative
Email/password fallback for limited-functionality access